reactos/wine
1
0
Fork 0
mirror of https://github.com/reactos/wine.git synced 2025-03-03 18:28:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

advapi32: Fix stack corruption in CredIsMarshaledCredentialW.

Browse Source 
In its currrent implementation, cred_decode with input length 6 writes
6 bytes to the output buffer. This overflows the DWORD passed in
CredIsMarshaledCredentialW.
This commit is contained in:
Thomas Faber 2013-12-20 00:17:35 +01:00 committed by Alexandre Julliard
parent c810f07f40
commit f9fae1b3f6
1 changed files with 4 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
dlls/advapi32/cred.c
View File

@ -2049,7 +2049,6 @@ static BOOL cred_decode( const WCHAR *cred, unsigned int len, char *buf )
buf[i + 0] = (c1 << 6) | c0; buf[i + 0] = (c1 << 6) | c0;
buf[i + 1] = (c2 << 4) | (c1 >> 2); buf[i + 1] = (c2 << 4) | (c1 >> 2);
buf[i + 2] = c2 >> 4;
} }
else if (len == 2) else if (len == 2)
{ {
@ -2057,16 +2056,10 @@ static BOOL cred_decode( const WCHAR *cred, unsigned int len, char *buf )
if ((c1 = char_decode( p[1] )) > 63) return FALSE; if ((c1 = char_decode( p[1] )) > 63) return FALSE;
buf[i + 0] = (c1 << 6) | c0; buf[i + 0] = (c1 << 6) | c0;
buf[i + 1] = c1 >> 2;
buf[i + 2] = 0;
} }
else if (len == 1) else if (len == 1)
{ {
if ((c0 = char_decode( p[0] )) > 63) return FALSE; return FALSE;
buf[i + 0] = c0;
buf[i + 1] = 0;
buf[i + 2] = 0;
} }
return TRUE; return TRUE;
} }
@ -2090,7 +2083,7 @@ BOOL WINAPI CredUnmarshalCredentialW( LPCWSTR cred, PCRED_MARSHAL_TYPE type, PVO
{ {
case CertCredential: case CertCredential:
{ {
char hash[CERT_HASH_LENGTH + 2]; char hash[CERT_HASH_LENGTH];
CERT_CREDENTIAL_INFO *cert; CERT_CREDENTIAL_INFO *cert;
if (len != 27 || !cred_decode( cred + 3, len, hash )) if (len != 27 || !cred_decode( cred + 3, len, hash ))
@ -2108,7 +2101,7 @@ BOOL WINAPI CredUnmarshalCredentialW( LPCWSTR cred, PCRED_MARSHAL_TYPE type, PVO
case UsernameTargetCredential: case UsernameTargetCredential:
{ {
USERNAME_TARGET_CREDENTIAL_INFO *target; USERNAME_TARGET_CREDENTIAL_INFO *target;
ULONGLONG size = 0; DWORD size;
if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) || if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) ||
!size || size % sizeof(WCHAR) || size > INT_MAX) !size || size % sizeof(WCHAR) || size > INT_MAX)
@ -2157,7 +2150,7 @@ BOOL WINAPI CredIsMarshaledCredentialW(LPCWSTR name)
if (name && name[0] == '@' && name[1] == '@' && name[2] > 'A' && name[3]) if (name && name[0] == '@' && name[1] == '@' && name[2] > 'A' && name[3])
{ {
char hash[CERT_HASH_LENGTH + 2]; char hash[CERT_HASH_LENGTH];
int len = strlenW(name + 3 ); int len = strlenW(name + 3 );
DWORD size; DWORD size;