commit cce3eb93931163db4e463650e6f44e451e77a239
Author: Doug Lyons <douglyons(a)douglyons.com>
AuthorDate: Tue Mar 14 20:57:54 2023 -0500
Commit: GitHub <noreply(a)github.com>
CommitDate: Wed Mar 15 10:57:54 2023 +0900
Fix buffer read past end problem. (#5146)
Fixes crashes in regedit-find affecting CORE-15896 and CORE-18230. After the
RegQueryValueExW call, append 3 zero bytes to guarantee that the data ends with a UNICODE NULL.
---
base/applications/regedit/find.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/base/applications/regedit/find.c b/base/applications/regedit/find.c
index df5c0959347..c970a53cf51 100644
--- a/base/applications/regedit/find.c
+++ b/base/applications/regedit/find.c
@@ -223,7 +223,7 @@ BOOL RegFindRecurse(
NULL, &cb);
if (lResult != ERROR_SUCCESS)
goto err;
- pb = malloc(cb);
+ pb = malloc(cb + 3); /* To avoid buffer overrun, append 3 NULs */
if (pb == NULL)
goto err;
lResult = RegQueryValueExW(hSubKey, ppszNames[i], NULL, &type,
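Review bot: The new size computation `malloc(cb + 3)` on the `pb = malloc` line is unchecked: if `cb` is a DWORD (its declaration is outside the hunk), a value within 3 of the type's maximum wraps to a tiny allocation that the following RegQueryValueExW call is then told has `cb` bytes of room. Registry value data is bounded in practice, so this is hardening rather than a live bug, but a one-line guard before the allocation keeps the size honest, e.g. `if (cb > MAXDWORD - 3) goto err;`. The new comment on that line also gives the effect rather than the reason; `/* +3 so the data can be NUL-terminated even when cb is odd */` would match the explanation in the second hunk. RegFindRecurse starts and ends outside this hunk, and the second RegQueryValueExW call continues past its last line.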
@@ -231,6 +231,11 @@ BOOL RegFindRecurse(
if (lResult != ERROR_SUCCESS)
goto err;
+ /* To avoid buffer overrun, append 3 NUL bytes.
+ NOTE: cb can be an odd number although UNICODE_NULL is two bytes.
+ Two bytes at odd position is not enough to avoid buffer overrun. */
+ pb[cb] = pb[cb + 1] = pb[cb + 2] = 0;
+
if ((s_dwFlags & RSF_LOOKATDATA) &&
CompareData(type, (LPWSTR) pb, s_szFindWhat))
{