Fierelier/notepad-plus-plus-legacy
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[EU-FOSSA] Fix stack buffer overflow on LB_GETTEXT

Browse Source
This commit is contained in:
Don HO 2019-02-08 22:13:12 +01:00
parent cdd13ecadc
commit 0438447194
5 changed files with 80 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
PowerEditor/src/MISC/RegExt/regExtDlg.cpp
View File

@ -149,6 +149,10 @@ INT_PTR CALLBACK RegExtDlg::run_dlgProc(UINT Message, WPARAM wParam, LPARAM lPar
if (!_isCustomize) if (!_isCustomize)
{ {
auto index2Add = ::SendDlgItemMessage(_hSelf, IDC_REGEXT_LANGEXT_LIST, LB_GETCURSEL, 0, 0); auto index2Add = ::SendDlgItemMessage(_hSelf, IDC_REGEXT_LANGEXT_LIST, LB_GETCURSEL, 0, 0);
auto lbTextLen = ::SendDlgItemMessage(_hSelf, IDC_REGEXT_LANGEXT_LIST, LB_GETTEXTLEN, index2Add, 0);
if (lbTextLen > extNameMax - 1)
return TRUE;
::SendDlgItemMessage(_hSelf, IDC_REGEXT_LANGEXT_LIST, LB_GETTEXT, index2Add, reinterpret_cast<LPARAM>(ext2Add)); ::SendDlgItemMessage(_hSelf, IDC_REGEXT_LANGEXT_LIST, LB_GETTEXT, index2Add, reinterpret_cast<LPARAM>(ext2Add));
addExt(ext2Add); addExt(ext2Add);
::SendDlgItemMessage(_hSelf, IDC_REGEXT_LANGEXT_LIST, LB_DELETESTRING, index2Add, 0); ::SendDlgItemMessage(_hSelf, IDC_REGEXT_LANGEXT_LIST, LB_DELETESTRING, index2Add, 0);
@ -171,6 +175,10 @@ INT_PTR CALLBACK RegExtDlg::run_dlgProc(UINT Message, WPARAM wParam, LPARAM lPar
{ {
TCHAR ext2Sup[extNameMax] = TEXT(""); TCHAR ext2Sup[extNameMax] = TEXT("");
auto index2Sup = ::SendDlgItemMessage(_hSelf, IDC_REGEXT_REGISTEREDEXTS_LIST, LB_GETCURSEL, 0, 0); auto index2Sup = ::SendDlgItemMessage(_hSelf, IDC_REGEXT_REGISTEREDEXTS_LIST, LB_GETCURSEL, 0, 0);
auto lbTextLen = ::SendDlgItemMessage(_hSelf, IDC_REGEXT_REGISTEREDEXTS_LIST, LB_GETTEXTLEN, index2Sup, 0);
if (lbTextLen > extNameMax - 1)
return TRUE;
::SendDlgItemMessage(_hSelf, IDC_REGEXT_REGISTEREDEXTS_LIST, LB_GETTEXT, index2Sup, reinterpret_cast<LPARAM>(ext2Sup)); ::SendDlgItemMessage(_hSelf, IDC_REGEXT_REGISTEREDEXTS_LIST, LB_GETTEXT, index2Sup, reinterpret_cast<LPARAM>(ext2Sup));
if (deleteExts(ext2Sup)) if (deleteExts(ext2Sup))
::SendDlgItemMessage(_hSelf, IDC_REGEXT_REGISTEREDEXTS_LIST, LB_DELETESTRING, index2Sup, 0); ::SendDlgItemMessage(_hSelf, IDC_REGEXT_REGISTEREDEXTS_LIST, LB_DELETESTRING, index2Sup, 0);
@ -222,7 +230,12 @@ INT_PTR CALLBACK RegExtDlg::run_dlgProc(UINT Message, WPARAM wParam, LPARAM lPar
{ {
if (i != LB_ERR) if (i != LB_ERR)
{ {
TCHAR itemName[32]; const size_t itemNameLen = 32;
TCHAR itemName[itemNameLen + 1];
auto lbTextLen = ::SendDlgItemMessage(_hSelf, LOWORD(wParam), LB_GETTEXTLEN, i, 0);
if (lbTextLen > itemNameLen)
return TRUE;
::SendDlgItemMessage(_hSelf, LOWORD(wParam), LB_GETTEXT, i, reinterpret_cast<LPARAM>(itemName)); ::SendDlgItemMessage(_hSelf, LOWORD(wParam), LB_GETTEXT, i, reinterpret_cast<LPARAM>(itemName));
if (!generic_stricmp(defExtArray[nbSupportedLang-1][0], itemName)) if (!generic_stricmp(defExtArray[nbSupportedLang-1][0], itemName))

