Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-05-29 14:08:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

[CONSRV]

Browse source 
- Fix potential Out-of-bounds access during string copy/concatenation. CID 1322098.
- Fix check for NULL after potential dereference. CID 1322175.

svn path=/trunk/; revision=71913
This commit is contained in:
Hermès Bélusca-Maïto 2016-07-13 00:06:09 +00:00
parent a5b76eb779
commit 47d9985bb4
2 changed files with 10 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
reactos/win32ss/user/winsrv/concfg/settings.c
View file

@ -102,13 +102,12 @@ TranslateConsoleName(OUT LPWSTR DestString,
wLength = GetWindowsDirectoryW(DestString, MaxStrLen);
if ((wLength > 0) && (_wcsnicmp(ConsoleName, DestString, wLength) == 0))
{
wcsncpy(DestString, L"%SystemRoot%", MaxStrLen);
// FIXME: Fix possible buffer overflows there !!!!!
wcsncat(DestString, ConsoleName + wLength, MaxStrLen);
StringCchCopyW(DestString, MaxStrLen, L"%SystemRoot%");
StringCchCatW(DestString, MaxStrLen, ConsoleName + wLength);
}
else
{
wcsncpy(DestString, ConsoleName, MaxStrLen);
StringCchCopyW(DestString, MaxStrLen, ConsoleName);
}
/* Replace path separators (backslashes) by underscores */
@ -155,10 +154,10 @@ ConCfgOpenUserSettings(LPCWSTR ConsoleTitle,
* to make the registry happy, replace all the
* backslashes by underscores.
*/
TranslateConsoleName(szBuffer2, ConsoleTitle, MAX_PATH);
TranslateConsoleName(szBuffer2, ConsoleTitle, ARRAYSIZE(szBuffer2));
/* Create the registry path */
wcsncat(szBuffer, szBuffer2, MAX_PATH - wcslen(szBuffer) - 1);
StringCchCatW(szBuffer, MAX_PATH - wcslen(szBuffer) - 1, szBuffer2);
/* Create or open the registry key */
if (Create)

12
reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c
View file

@ -1455,15 +1455,16 @@ OnNcDestroy(HWND hWnd)
{
PGUI_CONSOLE_DATA GuiData = GuiGetGuiData(hWnd);
if (GuiData->IsWindowVisible)
{
KillTimer(hWnd, CONGUI_UPDATE_TIMER);
}
/* Free the GuiData registration */
SetWindowLongPtrW(hWnd, GWLP_USERDATA, (DWORD_PTR)NULL);
GetSystemMenu(hWnd, TRUE);
if (GuiData)
{
if (GuiData->IsWindowVisible)
KillTimer(hWnd, CONGUI_UPDATE_TIMER);
/* Free the terminal framebuffer */
if (GuiData->hMemDC ) DeleteDC(GuiData->hMemDC);
if (GuiData->hBitmap) DeleteObject(GuiData->hBitmap);
@ -1471,9 +1472,6 @@ OnNcDestroy(HWND hWnd)
DeleteFonts(GuiData);
}
/* Free the GuiData registration */
SetWindowLongPtrW(hWnd, GWLP_USERDATA, (DWORD_PTR)NULL);
return DefWindowProcW(hWnd, WM_NCDESTROY, 0, 0);
}