Author: janderwald Date: Sat Sep 6 12:33:17 2014 New Revision: 64050
URL: http://svn.reactos.org/svn/reactos?rev=64050&view=rev Log: [SHELL32] - rewrite _ILCreateFontItem - fix a buffer overflow
Modified: trunk/reactos/dll/win32/shell32/folders/fonts.cpp
Modified: trunk/reactos/dll/win32/shell32/folders/fonts.cpp
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/shell32/folders/f...
==============================================================================
--- trunk/reactos/dll/win32/shell32/folders/fonts.cpp [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/shell32/folders/fonts.cpp [iso-8859-1] Sat Sep 6 12:33:17 2014
@@ -78,30 +78,28 @@
 static LPITEMIDLIST _ILCreateFontItem(LPWSTR pszFont, LPWSTR pszFile)
 {
-    PIDLDATA tmp;
     LPITEMIDLIST pidl;
-    PIDLFontStruct * p;
-    int size0 = (char*)&tmp.u.cfont.szName - (char*)&tmp.u.cfont;
-    int size = size0;
-
-    tmp.type = 0x00;
-    tmp.u.cfont.dummy = 0xFF;
-    tmp.u.cfont.offsFile = wcslen(pszFont) + 1;
-
-    size += (tmp.u.cfont.offsFile + wcslen(pszFile) + 1) * sizeof(WCHAR);
-
-    pidl = (LPITEMIDLIST)SHAlloc(size + 4);
+    LPPIDLDATA data;
+    int length = wcslen(pszFont) + 1;
+    int size = sizeof(PIDLDATA) + sizeof(ITEMIDLIST);
+
+    size += length * sizeof(WCHAR);
+    size += (wcslen(pszFile) + 1) * sizeof(WCHAR);
+
+    pidl = (LPITEMIDLIST)SHAlloc(size + 5);
     if (!pidl)
         return pidl;
-    pidl->mkid.cb = size + 2;
-    memcpy(pidl->mkid.abID, &tmp, 2 + size0);
-
-    p = &((PIDLDATA*)pidl->mkid.abID)->u.cfont;
-    wcscpy(p->szName, pszFont);
-    wcscpy(p->szName + tmp.u.cfont.offsFile, pszFile);
-
-    *(WORD*)((char*)pidl + (size + 2)) = 0;
+    ZeroMemory(pidl, size + 5);
+    pidl->mkid.cb = size + 3;
+
+    data = _ILGetDataPointer(pidl);
+    data->type = 0x00;
+    data->u.cfont.dummy = 0xFF;
+    data->u.cfont.offsFile = length;
+    wcscpy(data->u.cfont.szName, pszFont);
+    wcscpy(&data->u.cfont.szName[length], pszFile);
+
     return pidl;
 }
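Review bot: `pidl->mkid.cb = size + 3;` stores an `int` into the USHORT `cb` of SHITEMID with no range check, and `length` (also an `int` taken from `wcslen`) goes into `offsFile`, which is narrower than `int` in Wine's PIDLFontStruct if ReactOS keeps that layout. A font name plus path long enough to push `size` past 65535 would wrap `cb` while both strings are still copied into the correctly sized allocation, so the item would advertise a shorter length than its payload; a guard before the allocation, `if (size + 5 > USHRT_MAX) return NULL;`, closes that, and declaring `length` and `size` as `size_t` removes the signed/unsigned conversions from `wcslen` and `sizeof`. The `+ 5` and `+ 3` constants are also unexplained; a comment stating what each extra byte covers (two of them are the zero SHITEMID terminator that `ZeroMemory` leaves in place) would spare the next reader the arithmetic.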
@@ -607,7 +605,7 @@
     {
         if (StrFormatByteSizeW(FileSize.QuadPart, buffer, sizeof(buffer) / sizeof(WCHAR)))
         {
-            psd->str.pOleStr = (LPWSTR)CoTaskMemAlloc(wcslen(buffer) + 1);
+            psd->str.pOleStr = (LPWSTR)CoTaskMemAlloc((wcslen(buffer) + 1) * sizeof(WCHAR));
             if (!psd->str.pOleStr)
             {
                 CloseHandle(hFile);
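Review bot: The corrected byte count is right, but the allocate-then-copy pair is easier to get wrong than `SHStrDupW(buffer, &psd->str.pOleStr)`, which does the CoTaskMemAlloc and the copy in one call and returns an HRESULT to check in place of the NULL test. The copy into `pOleStr` that follows this line lies outside the hunk, as does the rest of the enclosing function, so I could not confirm it writes at most `wcslen(buffer) + 1` WCHARs; if the separate allocation is kept, a comment such as `/* byte count: WCHARs incl. terminator */` on the CoTaskMemAlloc line would document why the multiplication is there.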