20
PowerEditor/src/WinControls/ColourPicker/WordStyleDlg.cpp
View File

@ -494,7 +494,12 @@ int WordStyleDlg::whichTabColourIndex()
auto i = ::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETCURSEL, 0, 0); auto i = ::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETCURSEL, 0, 0);
if (i == LB_ERR) if (i == LB_ERR)
return -1; return -1;
TCHAR styleName[128]; const size_t styleNameLen = 128;
TCHAR styleName[styleNameLen + 1];
auto lbTextLen = ::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETTEXTLEN, i, 0);
if (lbTextLen > styleNameLen)
return -1;
::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETTEXT, i, reinterpret_cast<LPARAM>(styleName)); ::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETTEXT, i, reinterpret_cast<LPARAM>(styleName));
if (lstrcmp(styleName, TABBAR_ACTIVEFOCUSEDINDCATOR) == 0) if (lstrcmp(styleName, TABBAR_ACTIVEFOCUSEDINDCATOR) == 0)
@ -709,19 +714,28 @@ void WordStyleDlg::setVisualFromStyleList()
//bool showWarning = ((_currentLexerIndex == 0) && (style._styleID == STYLE_DEFAULT));//?SW_SHOW:SW_HIDE; //bool showWarning = ((_currentLexerIndex == 0) && (style._styleID == STYLE_DEFAULT));//?SW_SHOW:SW_HIDE;
COLORREF c = RGB(0x00, 0x00, 0xFF); COLORREF c = RGB(0x00, 0x00, 0xFF);
TCHAR str[256]; const size_t strLen = 256;
TCHAR str[strLen + 1];
str[0] = '\0'; str[0] = '\0';
auto i = ::SendDlgItemMessage(_hSelf, IDC_LANGUAGES_LIST, LB_GETCURSEL, 0, 0); auto i = ::SendDlgItemMessage(_hSelf, IDC_LANGUAGES_LIST, LB_GETCURSEL, 0, 0);
if (i == LB_ERR) if (i == LB_ERR)
return; return;
auto lbTextLen = ::SendDlgItemMessage(_hSelf, IDC_LANGUAGES_LIST, LB_GETTEXTLEN, i, 0);
if (lbTextLen > strLen)
return;
::SendDlgItemMessage(_hSelf, IDC_LANGUAGES_LIST, LB_GETTEXT, i, reinterpret_cast<LPARAM>(str)); ::SendDlgItemMessage(_hSelf, IDC_LANGUAGES_LIST, LB_GETTEXT, i, reinterpret_cast<LPARAM>(str));
i = ::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETCURSEL, 0, 0); i = ::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETCURSEL, 0, 0);
if (i == LB_ERR) if (i == LB_ERR)
return; return;
TCHAR styleName[64]; const size_t styleNameLen = 64;
TCHAR styleName[styleNameLen + 1];
lbTextLen = ::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETTEXTLEN, i, 0);
if (lbTextLen > styleNameLen)
return;
::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETTEXT, i, reinterpret_cast<LPARAM>(styleName)); ::SendDlgItemMessage(_hSelf, IDC_STYLES_LIST, LB_GETTEXT, i, reinterpret_cast<LPARAM>(styleName));
lstrcat(lstrcat(str, TEXT(" : ")), styleName); lstrcat(lstrcat(str, TEXT(" : ")), styleName);

