Buffer overflow in win32print.DeviceCapabilities PyWin32 build 219 #733
Labels
Comments
ghost
added
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Build 219.
I've had the following strings returned from calls to win32print.DeviceCapabilities fetching DC_BINNAMES.
"Tray 1\u0000 2\u0000\u0018\u0000\u0000\u0000\ufffe\uffff\uffff\uffff\u0000\u0000\u0000\u0000\ua2f0Џ"
"MPF\u0000MPF\u0000 2\u0000\u0018\u0000\u0000\u0000\ufffe\uffff\uffff\uffff\u0000\u0000\u0000\u0000\ua2f0"
This combination of bytes is not valid utf-8 and I'm near certain I'm looking at a buffer overflow.
From https://msdn.microsoft.com/en-us/library/windows/desktop/dd183552(v=vs.85).aspx
"Each string buffer is 24 characters long and contains the name of a paper bin.... The name strings are null-terminated unless the name is 24 characters long."
I'm not a c/c++ programmer but looking at the source code I don't think this is implemented correctly. See, https://github.com/arizvisa/pywin32/blob/windows-219/win32/src/win32print/win32print.cpp line 2121 to 2132.
There seems to be a check which looks to the last byte which I'm not sure is needed and a asumption that the string would not contain a zero byte if 24 chars are returned.
Reported by: squareproton
Original Ticket: pywin32/bugs/733
The text was updated successfully, but these errors were encountered: