- avoid buffer overflow in copy command argument handling

See issue #3108 for more details. svn path=/trunk/; revision=32822
2024-10-05 17:06:29 +00:00 · 2008-04-02 18:51:36 +00:00 · 2008-04-02 18:51:36 +00:00 · 2f9dde596f
parent e8d184da14
commit 2f9dde596f
1 changed files with 14 additions and 2 deletions
--- a/reactos/base/shell/cmd/copy.c
+++ b/reactos/base/shell/cmd/copy.c
@ -485,6 +485,7 @@ INT cmd_copy (LPTSTR cmd, LPTSTR param)
                        LoadString(CMD_ModuleHandle, STRING_ERROR_INVALID_SWITCH, szMsg, RC_STRING_MAX_SIZE);
                        ConOutPrintf(szMsg, _totupper(arg[i][1]));
                        nErrorLevel = 1;
+						freep (arg);
                        return 1;
                        break;
                }
@ -504,8 +505,19 @@ INT cmd_copy (LPTSTR cmd, LPTSTR param)
                /* Add these onto the source string
                   this way we can do all checks
                    directly on source string later on */
-                _tcscat(arg[nSrc],arg[i]);
-                nFiles--;
+				TCHAR * ptr;
+				int length = (_tcslen(arg[nSrc]) +_tcslen(arg[i]) + _tcslen(arg[i+1]) + 1) * sizeof(TCHAR);
+				ptr = cmd_alloc(length);
+				if (ptr)
+				{
+					_tcscpy(ptr, arg[nSrc]);
+					_tcscat(ptr, arg[i]);
+					_tcscat(ptr, arg[i+1]);
+					cmd_free(arg[nSrc]);
+					arg[nSrc] = ptr;
+					i++;
+					nFiles -= 2;
+				}
            }
            else if(nDes == -1)
            {