37
PowerEditor/src/WinControls/Grid/BabyGrid.cpp
View File

@ -1323,7 +1323,8 @@ LRESULT CALLBACK GridProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
int wmId, wmEvent; int wmId, wmEvent;
PAINTSTRUCT ps; PAINTSTRUCT ps;
HDC hdc; HDC hdc;
TCHAR buffer[1000]; const size_t bufferLen = 1000;
TCHAR buffer[bufferLen];
int SelfIndex; int SelfIndex;
int ReturnValue; int ReturnValue;
HMENU SelfMenu; HMENU SelfMenu;
@ -1556,6 +1557,10 @@ LRESULT CALLBACK GridProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
if(FindResult != LB_ERR) if(FindResult != LB_ERR)
{ {
//it was found, get the text, modify text delete it from list, add modified to list //it was found, get the text, modify text delete it from list, add modified to list
auto lbTextLen = ::SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXTLEN, FindResult, 0);
if (lbTextLen > bufferLen)
return TRUE;
SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, FindResult, reinterpret_cast<LPARAM>(buffer)); SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, FindResult, reinterpret_cast<LPARAM>(buffer));
if((BOOL)lParam) if((BOOL)lParam)
{ {
@ -1679,6 +1684,9 @@ LRESULT CALLBACK GridProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
int j = static_cast<int32_t>(SendMessage(BGHS[SelfIndex].hlist1, LB_GETCOUNT, 0, 0)); int j = static_cast<int32_t>(SendMessage(BGHS[SelfIndex].hlist1, LB_GETCOUNT, 0, 0));
if(j>0) if(j>0)
{ {
auto lbTextLen = ::SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXTLEN, j-1, 0);
if (lbTextLen > bufferLen)
return TRUE;
SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, j - 1, reinterpret_cast<LPARAM>(buffer)); SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, j - 1, reinterpret_cast<LPARAM>(buffer));
buffer[5]=0x00; buffer[5]=0x00;
j=generic_atoi(buffer); j=generic_atoi(buffer);
@ -1779,6 +1787,9 @@ LRESULT CALLBACK GridProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
if(FindResult != LB_ERR) if(FindResult != LB_ERR)
{ {
//it was found, get it //it was found, get it
auto lbTextLen = ::SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXTLEN, FindResult, 0);
if (lbTextLen > bufferLen)
return TRUE;
SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, FindResult, reinterpret_cast<LPARAM>(buffer)); SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, FindResult, reinterpret_cast<LPARAM>(buffer));
switch (buffer[10]) // no need to call BGM_GETPROTECTION separately for this switch (buffer[10]) // no need to call BGM_GETPROTECTION separately for this
{ {
@ -1935,6 +1946,9 @@ LRESULT CALLBACK GridProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
if(FindResult != LB_ERR) if(FindResult != LB_ERR)
{ {
//it was found, get it //it was found, get it
auto lbTextLen = ::SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXTLEN, FindResult, 0);
if (lbTextLen > bufferLen)
return TRUE;
SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, FindResult, reinterpret_cast<LPARAM>(buffer)); SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, FindResult, reinterpret_cast<LPARAM>(buffer));
switch (buffer[11]) switch (buffer[11])
{ {
@ -1964,6 +1978,9 @@ LRESULT CALLBACK GridProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
if(FindResult != LB_ERR) if(FindResult != LB_ERR)
{ {
//it was found, get it //it was found, get it
auto lbTextLen = ::SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXTLEN, FindResult, 0);
if (lbTextLen > bufferLen)
return TRUE;
SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, FindResult, reinterpret_cast<LPARAM>(buffer)); SendMessage(BGHS[SelfIndex].hlist1, LB_GETTEXT, FindResult, reinterpret_cast<LPARAM>(buffer));
switch (buffer[10]) switch (buffer[10])
{ {
@ -3149,9 +3166,10 @@ int BinarySearchListBox(HWND lbhWnd,TCHAR* searchtext)
int lbcount; int lbcount;
int head,tail,finger; int head,tail,finger;
int FindResult; int FindResult;
TCHAR tbuffer[1000]; const size_t bufLen = 1000;
TCHAR headtext[1000]; TCHAR tbuffer[bufLen];
TCHAR tailtext[1000]; TCHAR headtext[bufLen];
TCHAR tailtext[bufLen];
int p; int p;
BOOL FOUND; BOOL FOUND;
@ -3176,6 +3194,10 @@ int BinarySearchListBox(HWND lbhWnd,TCHAR* searchtext)
tail = lbcount - 1; tail = lbcount - 1;
//is it the head? //is it the head?
auto lbTextLen = ::SendMessage(lbhWnd, LB_GETTEXTLEN, head, 0);
if (lbTextLen > bufLen)
return 0;
SendMessage(lbhWnd, LB_GETTEXT, head, reinterpret_cast<LPARAM>(headtext)); SendMessage(lbhWnd, LB_GETTEXT, head, reinterpret_cast<LPARAM>(headtext));
headtext[9] = 0x00; headtext[9] = 0x00;
@ -3196,6 +3218,9 @@ int BinarySearchListBox(HWND lbhWnd,TCHAR* searchtext)
//is it the tail? //is it the tail?
lbTextLen = ::SendMessage(lbhWnd, LB_GETTEXTLEN, tail, 0);
if (lbTextLen > bufLen)
return 0;
SendMessage(lbhWnd, LB_GETTEXT, tail, reinterpret_cast<LPARAM>(tailtext)); SendMessage(lbhWnd, LB_GETTEXT, tail, reinterpret_cast<LPARAM>(tailtext));
tailtext[9] = 0x00; tailtext[9] = 0x00;
p=lstrcmp(searchtext,tailtext); p=lstrcmp(searchtext,tailtext);
@ -3220,7 +3245,9 @@ int BinarySearchListBox(HWND lbhWnd,TCHAR* searchtext)
while((!FOUND)&&((tail-head)>1)) while((!FOUND)&&((tail-head)>1))
{ {
finger = head + ((tail - head) / 2); finger = head + ((tail - head) / 2);
lbTextLen = ::SendMessage(lbhWnd, LB_GETTEXTLEN, finger, 0);
if (lbTextLen > bufLen)
return 0;
SendMessage(lbhWnd, LB_GETTEXT, finger, reinterpret_cast<LPARAM>(tbuffer)); SendMessage(lbhWnd, LB_GETTEXT, finger, reinterpret_cast<LPARAM>(tbuffer));
tbuffer[9] = 0x00; tbuffer[9] = 0x00;
p=lstrcmp(tbuffer,searchtext); p=lstrcmp(tbuffer,searchtext);

