Fix buffer read past end problem. (#5146)

Fixes crashes in regedit-find affecting CORE-15896 and CORE-18230. After the RegQueryValueExW call, append 3 zero bytes to guarantee that the data ends with a UNICODE NULL.
Doug Lyons 2023-03-14 20:57:54 -05:00 committed by GitHub
parent 44b2a46d03
commit cce3eb9393
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -223,7 +223,7 @@ BOOL RegFindRecurse(
NULL, &cb); NULL, &cb);
if (lResult != ERROR_SUCCESS) if (lResult != ERROR_SUCCESS)
goto err; goto err;
pb = malloc(cb); pb = malloc(cb + 3); /* To avoid buffer overrun, append 3 NULs */
if (pb == NULL) if (pb == NULL)
goto err; goto err;
lResult = RegQueryValueExW(hSubKey, ppszNames[i], NULL, &type, lResult = RegQueryValueExW(hSubKey, ppszNames[i], NULL, &type,
@ -231,6 +231,11 @@ BOOL RegFindRecurse(
if (lResult != ERROR_SUCCESS) if (lResult != ERROR_SUCCESS)
goto err; goto err;
/* To avoid buffer overrun, append 3 NUL bytes.
NOTE: cb can be an odd number although UNICODE_NULL is two bytes.
Two bytes at odd position is not enough to avoid buffer overrun. */
pb[cb] = pb[cb + 1] = pb[cb + 2] = 0;
if ((s_dwFlags & RSF_LOOKATDATA) && if ((s_dwFlags & RSF_LOOKATDATA) &&
CompareData(type, (LPWSTR) pb, s_szFindWhat)) CompareData(type, (LPWSTR) pb, s_szFindWhat))
{ {