https://git.reactos.org/?p=reactos.git;a=commitdiff;h=cce3eb93931163db4e4636...
commit cce3eb93931163db4e463650e6f44e451e77a239 Author: Doug Lyons douglyons@douglyons.com AuthorDate: Tue Mar 14 20:57:54 2023 -0500 Commit: GitHub noreply@github.com CommitDate: Wed Mar 15 10:57:54 2023 +0900
Fix buffer read past end problem. (#5146)
Fixes crashes in regedit-find affecting CORE-15896 and CORE-18230. After the RegQueryValueExW call, append 3 zero bytes to guarantee that the data will end with a UNICODE NULL. --- base/applications/regedit/find.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/base/applications/regedit/find.c b/base/applications/regedit/find.c
index df5c0959347..c970a53cf51 100644
--- a/base/applications/regedit/find.c
+++ b/base/applications/regedit/find.c
@@ -223,7 +223,7 @@ BOOL RegFindRecurse(
 NULL, &cb);
 if (lResult != ERROR_SUCCESS)
 goto err;
- pb = malloc(cb);
+ pb = malloc(cb + 3); /* To avoid buffer overrun, append 3 NULs */
 if (pb == NULL)
 goto err;
 lResult = RegQueryValueExW(hSubKey, ppszNames[i], NULL, &type,
@@ -231,6 +231,11 @@ BOOL RegFindRecurse(
 if (lResult != ERROR_SUCCESS)
 goto err;
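Review bot: On the replaced allocation line `pb = malloc(cb + 3)`, the addition is done in the width of cb (presumably the DWORD filled by the size query just above), so a size within 3 of that type's maximum wraps to a tiny allocation that the second RegQueryValueExW, which appears to receive cb as the buffer length, would then write past; a guard before the allocation, `if (cb > MAXDWORD - 3) goto err;`, closes that path. The trailing comment also reads as if malloc itself appends the NULs, whereas this line only reserves room for the padding written after the query in the next hunk; `/* +3: room for the NUL padding written after the query below */` describes what the line does. RegFindRecurse's body begins before and continues past this hunk.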
+ /* To avoid buffer overrun, append 3 NUL bytes.
+ NOTE: cb can be an odd number although UNICODE_NULL is two bytes.
+ Two bytes at odd position is not enough to avoid buffer overrun. */
+ pb[cb] = pb[cb + 1] = pb[cb + 2] = 0;
+
 if ((s_dwFlags & RSF_LOOKATDATA) &&
 CompareData(type, (LPWSTR) pb, s_szFindWhat))
 {