[ros-diffs] [janderwald] 32822: - avoid buffer overflow in copy command argument handling See issue #3108 for more details.
janderwald at svn.reactos.org
janderwald at svn.reactos.org
Wed Apr 2 20:51:37 CEST 2008
Author: janderwald
Date: Wed Apr 2 13:51:36 2008
New Revision: 32822
URL: http://svn.reactos.org/svn/reactos?rev=32822&view=rev
Log:
- avoid buffer overflow in copy command argument handling
See issue #3108 for more details.
Modified:
trunk/reactos/base/shell/cmd/copy.c
Modified: trunk/reactos/base/shell/cmd/copy.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/shell/cmd/copy.c?rev=32822&r1=32821&r2=32822&view=diff
==============================================================================
--- trunk/reactos/base/shell/cmd/copy.c [iso-8859-1] (original)
+++ trunk/reactos/base/shell/cmd/copy.c [iso-8859-1] Wed Apr 2 13:51:36 2008
@@ -485,6 +485,7 @@
LoadString(CMD_ModuleHandle, STRING_ERROR_INVALID_SWITCH, szMsg, RC_STRING_MAX_SIZE);
ConOutPrintf(szMsg, _totupper(arg[i][1]));
nErrorLevel = 1;
+ freep (arg);
return 1;
break;
}
@@ -504,8 +505,19 @@
/* Add these onto the source string
this way we can do all checks
directly on source string later on */
- _tcscat(arg[nSrc],arg[i]);
- nFiles--;
+ TCHAR * ptr;
+ int length = (_tcslen(arg[nSrc]) +_tcslen(arg[i]) + _tcslen(arg[i+1]) + 1) * sizeof(TCHAR);
+ ptr = cmd_alloc(length);
+ if (ptr)
+ {
+ _tcscpy(ptr, arg[nSrc]);
+ _tcscat(ptr, arg[i]);
+ _tcscat(ptr, arg[i+1]);
+ cmd_free(arg[nSrc]);
+ arg[nSrc] = ptr;
+ i++;
+ nFiles -= 2;
+ }
}
else if(nDes == -1)
{
More information about the Ros-diffs
mailing list