Author: weiden Date: Wed Aug 1 17:34:48 2007 New Revision: 28072 URL: http://svn.reactos.org/svn/reactos?rev=28072&view=rev Log: Fix buffer overflow bug in mkdir command See issue #2499 for more details. Modified: trunk/reactos/base/shell/cmd/internal.c Modified: trunk/reactos/base/shell/cmd/internal.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/shell/cmd/internal.c?… ============================================================================== --- trunk/reactos/base/shell/cmd/internal.c (original) +++ trunk/reactos/base/shell/cmd/internal.c Wed Aug 1 17:34:48 2007 @@ -463,7 +463,7 @@ { LPTSTR dir; /* pointer to the directory to change to */ LPTSTR place; /* used to search for the \ when no space is used */ - LPTSTR *p = NULL; + LPTSTR new_dir, *p = NULL; INT argc; nErrorLevel = 0; if (!_tcsncmp (param, _T("/?"), 2)) @@ -482,7 +482,13 @@ break; if (*place) - dir = place; + { + argc = 0; + if (add_entry(&argc, &p, place)) + dir = place; + else + dir = NULL; + } else /* signal that there are no parameters */ dir = NULL; @@ -512,7 +518,14 @@ /* Add a \ at the end of the path is there isnt on already */ if (dir[_tcslen (dir) - 1] != _T('\\')) - _tcscat(dir,_T("\\")); + { + new_dir = cmd_realloc(dir, (_tcslen (dir) + 2) * sizeof(TCHAR)); + if (new_dir != NULL) + { + p[0] = dir = new_dir; + _tcscat(dir,_T("\\")); + } + } if (!MakeFullPath(dir)) {