Server crashes writing to clipboard if GlobalLock fails (2.8.87)

Brought to you by: anton19286, const_k, crazy-walrus

#1665 Server crashes writing to clipboard if GlobalLock fails (2.8.87)

Status: open

Owner: nobody

Labels: Server (9) Win32 (10)

Priority: 5

Updated: 24 hours ago

Created: 24 hours ago

Creator: Securin Disclose

Private: No

WindowsClipboard::writeToClipBoard() (desktop/WindowsClipboard.cpp:57-58)
does not check GlobalLock() return value before passing it to memcpy():

TCHAR *buff = (TCHAR *)GlobalLock(hglb);
memcpy(buff, clipboard.getString(), clipSize);

GlobalAlloc() is checked for NULL two lines earlier. GlobalLock() is not.
Windows docs state GlobalLock can return NULL on failure. NULL dest in
memcpy() crashes the server.

Attached PoC: GlobalFree + GlobalLock on freed handle returns NULL;
write to address 0x1 (null-access zone) exits STATUS_ACCESS_VIOLATION
(0xC0000005).

Fix: check buff != NULL before memcpy.
Version: 2.8.87.

Server crashes writing to clipboard if GlobalLock fails (2.8.87)

Group

Searches

Help

#1665 Server crashes writing to clipboard if GlobalLock fails (2.8.87)

Discussion