Author: tfaber
Date: Thu Oct 31 16:21:57 2013
New Revision: 60804
URL:
http://svn.reactos.org/svn/reactos?rev=60804&view=rev
Log:
[SHELL32]
- Handle invalid cbSize in Shell_NotifyIcon[AW]. Patch by Ivan Rodionov.
- Use FIELD_OFFSET for variable-length structure
CORE-7164
Modified:
trunk/reactos/dll/win32/shell32/systray.cpp
Modified: trunk/reactos/dll/win32/shell32/systray.cpp
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/shell32/systray.…
==============================================================================
--- trunk/reactos/dll/win32/shell32/systray.cpp [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/shell32/systray.cpp [iso-8859-1] Thu Oct 31 16:21:57 2013
@@ -21,6 +21,8 @@
#include "precomp.h"
+WINE_DEFAULT_DEBUG_CHANNEL(shell);
+
/* copy data structure for tray notifications */
typedef struct TrayNotifyCDS_Dummy {
DWORD cookie;
@@ -29,13 +31,13 @@
} TrayNotifyCDS_Dummy;
/* The only difference between Shell_NotifyIconA and Shell_NotifyIconW is the call to
SendMessageA/W. */
-static BOOL SHELL_NotifyIcon(DWORD dwMessage, void* pnid, HWND nid_hwnd, int nid_size,
BOOL unicode)
+static BOOL SHELL_NotifyIcon(DWORD dwMessage, void* pnid, HWND nid_hwnd, DWORD nid_size,
BOOL unicode)
{
HWND hwnd;
COPYDATASTRUCT data;
BOOL ret = FALSE;
- int len = sizeof(TrayNotifyCDS_Dummy) - sizeof(DWORD) + nid_size;
+ int len = FIELD_OFFSET(TrayNotifyCDS_Dummy, nicon_data) + nid_size;
TrayNotifyCDS_Dummy* pnotify_data = (TrayNotifyCDS_Dummy*) alloca(len);
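Review bot: `len` stays an `int` although nid_size is now a DWORD, so the sum on the changed line is computed unsigned and then narrowed to a signed value before it reaches alloca(). Declaring it as `DWORD len = FIELD_OFFSET(TrayNotifyCDS_Dummy, nicon_data) + nid_size;` keeps one type through the calculation. Because nid_size sizes a stack allocation, a comment above the function such as `/* nid_size must already be validated by the caller; it sizes an alloca() */` would record that the bound depends on the checks in Shell_NotifyIconA/W. The function body continues outside the hunk.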
@@ -61,7 +63,21 @@
*/
BOOL WINAPI Shell_NotifyIconA(DWORD dwMessage, PNOTIFYICONDATAA pnid)
{
- return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, pnid->cbSize, FALSE);
+ DWORD cbSize;
+
+ /* Validate the cbSize as Windows XP does */
+ if (pnid->cbSize != NOTIFYICONDATAA_V1_SIZE &&
+ pnid->cbSize != NOTIFYICONDATAA_V2_SIZE &&
+ pnid->cbSize != sizeof(NOTIFYICONDATAA))
+ {
+ WARN("Invalid cbSize (%d) - using only Win95 fields (size=%d)\n",
+ pnid->cbSize, NOTIFYICONDATAA_V1_SIZE);
+ cbSize = NOTIFYICONDATAA_V1_SIZE;
+ }
+ else
+ cbSize = pnid->cbSize;
+
+ return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, cbSize, FALSE);
}
/*************************************************************************
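Review bot: The clamped `cbSize` in Shell_NotifyIconA only limits how many bytes are copied; the `cbSize` field inside the copied structure still holds the caller's invalid value. Unless SHELL_NotifyIcon rewrites that field (its body is outside the visible hunks), the WM_COPYDATA receiver gets a payload whose embedded size disagrees with the bytes actually sent. Either store the validated size into the copy, or document the contract with a comment such as `/* the copied structure keeps the caller's cbSize; the receiver must bound reads by COPYDATASTRUCT.cbData */`. The same applies to the Shell_NotifyIconW hunk below. Separately, both WARN calls print a DWORD with `%d`; `%lu` matches the argument type where DWORD is an unsigned long.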
@@ -69,5 +85,19 @@
*/
BOOL WINAPI Shell_NotifyIconW(DWORD dwMessage, PNOTIFYICONDATAW pnid)
{
- return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, pnid->cbSize, TRUE);
+ DWORD cbSize;
+
+ /* Validate the cbSize so that WM_COPYDATA doesn't crash the application */
+ if (pnid->cbSize != NOTIFYICONDATAW_V1_SIZE &&
+ pnid->cbSize != NOTIFYICONDATAW_V2_SIZE &&
+ pnid->cbSize != sizeof(NOTIFYICONDATAW))
+ {
+ WARN("Invalid cbSize (%d) - using only Win95 fields (size=%d)\n",
+ pnid->cbSize, NOTIFYICONDATAW_V1_SIZE);
+ cbSize = NOTIFYICONDATAA_V1_SIZE;
+ }
+ else
+ cbSize = pnid->cbSize;
+
+ return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, cbSize, TRUE);
}
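Review bot: The fallback branch in Shell_NotifyIconW assigns `cbSize = NOTIFYICONDATAA_V1_SIZE;`, the ANSI constant, although the WARN just above it reports NOTIFYICONDATAW_V1_SIZE. The ANSI V1 structure is smaller than the Unicode one because szTip is CHAR rather than WCHAR. The copied payload therefore stops partway through szTip, and the receiver gets a Unicode structure cut short, possibly with no terminator inside the copied bytes. The line should read `cbSize = NOTIFYICONDATAW_V1_SIZE;`.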