Author: janderwald Date: Wed Apr 2 13:51:36 2008 New Revision: 32822
URL: http://svn.reactos.org/svn/reactos?rev=32822&view=rev Log: - avoid buffer overflow in copy command argument handling
See issue #3108 for more details.
Modified: trunk/reactos/base/shell/cmd/copy.c
Modified: trunk/reactos/base/shell/cmd/copy.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/shell/cmd/copy.c?rev=3...
==============================================================================
--- trunk/reactos/base/shell/cmd/copy.c [iso-8859-1] (original)
+++ trunk/reactos/base/shell/cmd/copy.c [iso-8859-1] Wed Apr 2 13:51:36 2008
@@ -485,6 +485,7 @@
 LoadString(CMD_ModuleHandle, STRING_ERROR_INVALID_SWITCH, szMsg, RC_STRING_MAX_SIZE);
 ConOutPrintf(szMsg, _totupper(arg[i][1]));
 nErrorLevel = 1;
+ freep (arg);
 return 1;
 break;
 }
@@ -504,8 +505,19 @@
 /* Add these onto the source string this way we can do all checks directly on source string later on */
- _tcscat(arg[nSrc],arg[i]);
- nFiles--;
+ TCHAR * ptr;
+ int length = (_tcslen(arg[nSrc]) +_tcslen(arg[i]) + _tcslen(arg[i+1]) + 1) * sizeof(TCHAR);
+ ptr = cmd_alloc(length);
+ if (ptr)
+ {
+ _tcscpy(ptr, arg[nSrc]);
+ _tcscat(ptr, arg[i]);
+ _tcscat(ptr, arg[i+1]);
+ cmd_free(arg[nSrc]);
+ arg[nSrc] = ptr;
+ i++;
+ nFiles -= 2;
+ }
 }
 else if(nDes == -1)
 {
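Review bot: In the second hunk the new concatenation reads `arg[i+1]` in both the length computation and the last `_tcscat` with no visible check that an argument actually follows the `+`, so a `+` given as the final argument would hand an out-of-range (or NULL) entry to `_tcslen`. The loop bound and the branch condition are outside the hunk, so confirm whether they already rule this out; if not, compare `i + 1` against the argument count before touching `arg[i+1]` and report a syntax error otherwise. When `cmd_alloc` fails the block is skipped silently, leaving `i` and `nFiles` unadjusted, so the `+` is dropped and the following argument is presumably processed as a separate one; an explicit failure path that mirrors the cleanup added in the first hunk would be safer, `else { nErrorLevel = 1; freep (arg); return 1; }`. `length` is computed from `size_t` operands but stored in an `int`; declaring it `size_t` avoids the narrowing conversion on the value passed to `cmd_alloc`.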