https://git.reactos.org/?p=reactos.git;a=commitdiff;h=ff63ef3c55b8279600845…
commit ff63ef3c55b82796008453d049bc50df80b4c4a6
Author: Thomas Faber <thomas.faber(a)reactos.org>
AuthorDate: Sun Aug 5 12:57:25 2018 +0200
Commit: Thomas Faber <thomas.faber(a)reactos.org>
CommitDate: Sun Aug 5 12:58:35 2018 +0200
[MSCONFIG] Fix buffer overflow when handling long service command lines.
---
base/applications/msconfig/srvpage.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/base/applications/msconfig/srvpage.c b/base/applications/msconfig/srvpage.c
index 4acdf2523e..044a512bab 100644
--- a/base/applications/msconfig/srvpage.c
+++ b/base/applications/msconfig/srvpage.c
@@ -233,14 +233,23 @@ GetServices ( void )
}
}
- memset(&FileName, 0, MAX_PATH);
- if (_tcscspn(pServiceConfig->lpBinaryPathName,
_T("\"")))
+ if (pServiceConfig->lpBinaryPathName[0] != _T('"'))
{
- _tcsncpy(FileName, pServiceConfig->lpBinaryPathName,
_tcscspn(pServiceConfig->lpBinaryPathName, _T(" ")) );
+ /* Assume everything before the first space is the binary path
*/
+ /* FIXME: This is a reasonable heuristic but some
+ * services use unquoted paths with spaces */
+ StringCchCopyN(FileName,
+ _countof(FileName),
+ pServiceConfig->lpBinaryPathName,
+ _tcscspn(pServiceConfig->lpBinaryPathName,
_T(" ")));
}
else
{
- _tcscpy(FileName, pServiceConfig->lpBinaryPathName);
+ /* Binary path is inside the quotes */
+ StringCchCopyN(FileName,
+ _countof(FileName),
+ pServiceConfig->lpBinaryPathName + 1,
+ _tcscspn(pServiceConfig->lpBinaryPathName + 1,
_T("\"")));
}
HeapFree(GetProcessHeap(), 0, pServiceConfig);
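Review bot: Both `StringCchCopyN` calls discard their HRESULT, so a binary path longer than `FileName` is now silently truncated instead of overflowing, and the truncated string is presumably still handed to whatever consumes `FileName` after this hunk. A truncated path can name a different file than the one the service actually runs, so any information derived from it may be misleading. Consider capturing the result in both branches and clearing the buffer on failure, e.g. `hr = StringCchCopyN(FileName, _countof(FileName), ...);` followed by `if (FAILED(hr)) FileName[0] = _T('\0');`. In the quoted branch, a missing closing quote makes `_tcscspn` return the length of the entire remaining string, which the same check would catch when it exceeds the buffer. GetServices starts and ends outside the hunk, so the declaration of `FileName` and its later use are not visible here.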