patch 8.1.0976: dosinstall still has buffer overflow problemsv8.1.0976

Problem: Dosinstall still has buffer overflow problems. Solution: Adjust buffer sizes. (Yasuhiro Matsumoto, closes #4002)
author: Bram Moolenaar <Bram@vim.org> 2019-02-22 19:41:08 +0100
committer: Bram Moolenaar <Bram@vim.org> 2019-02-22 19:41:08 +0100
commit: e4963c543ddcfc4845fa0d42893b6a4e1aa27c47 (patch)
tree: 843cef9d49d3104ef67078b87889c1d0f3b33a55 /src/dosinst.c
parent: c666388367282c3c7d1d7af24883cfa0d40b046e (diff)
1 files changed, 23 insertions, 19 deletions
diff --git a/src/dosinst.c b/src/dosinst.c
index 8ef72f6f21..49a2fa4f5d 100644
--- a/src/dosinst.c
+++ b/src/dosinst.c
@@ -388,7 +388,7 @@ get_vim_env(void)
 
     /* First get $VIMRUNTIME.  If it's set, remove the tail. */
     vim = getenv("VIMRUNTIME");
-    if (vim != NULL && *vim != 0 && strlen(vim) < BUFSIZE)
+    if (vim != NULL && *vim != 0 && strlen(vim) < sizeof(buf))
     {
 	strcpy(buf, vim);
 	remove_tail(buf);
@@ -411,7 +411,7 @@ get_vim_env(void)
 
     /* NSIS also uses GetTempPath(), thus we should get the same directory
      * name as where NSIS will look for vimini.ini. */
-    GetTempPath(BUFSIZE, fname);
+    GetTempPath(sizeof(fname) - 12, fname);
     add_pathsep(fname);
     strcat(fname, "vimini.ini");
 
@@ -456,7 +456,7 @@ window_cb(HWND hwnd, LPARAM lparam)
     static int
 run_silent_uninstall(char *uninst_exe)
 {
-    char    vimrt_dir[MAX_PATH];
+    char    vimrt_dir[BUFSIZE];
     char    temp_uninst[BUFSIZE];
     char    temp_dir[MAX_PATH];
     char    buf[BUFSIZE * 2 + 10];
@@ -506,7 +506,7 @@ uninstall_check(int skip_question)
     char	*uninstall_key = "software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
     char	subkey_name_buff[BUFSIZE];
     char	temp_string_buffer[BUFSIZE-2];
-    DWORD	local_bufsize = BUFSIZE;
+    DWORD	local_bufsize;
     FILETIME	temp_pfiletime;
     DWORD	key_index;
     char	input;
@@ -521,12 +521,14 @@ uninstall_check(int skip_question)
 				     KEY_WOW64_64KEY | KEY_READ, &key_handle);
     CHECK_REG_ERROR(code);
 
-    for (key_index = 0;
-	 RegEnumKeyEx(key_handle, key_index, subkey_name_buff, &local_bufsize,
-		NULL, NULL, NULL, &temp_pfiletime) != ERROR_NO_MORE_ITEMS;
-	    key_index++)
+    key_index = 0;
+    while (TRUE)
     {
-	local_bufsize = BUFSIZE;
+	local_bufsize = sizeof(subkey_name_buff);
+	if (RegEnumKeyEx(key_handle, key_index, subkey_name_buff, &local_bufsize,
+		NULL, NULL, NULL, &temp_pfiletime) == ERROR_NO_MORE_ITEMS)
+	    break;
+
 	if (strncmp("Vim", subkey_name_buff, 3) == 0)
 	{
 	    /* Open the key named Vim* */
@@ -535,10 +537,10 @@ uninstall_check(int skip_question)
 	    CHECK_REG_ERROR(code);
 
 	    /* get the DisplayName out of it to show the user */
+	    local_bufsize = sizeof(temp_string_buffer);
 	    code = RegQueryValueEx(uninstall_key_handle, "displayname", 0,
 		    &value_type, (LPBYTE)temp_string_buffer,
 		    &local_bufsize);
-	    local_bufsize = BUFSIZE;
 	    CHECK_REG_ERROR(code);
 
 	    allow_silent = 0;
@@ -568,9 +570,9 @@ uninstall_check(int skip_question)
 	    fflush(stdout);
 
