Avoid buffer overflows in builtin dll loading (with the help of Dmitry

Timoshkov).
2000-09-01 01:26:16 +00:00 · 2000-09-01 01:26:16 +00:00 · 07f3844542
parent 60cf612b59
commit 07f3844542
2 changed files with 15 additions and 7 deletions
--- a/if1632/builtin.c
+++ b/if1632/builtin.c
@ -136,16 +136,19 @@ static HMODULE16 BUILTIN_DoLoadModule16( const BUILTIN16_DESCRIPTOR *descr )
 */
 HMODULE16 BUILTIN_LoadModule( LPCSTR name )
 {
-    char dllname[16], *p;
+    char dllname[20], *p;
    void *handle;
    int i;
    /* Fix the name in case we have a full path and extension */
    if ((p = strrchr( name, '\\' ))) name = p + 1;
-    lstrcpynA( dllname, name, sizeof(dllname) );
+    if ((p = strrchr( name, '/' ))) name = p + 1;
    if (strlen(name) >= sizeof(dllname)-4) return (HMODULE16)2;
    strcpy( dllname, name );
    p = strrchr( dllname, '.' );
    if (!p) strcat( dllname, ".dll" );
    for (i = 0; i < nb_dlls; i++)
--- a/relay32/builtin32.c
+++ b/relay32/builtin32.c
@ -264,15 +264,19 @@ WINE_MODREF *BUILTIN32_LoadLibraryExA(LPCSTR path, DWORD flags)
 {
    HMODULE module;
    WINE_MODREF   *wm;
-    char           dllname[MAX_PATH], *p;
+    char dllname[20], *p;
    LPCSTR name;
    void *handle;
    int i;
    /* Fix the name in case we have a full path and extension */
-    if ((p = strrchr( path, '\\' ))) p++;
+    name = path;
-    else p = (char *)path; 
+    if ((p = strrchr( name, '\\' ))) name = p + 1;
-    lstrcpynA( dllname, p, sizeof(dllname) );
+    if ((p = strrchr( name, '/' ))) name = p + 1;
    if (strlen(name) >= sizeof(dllname)-4) goto error;
    strcpy( dllname, name );
    p = strrchr( dllname, '.' );
    if (!p) strcat( dllname, ".dll" );
@ -288,6 +292,7 @@ WINE_MODREF *BUILTIN32_LoadLibraryExA(LPCSTR path, DWORD flags)
        BUILTIN32_dlclose( handle );
    }
 error:
    SetLastError( ERROR_FILE_NOT_FOUND );
    return NULL;