Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-04-27 17:10:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ADVAPI32] Fix a buffer overflow in RegQueryValueExA

Browse source 
The code was trying to check whether the output string was already NULL terminated by RtlUnicodeToMultiByteN before NULL terminating it by checking DataStr[*count - 1] for a NULL terminator. But since RtlUnicodeToMultiByteSize always returns the size without the NULL terminator, DataStr[*count - 1] would always be the last actual character, never an optional NULL terminator.
For 0 sized strings this would actually lead to accessing the output buffer at position -1 (on 32 bit)  or 0xFFFFFFFF (on 64 bit).
Fix this by removing the check. This fixes a crash in advapi32_winetest:registry on x64.
This commit is contained in:
Timo Kreuzer 2022-12-10 14:07:16 +02:00
parent 2154e259e7
commit c5158963a3
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
dll/win32/advapi32/reg/reg.c
View file

@ -4088,6 +4088,7 @@ RegQueryValueExA(
/* We don't need this anymore */
RtlFreeUnicodeString(&nameW);
/* Get the length for the multi-byte string (without the terminating NULL!) */
DataLength = *count;
RtlUnicodeToMultiByteSize(count, Buffer, BufferSize);
@ -4101,7 +4102,7 @@ RegQueryValueExA(
RtlUnicodeToMultiByteN(DataStr, DataLength, NULL, Buffer, BufferSize);
/* NULL-terminate if there is enough room */
if ((DataLength > *count) && (DataStr[*count - 1] != '\0'))
if (DataLength > *count)
DataStr[*count] = '\0';
RtlFreeHeap(RtlGetProcessHeap(), 0, Buffer);