Bug 688882 - Investigate stack buffer overflow in nsLocalFile::EnsureShortPath. r=bsmedberg
authorBrian R. Bondy <netzen@gmail.com>
Thu, 29 Sep 2011 09:06:27 -0400
changeset 77853 c872ba5d7b05bd611ee5926e6b3f9e7432db913e
parent 77852 dec80ee84264081839bbf92870b66b696d9e3e76
child 77854 65e060c81a59c41912857e730059f2104c6f6068
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewersbsmedberg
bugs688882
milestone10.0a1
Bug 688882 - Investigate stack buffer overflow in nsLocalFile::EnsureShortPath. r=bsmedberg
xpcom/io/nsLocalFileWin.cpp
--- a/xpcom/io/nsLocalFileWin.cpp
+++ b/xpcom/io/nsLocalFileWin.cpp
@@ -3100,22 +3100,24 @@ NS_NewNativeLocalFile(const nsACString &
 }
 
 void
 nsLocalFile::EnsureShortPath()
 {
     if (!mShortWorkingPath.IsEmpty())
         return;
 
-    WCHAR thisshort[MAX_PATH];
-    DWORD thisr = ::GetShortPathNameW(mWorkingPath.get(), thisshort,
-                                      sizeof(thisshort));
-    // If an error occurred (thisr == 0) thisshort is uninitialized memory!
-    if (thisr != 0 && thisr < sizeof(thisshort))
-        mShortWorkingPath.Assign(thisshort);
+    WCHAR shortPath[MAX_PATH + 1];
+    DWORD lengthNeeded = ::GetShortPathNameW(mWorkingPath.get(), shortPath,
+                                             NS_ARRAY_LENGTH(shortPath));
+    // If an error occurred then lengthNeeded is set to 0 or the length of the
+    // needed buffer including NULL termination.  If it succeeds the number of
+    // wide characters not including NULL termination is returned.
+    if (lengthNeeded != 0 && lengthNeeded < NS_ARRAY_LENGTH(shortPath))
+        mShortWorkingPath.Assign(shortPath);
     else
         mShortWorkingPath.Assign(mWorkingPath);
 }
 
 // nsIHashable
 
 NS_IMETHODIMP
 nsLocalFile::Equals(nsIHashable* aOther, bool *aResult)