Author: weiden
Date: Wed Aug 1 17:34:48 2007
New Revision: 28072
URL: http://svn.reactos.org/svn/reactos?rev=28072&view=rev
Log:
Fix buffer overflow bug in mkdir command
See issue #2499 for more details.
Modified:
trunk/reactos/base/shell/cmd/internal.c
Modified: trunk/reactos/base/shell/cmd/internal.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/shell/cmd/internal.c?…
==============================================================================
--- trunk/reactos/base/shell/cmd/internal.c (original)
+++ trunk/reactos/base/shell/cmd/internal.c Wed Aug 1 17:34:48 2007
@@ -463,7 +463,7 @@
{
LPTSTR dir; /* pointer to the directory to change to */
LPTSTR place; /* used to search for the \ when no space is used */
- LPTSTR *p = NULL;
+ LPTSTR new_dir, *p = NULL;
INT argc;
nErrorLevel = 0;
if (!_tcsncmp (param, _T("/?"), 2))
@@ -482,7 +482,13 @@
break;
if (*place)
- dir = place;
+ {
+ argc = 0;
+ if (add_entry(&argc, &p, place))
+ dir = place;
+ else
+ dir = NULL;
+ }
else
/* signal that there are no parameters */
dir = NULL;
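Review bot: In the `if (*place)` branch, `dir` is still set to `place`, which points into the caller's `param` string, while the last hunk passes `dir` to `cmd_realloc` and stores the result back into `p[0]`. That later code is only valid if `dir` is the heap block held in `p[0]`. `add_entry` is not shown here, but if it stores its own copy of `place`, this branch hands `cmd_realloc` a pointer the allocator never returned, and the copy in `p[0]` is overwritten and leaked. Assigning from the array instead, `dir = p[0];`, would keep the two hunks consistent. The enclosing function starts and ends outside the hunk, so the `split` path that normally fills `p` should be checked against the same assumption.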
@@ -512,7 +518,14 @@
/* Add a \ at the end of the path is there isnt on already */
if (dir[_tcslen (dir) - 1] != _T('\\'))
- _tcscat(dir,_T("\\"));
+ {
+ new_dir = cmd_realloc(dir, (_tcslen (dir) + 2) * sizeof(TCHAR));
+ if (new_dir != NULL)
+ {
+ p[0] = dir = new_dir;
+ _tcscat(dir,_T("\\"));
+ }
+ }
if (!MakeFullPath(dir))
{
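Review bot: When `cmd_realloc` returns NULL, the new block skips `_tcscat` and falls through to `MakeFullPath(dir)` without the trailing backslash the preceding comment asks for, so an out-of-memory condition is never reported. An explicit failure branch such as `else { nErrorLevel = 1; /* report out of memory, leave via the normal cleanup */ }` would make it visible; the cleanup path is outside the hunk, so the exact exit has to match it. Separately, the unchanged test `dir[_tcslen (dir) - 1]` reads one element before the buffer if `dir` can ever be an empty string. A guard like `dir[0] != _T('\0') &&` in front of it would rule that out, unless earlier code not visible here already guarantees a non-empty path.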