Update of /cvsroot/pywin32/pywin32/com/win32comext/shell/src
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv24878/win32comext/shell/src
Modified Files:
shell.cpp
Log Message:
Do some basic validity checks when converting a buffer to a PIDL.
Index: shell.cpp
===================================================================
RCS file: /cvsroot/pywin32/pywin32/com/win32comext/shell/src/shell.cpp,v
retrieving revision 1.45
retrieving revision 1.46
diff -C2 -d -r1.45 -r1.46
*** shell.cpp 1 Jun 2006 10:23:05 -0000 1.45
--- shell.cpp 12 Jul 2006 12:15:29 -0000 1.46
***************
*** 125,129 ****
while (pidl->mkid.cb) {
// cb includes sizeof(cb) itself - so string len is cb-sizeof(cb)
! PyObject *sub = PyString_FromStringAndSize((char *)pidl->mkid.abID, pidl->mkid.cb-sizeof(pidl->mkid.cb));
if (sub) {
PyList_Append(ret, sub);
--- 125,147 ----
while (pidl->mkid.cb) {
// cb includes sizeof(cb) itself - so string len is cb-sizeof(cb)
! if (pidl->mkid.cb <= sizeof(pidl->mkid.cb)) {
! Py_DECREF(ret);
! ret = NULL;
! PyErr_SetString(PyExc_ValueError, "This string has an invalid sub-item (too short)");
! break;
! }
! // The length may be too large to read (and causing an
! // exception deep inside Python doesn't always leave
! // things in a good state! Its also inconvenient to
! // always pass the size of the object - so explicitly
! // check we can read the memory.
! UINT cbdata = pidl->mkid.cb-sizeof(pidl->mkid.cb);
! if (IsBadReadPtr(pidl->mkid.abID, cbdata)) {
! Py_DECREF(ret);
! ret = NULL;
! PyErr_SetString(PyExc_ValueError, "This string has an invalid sub-item (too long)");
! break;
! }
! PyObject *sub = PyString_FromStringAndSize((char *)pidl->mkid.abID, cbdata);
if (sub) {
PyList_Append(ret, sub);
|
