ref: 81fe8ce185e44714ab55fb194294d77a7976d91e
parent: fa7726b57dc98b936b4bfaa873013f286f50148a
author: James Haley <[email protected]>
date: Tue Aug 23 20:33:42 EDT 2016
Ensure values retrieved with RegQueryValueEx are null-terminated. According to MSDN, an application can write REG_SZ values without a null-terminating byte. We will not trust that the registry keys we are looking for were actually written by the well-known, trusted applications assumed to create them, and instead allocate the buffer at size+1 and manually terminate it. cf. https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
--- a/src/d_iwad.c
+++ b/src/d_iwad.c
@@ -256,7 +256,7 @@
{
// Allocate a buffer for the value and read the value
- result = malloc(len);
+ result = malloc(len + 1);
if (RegQueryValueEx(key, reg_val->value, NULL, &valtype,
(unsigned char *) result, &len) != ERROR_SUCCESS)
@@ -263,6 +263,11 @@
{
free(result);
result = NULL;
+ }
+ else
+ {
+ // Ensure the value is null-terminated
+ result[len] = '\0';
}
}