 	    /* get the UninstallString */
+	    local_bufsize = sizeof(temp_string_buffer);
 	    code = RegQueryValueEx(uninstall_key_handle, "uninstallstring", 0,
 		    &value_type, (LPBYTE)temp_string_buffer, &local_bufsize);
-	    local_bufsize = BUFSIZE;
 	    CHECK_REG_ERROR(code);
 
 	    /* Remember the directory, it is used as the default for NSIS. */
@@ -683,6 +685,8 @@ uninstall_check(int skip_question)
 
 	    RegCloseKey(uninstall_key_handle);
 	}
+
+	key_index++;
     }
     RegCloseKey(key_handle);
 
@@ -1826,7 +1830,7 @@ create_shortcut(
 	    /* translate the (possibly) multibyte shortcut filename to windows
 	     * Unicode so it can be used as a file name.
 	     */
-	    MultiByteToWideChar(CP_ACP, 0, shortcut_name, -1, wsz, BUFSIZE);
+	    MultiByteToWideChar(CP_ACP, 0, shortcut_name, -1, wsz, sizeof(wsz)/sizeof(wsz[0]));
 
 	    /* set the attributes */
 	    shelllink_ptr->lpVtbl->SetPath(shelllink_ptr, shortcut_target);
@@ -2135,7 +2139,7 @@ install_OLE_register(void)
  * result in "to[]".
  */
     static void
-dir_remove_last(const char *path, char to[BUFSIZE])
+dir_remove_last(const char *path, char to[MAX_PATH])
 {
     char c;
     long last_char_to_copy;
@@ -2206,7 +2210,7 @@ init_homedir(void)
 	if (homepath == NULL || *homepath == NUL)
 	    homepath = "\\";
 	if (homedrive != NULL
-			   && strlen(homedrive) + strlen(homepath) < MAX_PATH)
+		   && strlen(homedrive) + strlen(homepath) < sizeof(buf))
 	{
 	    sprintf(buf, "%s%s", homedrive, homepath);
 	    if (buf[0] != NUL)
@@ -2234,10 +2238,9 @@ init_homedir(void)
 	    buf[p - (var + 1)] = NUL;
 	    exp = getenv(buf);
 	    if (exp != NULL && *exp != NUL
-					&& strlen(exp) + strlen(p) < MAX_PATH)
+				&& strlen(exp) + strlen(p) < sizeof(buf))
 	    {
-		_snprintf(buf, MAX_PATH, "%s%s", exp, p + 1);
-		buf[MAX_PATH - 1] = NUL;
+		sprintf(buf, "%s%s", exp, p + 1);
 		var = buf;
 	    }
 	}
@@ -2351,10 +2354,11 @@ init_directories_choice(void)
 
     // Check if the "compiler" directory already exists.  That's a good
     // indication that the plugin directories were already created.
-    if (getenv("HOME") != NULL)
+    p = getenv("HOME");
+    if (p != NULL)
     {
 	vimfiles_dir_choice = (int)vimfiles_dir_home;
-	sprintf(tmp_dirname, "%s\\vimfiles\\compiler", getenv("HOME"));
+	sprintf(tmp_dirname, "%s\\vimfiles\\compiler", p);
 	if (stat(tmp_dirname, &st) == 0)
 	    vimfiles_dir_choice = (int)vimfiles_dir_none;
     }
author	Bram Moolenaar <Bram@vim.org>	2019-02-22 19:41:08 +0100
committer	Bram Moolenaar <Bram@vim.org>	2019-02-22 19:41:08 +0100
commit	e4963c543ddcfc4845fa0d42893b6a4e1aa27c47 (patch)
tree	843cef9d49d3104ef67078b87889c1d0f3b33a55 /src/dosinst.c
parent	c666388367282c3c7d1d7af24883cfa0d40b046e (diff)