
server: Fix buffer overrun in map_view handler.

Because of padding at the end of the struct, sizeof(*view) is greater
than offsetof(struct memory_view, name[0]). Change the allocation to
overallocate slightly instead of underallocating slightly.
This commit is contained in:
Alex Henrie 2022-11-30 23:34:58 -07:00 committed by Alexandre Julliard
parent 4aac4e7c67
commit 94d6e616e2


@ -1212,7 +1212,7 @@ DECL_HANDLER(map_view)
if (!req->mapping) /* image mapping for a .so dll */
{
if (get_req_data_size() > sizeof(view->image)) namelen = get_req_data_size() - sizeof(view->image);
if (!(view = mem_alloc( offsetof( struct memory_view, name[namelen] )))) return;
if (!(view = mem_alloc( sizeof(struct memory_view) + namelen * sizeof(WCHAR) ))) return;
memset( view, 0, sizeof(*view) );
view->base = req->base;
view->size = req->size;
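Review bot: The new allocation size on the changed mem_alloc line mixes units: the line just above derives namelen as a byte count (request data size minus sizeof(view->image)), yet the size expression multiplies it by sizeof(WCHAR) as though it were a character count, so the name area is reserved twice over rather than "slightly" overallocated as the description says. The bound is safe, but it is hard to audit because a reader has to check how namelen is used further down in map_view, which is outside this hunk. If namelen stays a byte count, `if (!(view = mem_alloc( sizeof(*view) + namelen ))) return;` expresses the intended bound directly, since sizeof(*view) already covers the trailing padding that made the offsetof form too small; otherwise a comment such as `/* namelen is in bytes; the extra factor only overallocates */` should sit on that line. The memset of sizeof(*view) on the following line remains within the allocation under either form.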