18
PowerEditor/src/WinControls/Preference/preferenceDlg.cpp
View File

@ -258,12 +258,19 @@ int32_t PreferenceDlg::getIndexFromName(const TCHAR *name) const
return -1; return -1;
} }
void PreferenceDlg::setListSelection(size_t currentSel) const bool PreferenceDlg::setListSelection(size_t currentSel) const
{ {
// Stupid LB API doesn't allow LB_SETSEL to be used on single select listbox, so we do it in a hard way // Stupid LB API doesn't allow LB_SETSEL to be used on single select listbox, so we do it in a hard way
TCHAR selStr[256]; const size_t selStrLenMax = 255;
TCHAR selStr[selStrLenMax + 1];
auto lbTextLen = ::SendMessage(_hSelf, LB_GETTEXTLEN, currentSel, 0);
if (lbTextLen > selStrLenMax)
return false;
::SendDlgItemMessage(_hSelf, IDC_LIST_DLGTITLE, LB_GETTEXT, currentSel, reinterpret_cast<LPARAM>(selStr)); ::SendDlgItemMessage(_hSelf, IDC_LIST_DLGTITLE, LB_GETTEXT, currentSel, reinterpret_cast<LPARAM>(selStr));
::SendDlgItemMessage(_hSelf, IDC_LIST_DLGTITLE, LB_SELECTSTRING, currentSel, reinterpret_cast<LPARAM>(selStr)); ::SendDlgItemMessage(_hSelf, IDC_LIST_DLGTITLE, LB_SELECTSTRING, currentSel, reinterpret_cast<LPARAM>(selStr));
return true;
} }
bool PreferenceDlg::renameDialogTitle(const TCHAR *internalName, const TCHAR *newName) bool PreferenceDlg::renameDialogTitle(const TCHAR *internalName, const TCHAR *newName)
@ -1755,7 +1762,12 @@ INT_PTR CALLBACK LangMenuDlg::run_dlgProc(UINT message, WPARAM wParam, LPARAM lP
if (iRemove == -1) if (iRemove == -1)
return TRUE; return TRUE;
TCHAR s[32]; const size_t sL = 31;
TCHAR s[sL + 1];
auto lbTextLen = ::SendDlgItemMessage(_hSelf, list2Remove, LB_GETTEXTLEN, iRemove, 0);
if (lbTextLen > sL)
return TRUE;
::SendDlgItemMessage(_hSelf, list2Remove, LB_GETTEXT, iRemove, reinterpret_cast<LPARAM>(s)); ::SendDlgItemMessage(_hSelf, list2Remove, LB_GETTEXT, iRemove, reinterpret_cast<LPARAM>(s));
LangMenuItem lmi = pSrcLst->at(iRemove); LangMenuItem lmi = pSrcLst->at(iRemove);

2
PowerEditor/src/WinControls/Preference/preferenceDlg.h
View File

@ -249,7 +249,7 @@ public :
}; };
void showDialogByName(const TCHAR *name) const; void showDialogByName(const TCHAR *name) const;
void setListSelection(size_t currentSel) const; bool setListSelection(size_t currentSel) const;
virtual void destroy(); virtual void destroy();