From e8ce99792ea117316a9b2f95fba1fdf20bc48b7f Mon Sep 17 00:00:00 2001
From: Dmitry Timoshkov
Date: Thu, 14 Sep 2023 15:14:38 +0300
Subject: [PATCH] kernel32: Add ACTCTX field limit checks to CreateActCtxA().

Signed-off-by: Dmitry Timoshkov
---
 dlls/kernel32/process.c      | 10 +++++++++-
 dlls/kernel32/tests/actctx.c |  2 --
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
index e9e18925911..d56118a0fe3 100644
--- a/dlls/kernel32/process.c
+++ b/dlls/kernel32/process.c
@@ -422,11 +422,19 @@ HANDLE WINAPI DECLSPEC_HOTPATCH CreateActCtxA( const ACTCTXA *actctx )
 
     TRACE("%p %08lx\n", actctx, actctx ? actctx->dwFlags : 0);
 
-    if (!actctx || actctx->cbSize != sizeof(*actctx))
+#define CHECK_LIMIT( field ) (actctx->cbSize >= RTL_SIZEOF_THROUGH_FIELD( ACTCTXA, field ))
+    if (!actctx || !CHECK_LIMIT( lpSource ) ||
+        ((actctx->dwFlags & ACTCTX_FLAG_PROCESSOR_ARCHITECTURE_VALID) && !CHECK_LIMIT( wProcessorArchitecture )) ||
+        ((actctx->dwFlags & ACTCTX_FLAG_LANGID_VALID) && !CHECK_LIMIT( wLangId )) ||
+        ((actctx->dwFlags & ACTCTX_FLAG_ASSEMBLY_DIRECTORY_VALID) && !CHECK_LIMIT( lpAssemblyDirectory )) ||
+        ((actctx->dwFlags & ACTCTX_FLAG_RESOURCE_NAME_VALID) && !CHECK_LIMIT( lpResourceName )) ||
+        ((actctx->dwFlags & ACTCTX_FLAG_APPLICATION_NAME_VALID) && !CHECK_LIMIT( lpApplicationName )) ||
+        ((actctx->dwFlags & ACTCTX_FLAG_HMODULE_VALID) && !CHECK_LIMIT( hModule )))
     {
         SetLastError(ERROR_INVALID_PARAMETER);
         return INVALID_HANDLE_VALUE;
     }
+#undef CHECK_LIMIT
 
     actw.cbSize = sizeof(actw);
     actw.dwFlags = actctx->dwFlags;
diff --git a/dlls/kernel32/tests/actctx.c b/dlls/kernel32/tests/actctx.c
index abfbe633c03..56211c46040 100644
--- a/dlls/kernel32/tests/actctx.c
+++ b/dlls/kernel32/tests/actctx.c
@@ -2895,7 +2894,6 @@ static void test_CreateActCtx(void)
         handle = CreateActCtxA(&actctx);
         if (!test[i].error)
         {
-            todo_wine
             ok(handle != INVALID_HANDLE_VALUE, "CreateActCtx error %lu\n", GetLastError());
             ReleaseActCtx(handle);
         }
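Review bot: The new `if` only bounds-checks a field when its ACTCTX_FLAG_*_VALID flag is set, so from this hunk on every read of a field past lpSource (wProcessorArchitecture, wLangId, lpAssemblyDirectory, lpResourceName, lpApplicationName, hModule) must be gated on that same flag, otherwise a caller that passes a shorter struct is read out of bounds; the copies into actw continue past the hunk and I cannot confirm from here that each one is guarded. The check also no longer rejects a cbSize larger than sizeof(*actctx), which looks intended given the todo_wine removals in tests/actctx.c, but the contract deserves a one-line comment above the `#define`, e.g. `/* cbSize tells how far the caller's struct extends; only fields the flags claim are validated and read */`. As a style point CHECK_LIMIT silently captures the local `actctx`; passing the pointer explicitly, `#define CHECK_LIMIT( ctx, field ) ((ctx)->cbSize >= RTL_SIZEOF_THROUGH_FIELD( ACTCTXA, field ))`, would make the macro self-contained. CreateActCtxA's body starts and ends outside the hunk.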
@@ -2910,7 +2909,6 @@ static void test_CreateActCtx(void)
     actctx.lpSource = source; /* source without hModule must point to valid PE */
     SetLastError(0xdeadbeef);
     handle = CreateActCtxA(&actctx);
-    todo_wine_if(i != 4)
     ok(handle != INVALID_HANDLE_VALUE, "CreateActCtx error %lu\n", GetLastError());
     ReleaseActCtx(handle);