WebKit Bugzilla
RESOLVED INVALID
139764
buffer overflow parsing plugin information
https://bugs.webkit.org/show_bug.cgi?id=139764
Bevan Collins
Reported 2014-12-17 21:43:44 PST

Created attachment 243481
patch

getVersionInfo in PluginPackageWin.cpp has a buffer overflow. VerQueryValueW returns the size of the buffer in bytes, not TCHARs for translation values.
Attachments
patch (288 bytes, patch), 2014-12-17 21:43 PST, Bevan Collins, no flags
Brent Fulgham
Comment 1
2016-03-22 09:56:49 PDT

Thank you for taking the time to report this issue, but the proposed patch is not correct. According to MSDN <https://msdn.microsoft.com/en-us/library/windows/desktop/ms647464(v=vs.85).aspx>, puLen is defined as "for version information values, the length in characters of the string stored at lplpBuffer". Since we are only retrieving version information content, not translation array or root block values, the character count is the correct size. Since we are calling the wide-character variant of VerQueryValue (VerQueryValueW), the value we get back is a buffer of UCHAR, and the count is the number of these UCHAR characters.
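
Added example (not from the bug thread or WebKit's source): the unit rule from the MSDN page cited in Comment 1, where string values report their length in characters while the translation array and root block report bytes, applied in portable C with a bounded copy. `wchar16` and the `vq_*` helpers are hypothetical names, the sub-block string and sample value are constructed, and no Windows API is called.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t wchar16; /* portable stand-in for the 2-byte Windows WCHAR */

/* Hypothetical helper: is this sub-block a string value (puLen in characters)?
 * The root block "\" and "\VarFileInfo\Translation" report puLen in bytes. */
static int vq_is_string_value(const char *sub_block) {
    return strcmp(sub_block, "\\") != 0 &&
           strcmp(sub_block, "\\VarFileInfo\\Translation") != 0;
}

/* Normalise the reported length to bytes so callers size buffers in one unit. */
size_t vq_len_in_bytes(const char *sub_block, unsigned len) {
    return vq_is_string_value(sub_block) ? (size_t)len * sizeof(wchar16) : len;
}

/* Each translation entry is a language WORD followed by a code page WORD. */
size_t vq_translation_count(unsigned len_bytes) {
    return len_bytes / (2 * sizeof(uint16_t));
}

/* Bounded copy of a string value: len_chars is a character count, dst_chars
 * is the destination capacity in characters. Always NUL-terminates. */
size_t vq_copy_string(wchar16 *dst, size_t dst_chars,
                      const wchar16 *src, unsigned len_chars) {
    size_t n = len_chars;
    if (dst_chars == 0) return 0;
    while (n > 0 && src[n - 1] == 0) n--;     /* drop any counted terminator */
    if (n > dst_chars - 1) n = dst_chars - 1; /* truncate instead of overflowing */
    memcpy(dst, src, n * sizeof(wchar16));
    dst[n] = 0;
    return n;
}

int main(void) {
    /* Constructed sample: the string "1.2.3" as 6 UTF-16 units incl. NUL. */
    const wchar16 value[] = {'1', '.', '2', '.', '3', 0};
    wchar16 out[4];
    size_t n = vq_copy_string(out, 4, value, 6);
    printf("string value: %zu bytes, copied %zu chars\n",
           vq_len_in_bytes("\\StringFileInfo\\040904E4\\FileVersion", 6), n);
    printf("translation: %zu entries\n", vq_translation_count(8));
    return 0;
}
```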