[vdagent-win PATCH 11/13] Fix some minor buffer overflows reading registry informations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Strings in the registry can be not NUL-terminated.
Current code to make sure they are NUL-terminated can add an extra
NUL character at the end of the buffer.
Also RegQueryValueEx returns the number of bytes read, not the number
of characters so the value must be fixed to avoid overflows.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 vdagent/display_setting.cpp | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/vdagent/display_setting.cpp b/vdagent/display_setting.cpp
index 25a248e..5585bb5 100644
--- a/vdagent/display_setting.cpp
+++ b/vdagent/display_setting.cpp
@@ -285,7 +285,7 @@ bool DisplaySetting::disable_wallpaper()
 bool DisplaySetting::reload_wallpaper(HKEY desktop_reg_key)
 {
     TCHAR wallpaper_path[MAX_PATH + 1];
-    DWORD value_size = sizeof(wallpaper_path);
+    DWORD value_size = sizeof(wallpaper_path) - sizeof(wallpaper_path[0]);
     DWORD value_type;
     LONG status;
     TCHAR cur_wallpaper[MAX_PATH + 1];
@@ -303,7 +303,8 @@ bool DisplaySetting::reload_wallpaper(HKEY desktop_reg_key)
         return false;
     }
 
-    if (wallpaper_path[value_size - 1] != '\0') {
+    value_size /= sizeof(wallpaper_path[0]);
+    if (!value_size || wallpaper_path[value_size - 1] != '\0') {
         wallpaper_path[value_size] = '\0';
     }
 
@@ -338,8 +339,8 @@ bool DisplaySetting::disable_font_smoothing()
 
 bool DisplaySetting::reload_font_smoothing(HKEY desktop_reg_key)
 {
-    CHAR smooth_value[4];
-    DWORD value_size = sizeof(smooth_value);
+    CHAR smooth_value[4+1];
+    DWORD value_size = sizeof(smooth_value)-1;
     DWORD value_type;
     LONG status;
     BOOL cur_font_smooth;
@@ -357,7 +358,7 @@ bool DisplaySetting::reload_font_smoothing(HKEY desktop_reg_key)
         return false;
     }
 
-    if (smooth_value[value_size - 1] != '\0') {
+    if (!value_size || smooth_value[value_size - 1] != '\0') {
         smooth_value[value_size] = '\0';
     }
 
@@ -411,8 +412,8 @@ bool DisplaySetting::disable_animation()
 bool DisplaySetting::reload_win_animation(HKEY desktop_reg_key)
 {
     HKEY win_metrics_hkey;
-    CHAR win_anim_value[4];
-    DWORD value_size = sizeof(win_anim_value);
+    CHAR win_anim_value[4+1];
+    DWORD value_size = sizeof(win_anim_value)-1;
     DWORD value_type;
     LONG status;
     ANIMATIONINFO active_win_animation;
@@ -441,7 +442,7 @@ bool DisplaySetting::reload_win_animation(HKEY desktop_reg_key)
         return false;
     }
 
-    if (win_anim_value[value_size - 1] != '\0') {
+    if (!value_size || win_anim_value[value_size - 1] != '\0') {
         win_anim_value[value_size] = '\0';
     }
 
-- 
2.17.0

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]