starred/terminal
1
0
Fork 0
mirror of https://github.com/microsoft/terminal.git synced 2026-05-20 05:54:23 +00:00
Code Issues 19.0k Packages Projects Releases 20 Wiki Activity

Don't allow overflowing lengths in WM_COPYDATA (#20185)

Browse Source 
It is possible to craft a packet whose `len` is `0x80000001`.

We should not produce values that do not fit in size_t (on e.g. x86).

Reject them summarily.

(cherry picked from commit 8edac5fb12)
Service-Card-Id: PVTI_lADOAF3p4s4BQX0-zgr4enI
Service-Version: 1.25
This commit is contained in:
Dustin L. Howett
2026-05-05 14:19:25 -05:00
committed by Dustin L. Howett
parent 168dc99a6a
commit dc2e98f576
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/cascadia/WindowsTerminal/WindowEmperor.cpp
View File

@@ -97,9 +97,8 @@ static const uint8_t* deserializeString(const uint8_t* it, const uint8_t* end, w
uint32_t len;
it = deserializeUint32(it, end, len);
const auto bytes = static_cast<size_t>(len) * sizeof(wchar_t);
if (bytes == 0 || static_cast<size_t>(end - it) < bytes)
size_t bytes{};
if (!SUCCEEDED(SizeTMult(static_cast<size_t>(len), sizeof(wchar_t), &bytes)) || bytes == 0 || static_cast<size_t>(end - it) < bytes)
{
throw std::out_of_range("Not enough data for string content");
}