Commit 726acf0f authored by Juan Lang's avatar Juan Lang Committed by Alexandre Julliard

shell32: Check size of input parameters before copying to fixed length buffers.

parent dbefe8cb
...@@ -788,14 +788,25 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec ...@@ -788,14 +788,25 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
WCHAR * exec; WCHAR * exec;
DWORD ddeInst = 0; DWORD ddeInst = 0;
DWORD tid; DWORD tid;
DWORD resultLen; DWORD resultLen, endkeyLen;
HSZ hszApp, hszTopic; HSZ hszApp, hszTopic;
HCONV hConv; HCONV hConv;
HDDEDATA hDdeData; HDDEDATA hDdeData;
unsigned ret = SE_ERR_NOASSOC; unsigned ret = SE_ERR_NOASSOC;
BOOL unicode = !(GetVersion() & 0x80000000); BOOL unicode = !(GetVersion() & 0x80000000);
if (strlenW(key) + 1 > sizeof(regkey) / sizeof(regkey[0]))
{
FIXME("input parameter %s larger than buffer\n", debugstr_w(key));
return 2;
}
strcpyW(regkey, key); strcpyW(regkey, key);
endkeyLen = sizeof(regkey) / sizeof(regkey[0]) - (endkey - regkey);
if (strlenW(wApplication) + 1 > endkeyLen)
{
FIXME("endkey %s overruns buffer\n", debugstr_w(wApplication));
return 2;
}
strcpyW(endkey, wApplication); strcpyW(endkey, wApplication);
applen = sizeof(app); applen = sizeof(app);
if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, app, &applen) != ERROR_SUCCESS) if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, app, &applen) != ERROR_SUCCESS)
...@@ -809,6 +820,12 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec ...@@ -809,6 +820,12 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
/* Get application command from start string and find filename of application */ /* Get application command from start string and find filename of application */
if (*start == '"') if (*start == '"')
{ {
if (strlenW(start + 1) + 1 > sizeof(command) / sizeof(command[0]))
{
FIXME("size of input parameter %s larger than buffer\n",
debugstr_w(start + 1));
return 2;
}
strcpyW(command, start+1); strcpyW(command, start+1);
if ((ptr = strchrW(command, '"'))) if ((ptr = strchrW(command, '"')))
*ptr = 0; *ptr = 0;
...@@ -835,6 +852,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec ...@@ -835,6 +852,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
ERR("Unable to find application path for command %s\n", debugstr_w(start)); ERR("Unable to find application path for command %s\n", debugstr_w(start));
return ERROR_ACCESS_DENIED; return ERROR_ACCESS_DENIED;
} }
if (strlenW(ptr) + 1 > sizeof(app) / sizeof(app[0]))
{
FIXME("size of found path %s larger than buffer\n", debugstr_w(ptr));
return 2;
}
strcpyW(app, ptr); strcpyW(app, ptr);
/* Remove extensions (including .so) */ /* Remove extensions (including .so) */
...@@ -848,6 +870,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec ...@@ -848,6 +870,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
*ptr = 0; *ptr = 0;
} }
if (strlenW(wTopic) + 1 > endkeyLen)
{
FIXME("endkey %s overruns buffer\n", debugstr_w(wTopic));
return 2;
}
strcpyW(endkey, wTopic); strcpyW(endkey, wTopic);
topiclen = sizeof(topic); topiclen = sizeof(topic);
if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, topic, &topiclen) != ERROR_SUCCESS) if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, topic, &topiclen) != ERROR_SUCCESS)
...@@ -890,6 +917,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec ...@@ -890,6 +917,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
SetLastError(ERROR_DDE_FAIL); SetLastError(ERROR_DDE_FAIL);
return 30; /* whatever */ return 30; /* whatever */
} }
if (strlenW(wIfexec) + 1 > endkeyLen)
{
FIXME("endkey %s overruns buffer\n", debugstr_w(wIfexec));
return 2;
}
strcpyW(endkey, wIfexec); strcpyW(endkey, wIfexec);
ifexeclen = sizeof(ifexec); ifexeclen = sizeof(ifexec);
if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, ifexec, &ifexeclen) == ERROR_SUCCESS) if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, ifexec, &ifexeclen) == ERROR_SUCCESS)
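Review bot: In the quoted-command branch (`if (*start == '"')`), the new length test measures everything after the opening quote, arguments included, although only the text up to the closing quote is kept in `command` once the following `strchrW` / `*ptr = 0` lines run. A start string with a short quoted path and a long argument tail is therefore refused with 2 even though the path itself would fit. Locating the closing quote first, then bounding and copying only that span, keeps the overflow protection without the false rejection; the branch continues past the end of the hunk, so the rest of it is not shown below. Separately, the bare `2` returned by all five new checks would read better as a named `SE_ERR_*` constant, as `ret` is already initialised with `SE_ERR_NOASSOC`.

```c
if (*start == '"')
{
    const WCHAR *quote = strchrW(start + 1, '"');
    size_t len = quote ? (size_t)(quote - (start + 1)) : strlenW(start + 1);

    if (len + 1 > sizeof(command) / sizeof(command[0]))
    {
        /* … unchanged: FIXME trace and return … */
    }
    /* copy only the quoted path; the terminator replaces the closing quote */
    memcpy(command, start + 1, len * sizeof(WCHAR));
    command[len] = 0;
    /* … unchanged: rest of the quoted-command branch … */
```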
......