regedit: Validate REG_SZ import data before processing it any further.

Signed-off-by: Hugh McMaster <hugh.mcmaster@outlook.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

regedit: Validate REG_SZ import data before processing it any further.
9aff5c88 · Hugh McMaster · Alexandre Julliard · 0481f31d · 9aff5c88 · 9aff5c88
Commit 9aff5c88 authored Apr 25, 2017 by Hugh McMaster Committed by Alexandre Julliard Apr 25, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 15 deletions

regproc.c programs/regedit/regproc.c +22 -8

regedit.c programs/regedit/tests/regedit.c +7 -7

No files found.
--- a/programs/regedit/regproc.c
+++ b/programs/regedit/regproc.c
@@ -264,13 +264,19 @@ static DWORD getDataType(LPWSTR *lpValue, DWORD* parse_type)
 }
 /******************************************************************************
- * Replaces escape sequences with the characters.
+ * Replaces escape sequences with their character equivalents and
+ * null-terminates the string on the first non-escaped double quote.
+ *
+ * Assigns a pointer to the remaining unparsed data in the line.
+ * Returns TRUE or FALSE to indicate whether a closing double quote was found.
 */
-static int REGPROC_unescape_string(WCHAR* str)
+static BOOL REGPROC_unescape_string(WCHAR *str, WCHAR **unparsed)
 {
    int str_idx = 0;            /* current character under analysis */
    int val_idx = 0;            /* the last character of the unescaped string */
    int len = lstrlenW(str);
+    BOOL ret;
    for (str_idx = 0; str_idx < len; str_idx++, val_idx++) {
        if (str[str_idx] == '\\') {
            str_idx++;
@@ -293,12 +299,17 @@ static int REGPROC_unescape_string(WCHAR* str)
                str[val_idx] = str[str_idx];
                break;
            }
+        } else if (str[str_idx] == '"') {
+            break;
        } else {
            str[val_idx] = str[str_idx];
        }
    }
+    ret = (str[str_idx] == '"');
+    *unparsed = str + str_idx + 1;
    str[val_idx] = '\0';
-    return val_idx;
+    return ret;
 }
 static HKEY parseKeyName(LPWSTR lpKeyName, LPWSTR *lpKeyPath)
@@ -397,12 +408,14 @@ static LONG setValue(WCHAR* val_name, WCHAR* val_data, BOOL is_unicode)
    if (dwParseType == REG_SZ)          /* no conversion for string */
    {
-        dwLen = REGPROC_unescape_string(val_data);
+        WCHAR *line;
-        if(!dwLen || val_data[dwLen-1] != '"')
+        if (!REGPROC_unescape_string(val_data, &line))
+            return ERROR_INVALID_DATA;
+        while (*line == ' ' || *line == '\t') line++;
+        if (*line && *line != ';')
            return ERROR_INVALID_DATA;
-        val_data[dwLen-1] = '\0'; /* remove last quotes */
        lpbData = (BYTE*) val_data;
-        dwLen = dwLen * sizeof(WCHAR); /* size is in bytes */
+        dwLen = (lstrlenW(val_data) + 1) * sizeof(WCHAR); /* size is in bytes */
    }
    else if (dwParseType == REG_DWORD)  /* Convert the dword types */
    {
@@ -520,6 +533,7 @@ static void processSetValue(WCHAR* line, BOOL is_unicode)
 {
    WCHAR* val_name;                   /* registry value name   */
    WCHAR* val_data;                   /* registry value data   */
+    WCHAR* p;
    int line_idx = 0;                 /* current character under analysis */
    LONG res;
@@ -570,7 +584,7 @@ static void processSetValue(WCHAR* line, BOOL is_unicode)
    while (line_idx > 0 && isspaceW(val_data[line_idx-1])) line_idx--;
    val_data[line_idx] = '\0';
-    REGPROC_unescape_string(val_name);
+    REGPROC_unescape_string(val_name, &p);
    res = setValue(val_name, val_data, is_unicode);
    if ( res != ERROR_SUCCESS )
        output_message(STRING_SETVALUE_FAILED, val_name, currentKeyName);

--- a/programs/regedit/tests/regedit.c
+++ b/programs/regedit/tests/regedit.c
@@ -560,8 +560,8 @@ static void test_invalid_import(void)
                    "[HKEY_CURRENT_USER\\" KEY_BASE "]\n"
                    "\"Test15a\"=\"foo\"bar\"\n"
                    "\"Test15b\"=\"foo\"\"bar\"\n\n");
-    todo_wine verify_reg_nonexist(hkey, "Test15a");
+    verify_reg_nonexist(hkey, "Test15a");
-    todo_wine verify_reg_nonexist(hkey, "Test15b");
+    verify_reg_nonexist(hkey, "Test15b");
    exec_import_str("REGEDIT4\n\n"
                    "[HKEY_CURRENT_USER\\" KEY_BASE "]\n"
@@ -607,7 +607,7 @@ static void test_comments(void)
                    "\"Wine5\"=dword:01020304 #comment\n"
                    "\"Wine6\"=dword:02040608 ;comment\n\n");
    verify_reg_nonexist(hkey, "Wine3");
-    todo_wine verify_reg(hkey, "Wine4", REG_SZ, "Value 2", 8, 0);
+    verify_reg(hkey, "Wine4", REG_SZ, "Value 2", 8, 0);
    verify_reg_nonexist(hkey, "Wine5");
    dword = 0x2040608;
    verify_reg(hkey, "Wine6", REG_DWORD, &dword, sizeof(dword), 0);
@@ -639,9 +639,9 @@ static void test_comments(void)
    verify_reg_nonexist(hkey, "Comment2");
    verify_reg_nonexist(hkey, "Comment3");
    verify_reg_nonexist(hkey, "Comment4");
-    todo_wine verify_reg_nonexist(hkey, "Wine11");
+    verify_reg_nonexist(hkey, "Wine11");
    verify_reg_nonexist(hkey, "Comment5");
-    verify_reg(hkey, "Wine12", REG_SZ, "Value 7", 8, TODO_REG_SIZE|TODO_REG_DATA);
+    verify_reg(hkey, "Wine12", REG_SZ, "Value 7", 8, 0);
    verify_reg_nonexist(hkey, "Comment6");
    exec_import_str("REGEDIT4\n\n"
@@ -690,8 +690,8 @@ static void test_comments(void)
                    "\"Wine26b\"=\"Value2\"\t\t;comment\n"
                    "\"Wine26c\"=\"Value3\"  #comment\n"
                    "\"Wine26d\"=\"Value4\"\t\t#comment\n\n");
-    todo_wine verify_reg(hkey, "Wine26a", REG_SZ, "Value1", 7, 0);
+    verify_reg(hkey, "Wine26a", REG_SZ, "Value1", 7, 0);
-    todo_wine verify_reg(hkey, "Wine26b", REG_SZ, "Value2", 7, 0);
+    verify_reg(hkey, "Wine26b", REG_SZ, "Value2", 7, 0);
    verify_reg_nonexist(hkey, "Wine26c");
    verify_reg_nonexist(hkey, "Wine26d");