From b4575eccd77c37eb1c3132660c288e91ac378ed9 Mon Sep 17 00:00:00 2001
From: Katayama Hirofumi MZ <katayama.hirofumi.mz@gmail.com>
Date: Fri, 16 Sep 2022 17:59:48 +0900
Subject: [PATCH] [USER32] Don't allow invalid 'IME File' values

Improve security. CORE-11700
---
 win32ss/user/user32/windows/input.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/win32ss/user/user32/windows/input.c b/win32ss/user/user32/windows/input.c
index a9aac9e82a3..39ad3ab951f 100644
--- a/win32ss/user/user32/windows/input.c
+++ b/win32ss/user/user32/windows/input.c
@@ -801,7 +801,11 @@ IntLoadKeyboardLayout(
             {
                 WCHAR szPath[MAX_PATH];
                 GetSystemLibraryPath(szPath, _countof(szPath), szImeFileName);
-                if (GetFileAttributesW(szPath) == INVALID_FILE_ATTRIBUTES) /* Does not exist? */
+
+                /* We don't allow the invalid "IME File" values for security reason */
+                if (dwType != REG_SZ || szImeFileName[0] == 0 ||
+                    wcsspn(szImeFileName, L":\\/") != wcslen(szImeFileName) ||
+                    GetFileAttributesW(szPath) == INVALID_FILE_ATTRIBUTES) /* Does not exist? */
                 {
                     bIsIME = FALSE;
                     wHigh = 0;