From 47d9985bb478e719fd89bc0eb9033f26b3325240 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Wed, 13 Jul 2016 00:06:09 +0000
Subject: [PATCH] [CONSRV] - Fix potential Out-of-bounds access during string copy/concatenation. CID 1322098. - Fix check for NULL after potential dereference. CID 1322175.
svn path=/trunk/; revision=71913
---
 reactos/win32ss/user/winsrv/concfg/settings.c | 11 +++++------
 .../user/winsrv/consrv/frontends/gui/conwnd.c | 12 +++++-------
 2 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/reactos/win32ss/user/winsrv/concfg/settings.c b/reactos/win32ss/user/winsrv/concfg/settings.c
index bf95a578f78..0b5787639c2 100644
--- a/reactos/win32ss/user/winsrv/concfg/settings.c
+++ b/reactos/win32ss/user/winsrv/concfg/settings.c
@@ -102,13 +102,12 @@ TranslateConsoleName(OUT LPWSTR DestString,
 wLength = GetWindowsDirectoryW(DestString, MaxStrLen);
 if ((wLength > 0) && (_wcsnicmp(ConsoleName, DestString, wLength) == 0))
 {
- wcsncpy(DestString, L"%SystemRoot%", MaxStrLen);
- // FIXME: Fix possible buffer overflows there !!!!!
- wcsncat(DestString, ConsoleName + wLength, MaxStrLen);
+ StringCchCopyW(DestString, MaxStrLen, L"%SystemRoot%");
+ StringCchCatW(DestString, MaxStrLen, ConsoleName + wLength);
 }
 else
 {
- wcsncpy(DestString, ConsoleName, MaxStrLen);
+ StringCchCopyW(DestString, MaxStrLen, ConsoleName);
 }
 /* Replace path separators (backslashes) by underscores */
@@ -155,10 +154,10 @@ ConCfgOpenUserSettings(LPCWSTR ConsoleTitle,
 * to make the registry happy, replace all the
 * backslashes by underscores.
 */
- TranslateConsoleName(szBuffer2, ConsoleTitle, MAX_PATH);
+ TranslateConsoleName(szBuffer2, ConsoleTitle, ARRAYSIZE(szBuffer2));
 /* Create the registry path */
- wcsncat(szBuffer, szBuffer2, MAX_PATH - wcslen(szBuffer) - 1);
+ StringCchCatW(szBuffer, MAX_PATH - wcslen(szBuffer) - 1, szBuffer2);
 /* Create or open the registry key */
 if (Create)
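Review bot: The `StringCchCopyW`/`StringCchCatW` calls added in `TranslateConsoleName` discard their `HRESULT`, so an over-long console name is now truncated silently rather than overflowing. The second hunk shows the result being appended to a registry path, so two distinct long titles could end up mapped to the same settings key without any diagnostic. I would keep the result, e.g. `hr = StringCchCatW(DestString, MaxStrLen, ConsoleName + wLength);`, and either treat `STRSAFE_E_INSUFFICIENT_BUFFER` as a failure or add a comment stating that truncation is accepted here. The function's signature and return type are outside this hunk, so how an error would be reported to the caller needs checking.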
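Review bot: The added `StringCchCatW` call under `/* Create the registry path */` passes `MAX_PATH - wcslen(szBuffer) - 1` as its second argument, but that parameter is the total capacity of the destination in characters, not the remaining space that `wcsncat` expected. With the remaining-space value the function treats the buffer as smaller than it is: once the prefix already in `szBuffer` reaches roughly half of `MAX_PATH` the call fails without appending anything, and shorter prefixes get a key name truncated earlier than necessary, with the ignored return value hiding both cases. Assuming `szBuffer` holds `MAX_PATH` characters (its declaration is outside the hunk), the call should be `StringCchCatW(szBuffer, MAX_PATH, szBuffer2);`, or use `ARRAYSIZE(szBuffer)` if it is a local array like `szBuffer2`. `ConCfgOpenUserSettings` starts before and continues after this hunk.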
diff --git a/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c b/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c
index 2ff93b9c044..e55ba7096ff 100644
--- a/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c
+++ b/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c
@@ -1455,15 +1455,16 @@ OnNcDestroy(HWND hWnd)
 {
 PGUI_CONSOLE_DATA GuiData = GuiGetGuiData(hWnd);
- if (GuiData->IsWindowVisible)
- {
- KillTimer(hWnd, CONGUI_UPDATE_TIMER);
- }
+ /* Free the GuiData registration */
+ SetWindowLongPtrW(hWnd, GWLP_USERDATA, (DWORD_PTR)NULL);
 GetSystemMenu(hWnd, TRUE);
 if (GuiData)
 {
+ if (GuiData->IsWindowVisible)
+ KillTimer(hWnd, CONGUI_UPDATE_TIMER);
+
 /* Free the terminal framebuffer */
 if (GuiData->hMemDC ) DeleteDC(GuiData->hMemDC);
 if (GuiData->hBitmap) DeleteObject(GuiData->hBitmap);
@@ -1471,9 +1472,6 @@ OnNcDestroy(HWND hWnd)
 DeleteFonts(GuiData);
 }
- /* Free the GuiData registration */
- SetWindowLongPtrW(hWnd, GWLP_USERDATA, (DWORD_PTR)NULL);
-
 return DefWindowProcW(hWnd, WM_NCDESTROY, 0, 0);
 }
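Review bot: The comment on the relocated `SetWindowLongPtrW` call still reads `/* Free the GuiData registration */` and does not say why it now runs before the teardown in the first hunk. If the intent is that nothing handled during the cleanup below can fetch a half-destroyed `GuiData` through the window's user data, the comment should say so, e.g. `/* Unregister GuiData first so nothing can retrieve it while it is torn down */`. The new `if (GuiData->IsWindowVisible)` guard is also split over two lines without braces, whereas the removed version was braced; `if (GuiData->IsWindowVisible) { KillTimer(hWnd, CONGUI_UPDATE_TIMER); }` keeps the guard unambiguous next to the one-line `if` statements that follow. The body of `OnNcDestroy` continues into the second hunk.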