[weiden] 28072: Fix buffer overflow bug in mkdir command See issue #2499 for more details. - Ros-diffs

1 Aug 2007

Author: weiden
Date: Wed Aug  1 17:34:48 2007
New Revision: 28072
URL: http://svn.reactos.org/svn/reactos?rev=28072&view=rev
Log:
Fix buffer overflow bug in mkdir command
See issue #2499 for more details.
Modified:
    trunk/reactos/base/shell/cmd/internal.c
Modified: trunk/reactos/base/shell/cmd/internal.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/shell/cmd/internal.c?r...
==============================================================================

--- trunk/reactos/base/shell/cmd/internal.c (original)
+++ trunk/reactos/base/shell/cmd/internal.c Wed Aug  1 17:34:48 2007
@@ -463,7 +463,7 @@
 {
    LPTSTR dir;		/* pointer to the directory to change to */
    LPTSTR place;	/* used to search for the \ when no space is used */
-	LPTSTR *p = NULL;
+	LPTSTR new_dir, *p = NULL;
    INT argc;
    nErrorLevel = 0;
    if (!_tcsncmp (param, _T("/?"), 2))
@@ -482,7 +482,13 @@
    			break;
if (*place)
-			dir = place;
+		{
+			argc = 0;
+			if (add_entry(&argc, &p, place))
+				dir = place;
+			else
+				dir = NULL;
+		}
    	else
    		/* signal that there are no parameters */
    		dir = NULL;
@@ -512,7 +518,14 @@
/* Add a \ at the end of the path is there isnt on already */
    if (dir[_tcslen (dir) - 1] != _T('\'))
-		_tcscat(dir,_T("\"));
+	{
+		new_dir = cmd_realloc(dir, (_tcslen (dir) + 2) * sizeof(TCHAR));
+		if (new_dir != NULL)
+		{
+			p[0] = dir = new_dir;
+			_tcscat(dir,_T("\"));
+		}
+	}
if (!MakeFullPath(dir))
     {

    