Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix buffer overflow in GetRawInputDeviceInfo proxy #4268

Merged
merged 1 commit into from
Sep 29, 2024
Merged

Fix buffer overflow in GetRawInputDeviceInfo proxy #4268

merged 1 commit into from
Sep 29, 2024

Conversation

marti4d
Copy link
Contributor

@marti4d marti4d commented Sep 27, 2024

The proxy for GetRawInputDeviceInfo() incorrectly assumes that pcbSize is always in wchars when unicode is used, which is only true if the name of the device is being queried (uiCommand == RIDI_DEVICENAME).

Otherwise, it is the exact size of the buffer in bytes. Right now, that means that the proxy will write double the number of bytes it's supposed to for the other uiCommand values, potentially causing a buffer overflow.

Also, when no pData value is given, *pcbSize is allowed to be uninitialized. The proxy currently reads it unconditionally as a UINT, which would be UB in that case. memcpy is able to safely copy uninitialized values, so let's use that instead!

Fixes #4267

@marti4d
Fix buffer overflow in GetRawInputDeviceInfo proxy
f20fc93 
The proxy for GetRawInputDeviceInfo() incorrectly assumes that pcbSize
is always in wchars when unicode is used, which is only true if the
name of the device is being queried (`uiCommand == RIDI_DEVICENAME`).

Otherwise, it is the exact size of the buffer in bytes. Right now,
that means that the proxy will write double the number of bytes it's
supposed to for the other `uiCommand` values, potentially causing a
buffer overflow.

Also, when no `pData` value is given, `*pcbSize` is allowed to be
uninitialized. The proxy currently reads it unconditionally as a UINT,
which would be UB in that case. `memcpy` is able to safely copy
uninitialized values, so let's use that instead!
@marti4d marti4d marked this pull request as draft September 27, 2024 15:04
@marti4d
Copy link
Contributor Author

marti4d commented Sep 27, 2024

Warning -- I haven't done any testing with this patch, so it should not be merged until somebody verifies that it works.

@DavidXanatos
Copy link
Member

Is the patch still work in progress or does it only missing some testing?

@marti4d
Copy link
Contributor Author

marti4d commented Sep 27, 2024

@DavidXanatos It's only missing testing -- I just set it to "draft" so it would not be accidentally merged until someone has verified that it works.

@marti4d marti4d marked this pull request as ready for review September 27, 2024 18:23
@DavidXanatos
Copy link
Member

ok great I'll merge and debug it

@DavidXanatos DavidXanatos merged commit fbafb1f into sandboxie-plus:master Sep 29, 2024
5 checks passed
@DavidXanatos
Copy link
Member

one issue i see already ULONG status; mist always be the first fiels in a reply structure even if it appears unused

isaak654 referenced this pull request Sep 29, 2024
@DavidXanatos
1.14.10
3878f30
@marti4d marti4d deleted the fix_get_raw_input_device_info branch September 30, 2024 14:31
isaak654 referenced this pull request Oct 1, 2024
@DavidXanatos
1.14.10
23f4078
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Proxy for GetRawInputDeviceInfoW() causes a buffer overflow
2 participants
@marti4d @DavidXanatos