[ros-diffs] [tfaber] 60804: [SHELL32] - Handle invalid cbSize in Shell_NotifyIcon[AW]. Patch by Ivan Rodionov. - Use FIELD_OFFSET for variable-length structure CORE-7164

Author: tfaber Date: Thu Oct 31 16:21:57 2013 New Revision: 60804 URL: http://svn.reactos.org/svn/reactos?rev=60804&view=rev Log: [SHELL32] - Handle invalid cbSize in Shell_NotifyIcon[AW]. Patch by Ivan Rodionov. - Use FIELD_OFFSET for variable-length structure CORE-7164 Modified: trunk/reactos/dll/win32/shell32/systray.cpp Modified: trunk/reactos/dll/win32/shell32/systray.cpp URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/shell32/systray.… ============================================================================== --- trunk/reactos/dll/win32/shell32/systray.cpp [iso-8859-1] (original) +++ trunk/reactos/dll/win32/shell32/systray.cpp [iso-8859-1] Thu Oct 31 16:21:57 2013 @@ -21,6 +21,8 @@ #include "precomp.h" +WINE_DEFAULT_DEBUG_CHANNEL(shell); + /* copy data structure for tray notifications */ typedef struct TrayNotifyCDS_Dummy { DWORD cookie; @@ -29,13 +31,13 @@ } TrayNotifyCDS_Dummy; /* The only difference between Shell_NotifyIconA and Shell_NotifyIconW is the call to SendMessageA/W. */ -static BOOL SHELL_NotifyIcon(DWORD dwMessage, void* pnid, HWND nid_hwnd, int nid_size, BOOL unicode) +static BOOL SHELL_NotifyIcon(DWORD dwMessage, void* pnid, HWND nid_hwnd, DWORD nid_size, BOOL unicode) { HWND hwnd; COPYDATASTRUCT data; BOOL ret = FALSE; - int len = sizeof(TrayNotifyCDS_Dummy) - sizeof(DWORD) + nid_size; + int len = FIELD_OFFSET(TrayNotifyCDS_Dummy, nicon_data) + nid_size; TrayNotifyCDS_Dummy* pnotify_data = (TrayNotifyCDS_Dummy*) alloca(len); @@ -61,7 +63,21 @@ */ BOOL WINAPI Shell_NotifyIconA(DWORD dwMessage, PNOTIFYICONDATAA pnid) { - return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, pnid->cbSize, FALSE); + DWORD cbSize; + + /* Validate the cbSize as Windows XP does */ + if (pnid->cbSize != NOTIFYICONDATAA_V1_SIZE && + pnid->cbSize != NOTIFYICONDATAA_V2_SIZE && + pnid->cbSize != sizeof(NOTIFYICONDATAA)) + { + WARN("Invalid cbSize (%d) - using only Win95 fields (size=%d)\n", + pnid->cbSize, NOTIFYICONDATAA_V1_SIZE); + cbSize = NOTIFYICONDATAA_V1_SIZE; + } + else + cbSize = pnid->cbSize; + + return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, cbSize, FALSE); } /************************************************************************* @@ -69,5 +85,19 @@ */ BOOL WINAPI Shell_NotifyIconW(DWORD dwMessage, PNOTIFYICONDATAW pnid) { - return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, pnid->cbSize, TRUE); + DWORD cbSize; + + /* Validate the cbSize so that WM_COPYDATA doesn't crash the application */ + if (pnid->cbSize != NOTIFYICONDATAW_V1_SIZE && + pnid->cbSize != NOTIFYICONDATAW_V2_SIZE && + pnid->cbSize != sizeof(NOTIFYICONDATAW)) + { + WARN("Invalid cbSize (%d) - using only Win95 fields (size=%d)\n", + pnid->cbSize, NOTIFYICONDATAW_V1_SIZE); + cbSize = NOTIFYICONDATAA_V1_SIZE; + } + else + cbSize = pnid->cbSize; + + return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, cbSize, TRUE); }