[hbelusca] 71913: [CONSRV] - Fix potential Out-of-bounds access during string copy/concatenation. CID 1322098. - Fix check for NULL after potential dereference. CID 1322175. - Ros-diffs

13 Jul 2016

Author: hbelusca
Date: Wed Jul 13 00:06:09 2016
New Revision: 71913

URL: http://svn.reactos.org/svn/reactos?rev=71913&view=rev
Log:
[CONSRV]
- Fix potential Out-of-bounds access during string copy/concatenation. CID 1322098.
- Fix check for NULL after potential dereference. CID 1322175.

Modified:
    trunk/reactos/win32ss/user/winsrv/concfg/settings.c
    trunk/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c

Modified: trunk/reactos/win32ss/user/winsrv/concfg/settings.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/winsrv/concfg…
==============================================================================

--- trunk/reactos/win32ss/user/winsrv/concfg/settings.c	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/winsrv/concfg/settings.c	[iso-8859-1] Wed Jul 13 00:06:09
2016
@@ -102,13 +102,12 @@
     wLength = GetWindowsDirectoryW(DestString, MaxStrLen);
     if ((wLength > 0) && (_wcsnicmp(ConsoleName, DestString, wLength) == 0))
     {
-        wcsncpy(DestString, L"%SystemRoot%", MaxStrLen);
-        // FIXME: Fix possible buffer overflows there !!!!!
-        wcsncat(DestString, ConsoleName + wLength, MaxStrLen);
+        StringCchCopyW(DestString, MaxStrLen, L"%SystemRoot%");
+        StringCchCatW(DestString, MaxStrLen, ConsoleName + wLength);
     }
     else
     {
-        wcsncpy(DestString, ConsoleName, MaxStrLen);
+        StringCchCopyW(DestString, MaxStrLen, ConsoleName);
     }
 
     /* Replace path separators (backslashes) by underscores */
@@ -155,10 +154,10 @@
      * to make the registry happy, replace all the
      * backslashes by underscores.
      */
-    TranslateConsoleName(szBuffer2, ConsoleTitle, MAX_PATH);
+    TranslateConsoleName(szBuffer2, ConsoleTitle, ARRAYSIZE(szBuffer2));
 
     /* Create the registry path */
-    wcsncat(szBuffer, szBuffer2, MAX_PATH - wcslen(szBuffer) - 1);
+    StringCchCatW(szBuffer, MAX_PATH - wcslen(szBuffer) - 1, szBuffer2);
 
     /* Create or open the registry key */
     if (Create)

Modified: trunk/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/winsrv/consrv…
==============================================================================
--- trunk/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c	[iso-8859-1]
(original)
+++ trunk/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c	[iso-8859-1] Wed Jul
13 00:06:09 2016
@@ -1455,24 +1455,22 @@
 {
     PGUI_CONSOLE_DATA GuiData = GuiGetGuiData(hWnd);
 
-    if (GuiData->IsWindowVisible)
-    {
-        KillTimer(hWnd, CONGUI_UPDATE_TIMER);
-    }
+    /* Free the GuiData registration */
+    SetWindowLongPtrW(hWnd, GWLP_USERDATA, (DWORD_PTR)NULL);
 
     GetSystemMenu(hWnd, TRUE);
 
     if (GuiData)
     {
+        if (GuiData->IsWindowVisible)
+            KillTimer(hWnd, CONGUI_UPDATE_TIMER);
+
         /* Free the terminal framebuffer */
         if (GuiData->hMemDC ) DeleteDC(GuiData->hMemDC);
         if (GuiData->hBitmap) DeleteObject(GuiData->hBitmap);
         // if (GuiData->hSysPalette) DeleteObject(GuiData->hSysPalette);
         DeleteFonts(GuiData);
     }
-
-    /* Free the GuiData registration */
-    SetWindowLongPtrW(hWnd, GWLP_USERDATA, (DWORD_PTR)NULL);
 
     return DefWindowProcW(hWnd, WM_NCDESTROY, 0, 0);
 }



    