Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-08-05 17:52:56 +00:00
Code Issues Projects Releases Packages Wiki Activity

- avoid buffer overflow in copy command argument handling

Browse source 
See issue #3108 for more details.

svn path=/trunk/; revision=32822
This commit is contained in:
Johannes Anderwald 2008-04-02 18:51:36 +00:00
parent e8d184da14
commit 2f9dde596f
1 changed files with 14 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

16
reactos/base/shell/cmd/copy.c
View file

@ -485,6 +485,7 @@ INT cmd_copy (LPTSTR cmd, LPTSTR param)
LoadString(CMD_ModuleHandle, STRING_ERROR_INVALID_SWITCH, szMsg, RC_STRING_MAX_SIZE); LoadString(CMD_ModuleHandle, STRING_ERROR_INVALID_SWITCH, szMsg, RC_STRING_MAX_SIZE);
ConOutPrintf(szMsg, _totupper(arg[i][1])); ConOutPrintf(szMsg, _totupper(arg[i][1]));
nErrorLevel = 1; nErrorLevel = 1;
freep (arg);
return 1; return 1;
break; break;
} }
@ -504,8 +505,19 @@ INT cmd_copy (LPTSTR cmd, LPTSTR param)
/* Add these onto the source string /* Add these onto the source string
this way we can do all checks this way we can do all checks
directly on source string later on */ directly on source string later on */
_tcscat(arg[nSrc],arg[i]); TCHAR * ptr;
nFiles--; int length = (_tcslen(arg[nSrc]) +_tcslen(arg[i]) + _tcslen(arg[i+1]) + 1) * sizeof(TCHAR);
ptr = cmd_alloc(length);
if (ptr)
{
_tcscpy(ptr, arg[nSrc]);
_tcscat(ptr, arg[i]);
_tcscat(ptr, arg[i+1]);
cmd_free(arg[nSrc]);
arg[nSrc] = ptr;
i++;
nFiles -= 2;
}
} }
else if(nDes == -1) else if(nDes == -1)
{ {