[tfaber] 60804: [SHELL32] - Handle invalid cbSize in Shell_NotifyIcon[AW]. Patch by Ivan Rodionov. - Use FIELD_OFFSET for variable-length structure CORE-7164
31 Oct
2013
31 Oct
'13
4:21 p.m.
Author: tfaber
Date: Thu Oct 31 16:21:57 2013
New Revision: 60804
URL: http://svn.reactos.org/svn/reactos?rev=60804&view=rev
Log:
[SHELL32]
- Handle invalid cbSize in Shell_NotifyIcon[AW]. Patch by Ivan Rodionov.
- Use FIELD_OFFSET for variable-length structure
CORE-7164
Modified:
trunk/reactos/dll/win32/shell32/systray.cpp
Modified: trunk/reactos/dll/win32/shell32/systray.cpp
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/shell32/systray.…
==============================================================================
--- trunk/reactos/dll/win32/shell32/systray.cpp [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/shell32/systray.cpp [iso-8859-1] Thu Oct 31 16:21:57 2013
@@ -21,6 +21,8 @@
#include "precomp.h"
+WINE_DEFAULT_DEBUG_CHANNEL(shell);
+
/* copy data structure for tray notifications */
typedef struct TrayNotifyCDS_Dummy {
DWORD cookie;
@@ -29,13 +31,13 @@
} TrayNotifyCDS_Dummy;
/* The only difference between Shell_NotifyIconA and Shell_NotifyIconW is the call to
SendMessageA/W. */
-static BOOL SHELL_NotifyIcon(DWORD dwMessage, void* pnid, HWND nid_hwnd, int nid_size,
BOOL unicode)
+static BOOL SHELL_NotifyIcon(DWORD dwMessage, void* pnid, HWND nid_hwnd, DWORD nid_size,
BOOL unicode)
{
HWND hwnd;
COPYDATASTRUCT data;
BOOL ret = FALSE;
- int len = sizeof(TrayNotifyCDS_Dummy) - sizeof(DWORD) + nid_size;
+ int len = FIELD_OFFSET(TrayNotifyCDS_Dummy, nicon_data) + nid_size;
TrayNotifyCDS_Dummy* pnotify_data = (TrayNotifyCDS_Dummy*) alloca(len);
@@ -61,7 +63,21 @@
*/
BOOL WINAPI Shell_NotifyIconA(DWORD dwMessage, PNOTIFYICONDATAA pnid)
{
- return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, pnid->cbSize, FALSE);
+ DWORD cbSize;
+
+ /* Validate the cbSize as Windows XP does */
+ if (pnid->cbSize != NOTIFYICONDATAA_V1_SIZE &&
+ pnid->cbSize != NOTIFYICONDATAA_V2_SIZE &&
+ pnid->cbSize != sizeof(NOTIFYICONDATAA))
+ {
+ WARN("Invalid cbSize (%d) - using only Win95 fields (size=%d)\n",
+ pnid->cbSize, NOTIFYICONDATAA_V1_SIZE);
+ cbSize = NOTIFYICONDATAA_V1_SIZE;
+ }
+ else
+ cbSize = pnid->cbSize;
+
+ return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, cbSize, FALSE);
}
/*************************************************************************
@@ -69,5 +85,19 @@
*/
BOOL WINAPI Shell_NotifyIconW(DWORD dwMessage, PNOTIFYICONDATAW pnid)
{
- return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, pnid->cbSize, TRUE);
+ DWORD cbSize;
+
+ /* Validate the cbSize so that WM_COPYDATA doesn't crash the application */
+ if (pnid->cbSize != NOTIFYICONDATAW_V1_SIZE &&
+ pnid->cbSize != NOTIFYICONDATAW_V2_SIZE &&
+ pnid->cbSize != sizeof(NOTIFYICONDATAW))
+ {
+ WARN("Invalid cbSize (%d) - using only Win95 fields (size=%d)\n",
+ pnid->cbSize, NOTIFYICONDATAW_V1_SIZE);
+ cbSize = NOTIFYICONDATAA_V1_SIZE;
+ }
+ else
+ cbSize = pnid->cbSize;
+
+ return SHELL_NotifyIcon(dwMessage, pnid, pnid->hWnd, cbSize, TRUE);
}
4033
days inactive
4033
days old
0 comments
1 participants
participants (1)
-
tfaber@svn.reactos.org