https://git.reactos.org/?p=reactos.git;a=commitdiff;h=ff63ef3c55b82796008453...
commit ff63ef3c55b82796008453d049bc50df80b4c4a6 Author: Thomas Faber thomas.faber@reactos.org AuthorDate: Sun Aug 5 12:57:25 2018 +0200 Commit: Thomas Faber thomas.faber@reactos.org CommitDate: Sun Aug 5 12:58:35 2018 +0200
[MSCONFIG] Fix buffer overflow when handling long service command lines. --- base/applications/msconfig/srvpage.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/base/applications/msconfig/srvpage.c b/base/applications/msconfig/srvpage.c
index 4acdf2523e..044a512bab 100644
--- a/base/applications/msconfig/srvpage.c
+++ b/base/applications/msconfig/srvpage.c
@@ -233,14 +233,23 @@ GetServices ( void )
 }
 }
- memset(&FileName, 0, MAX_PATH);
- if (_tcscspn(pServiceConfig->lpBinaryPathName, _T(""")))
+ if (pServiceConfig->lpBinaryPathName[0] != _T('"'))
 {
- _tcsncpy(FileName, pServiceConfig->lpBinaryPathName, _tcscspn(pServiceConfig->lpBinaryPathName, _T(" ")) );
+ /* Assume everything before the first space is the binary path */
+ /* FIXME: This is a reasonable heuristic but some
+ * services use unquoted paths with spaces */
+ StringCchCopyN(FileName,
+ _countof(FileName),
+ pServiceConfig->lpBinaryPathName,
+ _tcscspn(pServiceConfig->lpBinaryPathName, _T(" ")));
 }
 else
 {
- _tcscpy(FileName, pServiceConfig->lpBinaryPathName);
+ /* Binary path is inside the quotes */
+ StringCchCopyN(FileName,
+ _countof(FileName),
+ pServiceConfig->lpBinaryPathName + 1,
+ _tcscspn(pServiceConfig->lpBinaryPathName + 1, _T(""")));
 }
HeapFree(GetProcessHeap(), 0, pServiceConfig);
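Review bot: Both `StringCchCopyN` calls discard their HRESULT, so a binary path longer than `FileName` is now silently truncated rather than overflowing, and whatever consumes `FileName` after this hunk (not visible here) would act on a partial path. Checking the result and clearing the buffer on failure keeps a truncated name from being treated as a real file: wrap each call as `if (FAILED(StringCchCopyN(FileName, _countof(FileName), src, len)))` followed by `FileName[0] = _T('\0');`. `_countof(FileName)` is only correct if `FileName` is declared as an array in the part of `GetServices` outside the hunk, which is worth confirming. A short comment such as `/* StringCchCopyN always NUL-terminates, so the buffer no longer needs zeroing first */` would explain why the `memset` was dropped.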