Bug 139764 - buffer overflow parsing plugin information
Summary: buffer overflow parsing plugin information
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Windows 7
Importance: P2 Normal
Assignee: Nobody
Reported: 2014-12-17 21:43 PST by Bevan Collins
Modified: 2016-03-22 09:56 PDT
Attachments
patch (288 bytes, patch)
2014-12-17 21:43 PST, Bevan Collins
Description Bevan Collins 2014-12-17 21:43:44 PST
Created attachment 243481
patch

getVersionInfo in PluginPackageWin.cpp has a buffer overflow. VerQueryValueW returns the size of the buffer in bytes, not TCHARs, for translation values.
Comment 1 Brent Fulgham 2016-03-22 09:56:49 PDT
Thank you for taking the time to report this issue, but the proposed patch is not correct.

According to MSDN <https://msdn.microsoft.com/en-us/library/windows/desktop/ms647464(v=vs.85).aspx>, puLen is defined as "for version information values, the length in characters of the string stored at lplpBuffer". Since we are only retrieving version information content, not translation array or root block values, the character count is the correct size.

Since we are calling the wide-character variant of VerQueryValue (VerQueryValueW), the value we get back is a buffer of UCHAR, and the count is the number of these UCHAR characters.
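As an added illustration of the two puLen units discussed above (not code from WebKit or from the attached patch): a portable C++ sketch in which `queryValue` stands in for VerQueryValueW and follows the documented contract, a byte count for the translation array and a character count for string values, so the caller must size each result differently. The resource contents, the `LangAndCodePage` struct and `queryValue` itself are constructed stand-ins so the sketch builds without windows.h.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Stand-in for the LANGANDCODEPAGE pair stored under \VarFileInfo\Translation.
struct LangAndCodePage { uint16_t language; uint16_t codePage; };

// Constructed version-resource contents (not read from a real PE file).
static const LangAndCodePage kTranslations[] = { {0x0409, 1200}, {0x0407, 1200} };
static const wchar_t kProductName[] = L"Example Product";

// Stand-in for VerQueryValueW, mirroring the documented puLen contract:
// translation arrays report a size in bytes, string values a length in characters.
static bool queryValue(const std::wstring& subBlock, const void** buffer, unsigned* len) {
    if (subBlock == L"\\VarFileInfo\\Translation") {
        *buffer = kTranslations;
        *len = static_cast<unsigned>(sizeof(kTranslations));      // bytes
        return true;
    }
    if (subBlock == L"\\StringFileInfo\\040904B0\\ProductName") {
        *buffer = kProductName;
        *len = static_cast<unsigned>(sizeof(kProductName) / sizeof(wchar_t) - 1); // characters, no NUL
        return true;
    }
    return false;
}

// Translation array: puLen is in bytes, so the entry count is bytes / sizeof(entry).
// Treating that byte count as a character count would walk past the end of the array.
size_t translationCount() {
    const void* p = nullptr;
    unsigned len = 0;
    if (!queryValue(L"\\VarFileInfo\\Translation", &p, &len))
        return 0;
    return len / sizeof(LangAndCodePage);
}

// String value: puLen is already a character count, so it is used directly as the length.
std::wstring productName() {
    const void* p = nullptr;
    unsigned len = 0;
    if (!queryValue(L"\\StringFileInfo\\040904B0\\ProductName", &p, &len))
        return L"";
    return std::wstring(static_cast<const wchar_t*>(p), len);
}
```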