https://git.reactos.org/?p=reactos.git;a=commitdiff;h=b4575eccd77c37eb1c313…
commit b4575eccd77c37eb1c3132660c288e91ac378ed9
Author: Katayama Hirofumi MZ <katayama.hirofumi.mz(a)gmail.com>
AuthorDate: Fri Sep 16 17:59:48 2022 +0900
Commit: Katayama Hirofumi MZ <katayama.hirofumi.mz(a)gmail.com>
CommitDate: Fri Sep 16 18:01:19 2022 +0900
[USER32] Don't allow invalid 'IME File' values
Improve security. CORE-11700
---
win32ss/user/user32/windows/input.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/win32ss/user/user32/windows/input.c b/win32ss/user/user32/windows/input.c
index a9aac9e82a3..39ad3ab951f 100644
--- a/win32ss/user/user32/windows/input.c
+++ b/win32ss/user/user32/windows/input.c
@@ -801,7 +801,11 @@ IntLoadKeyboardLayout(
{
WCHAR szPath[MAX_PATH];
GetSystemLibraryPath(szPath, _countof(szPath), szImeFileName);
- if (GetFileAttributesW(szPath) == INVALID_FILE_ATTRIBUTES) /* Does not
exist? */
+
+ /* We don't allow the invalid "IME File" values for
security reason */
+ if (dwType != REG_SZ || szImeFileName[0] == 0 ||
+ wcsspn(szImeFileName, L":\\/") != wcslen(szImeFileName) ||
+ GetFileAttributesW(szPath) == INVALID_FILE_ATTRIBUTES) /* Does not
exist? */
{
bIsIME = FALSE;
wHigh = 0;
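Review bot: The `wcsspn` test in the new condition is inverted, so it rejects every ordinary IME file name instead of only the unsafe ones. `wcsspn` returns the length of the leading run made up solely of `:`, `\` and `/`, which is 0 for a plain file name and therefore never equals `wcslen(szImeFileName)`, so the branch always sets `bIsIME = FALSE`. The complement-span function matches the intent stated in the comment: `wcscspn(szImeFileName, L":\\/") != wcslen(szImeFileName) ||` is true only when the value contains a drive colon or a path separator. It would also be cleaner to validate the name before `GetSystemLibraryPath` builds `szPath` from it, so an unvalidated registry value never reaches path construction. The body of `IntLoadKeyboardLayout` starts and ends outside this hunk, so whether `dwType` is reliably set when the registry read fails cannot be confirmed from here.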