Build 219.
I've had the following strings returned from calls to win32print.DeviceCapabilities fetching DC_BINNAMES.
"Tray 1\u0000 2\u0000\u0018\u0000\u0000\u0000\ufffe\uffff\uffff\uffff\u0000\u0000\u0000\u0000\ua2f0Џ"
"MPF\u0000MPF\u0000 2\u0000\u0018\u0000\u0000\u0000\ufffe\uffff\uffff\uffff\u0000\u0000\u0000\u0000\ua2f0"
This combination of bytes is not valid UTF-8 and I'm near certain I'm looking at a buffer overflow.
From https://msdn.microsoft.com/en-us/library/windows/desktop/dd183552(v=vs.85).aspx
"Each string buffer is 24 characters long and contains the name of a paper bin.... The name strings are null-terminated unless the name is 24 characters long."
I'm not a C/C++ programmer but looking at the source code I don't think this is implemented correctly. See https://github.com/arizvisa/pywin32/blob/windows-219/win32/src/win32print/win32print.cpp line 2121 to 2132.
There seems to be a check which looks at the last byte, which I'm not sure is needed, and an assumption that the string would not contain a zero byte if 24 chars are returned.
Reported by: squareproton
Original Ticket: pywin32/bugs/733
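One way to read the fixed-width records that the quoted MSDN text describes, as an added example that is not pywin32's code: each name ends at the first NUL inside its 24-character slot, or at the slot boundary when the name fills it. The names `wchar16`, `bin_name_len`, `copy_bin_name` and `fill_sample` are hypothetical, `uint16_t` is assumed as a stand-in for Windows `WCHAR`, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIN_NAME_CHARS 24  /* slot width documented for DC_BINNAMES */
typedef uint16_t wchar16;  /* assumed stand-in for Windows WCHAR */

/* Length of the name in one slot: stop at the first NUL, but never scan
   past the slot, because a 24-character name has no terminator. */
static size_t bin_name_len(const wchar16 *slot)
{
    size_t n = 0;
    while (n < BIN_NAME_CHARS && slot[n] != 0)
        n++;
    return n;
}

/* Copy name `index` from a buffer of `count` slots into `out`, always
   NUL-terminating. Returns the length, or (size_t)-1 if out of range. */
size_t copy_bin_name(const wchar16 *buf, size_t count, size_t index,
                     wchar16 out[BIN_NAME_CHARS + 1])
{
    if (index >= count)
        return (size_t)-1;
    const wchar16 *slot = buf + index * BIN_NAME_CHARS;
    size_t n = bin_name_len(slot);
    memcpy(out, slot, n * sizeof(wchar16));
    out[n] = 0;
    return n;
}

/* Constructed sample: "Tray 1" with stale non-zero data after its NUL,
   then a name that fills all 24 characters of its slot. */
static void fill_sample(wchar16 buf[2 * BIN_NAME_CHARS])
{
    const char *a = "Tray 1", *b = "ABCDEFGHIJKLMNOPQRSTUVWX";
    for (size_t i = 0; i < 2 * BIN_NAME_CHARS; i++) buf[i] = 0xFFFF; /* filler */
    for (size_t i = 0; a[i]; i++) buf[i] = (wchar16)a[i];
    buf[6] = 0;                             /* terminator of "Tray 1" */
    for (size_t i = 0; i < BIN_NAME_CHARS; i++) buf[BIN_NAME_CHARS + i] = (wchar16)b[i];
}

int main(void)
{
    wchar16 buf[2 * BIN_NAME_CHARS], out[BIN_NAME_CHARS + 1];
    fill_sample(buf);
    printf("%zu %zu\n", copy_bin_name(buf, 2, 0, out), copy_bin_name(buf, 2, 1, out));
    return 0;
}
```

The output buffer is one unit larger than a slot so that a full-width name can still be terminated in the copy.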