diff options
author | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2023-12-28 17:07:45 +1100 |
---|---|---|
committer | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2023-12-28 18:03:58 +1100 |
commit | 051a874325c177e040301878069c2b28f5d06ce6 (patch) | |
tree | b04105e509746c4869734d8f9e04c40b65e2e030 | |
parent | 67026af146d8298a4acb0514a5dc395d39275ab3 (diff) |
Fix memory overread in registry.rb
The terminator is not actually getting filled in; we're simply passing
(two) bytes of empty memory as the NUL terminator. This can lead to
garbage characters getting written to registry values.
Fix this by explicitly putting a WCHAR_NUL character into the string to
be sent to the registry API, like we do in the MULTI_SZ case.
[Bug #20096]
-rw-r--r-- | ext/win32/lib/win32/registry.rb | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/ext/win32/lib/win32/registry.rb b/ext/win32/lib/win32/registry.rb index b5b99ff684..16a08310ad 100644 --- a/ext/win32/lib/win32/registry.rb +++ b/ext/win32/lib/win32/registry.rb @@ -740,14 +740,11 @@ For detail, see the MSDN[http://msdn.microsoft.com/library/en-us/sysinfo/base/pr # method returns. # def write(name, type, data) - termsize = 0 case type when REG_SZ, REG_EXPAND_SZ - data = data.encode(WCHAR) - termsize = WCHAR_SIZE + data = data.encode(WCHAR) << WCHAR_NUL when REG_MULTI_SZ data = data.to_a.map {|s| s.encode(WCHAR)}.join(WCHAR_NUL) << WCHAR_NUL - termsize = WCHAR_SIZE when REG_BINARY, REG_NONE data = data.to_s when REG_DWORD @@ -759,7 +756,7 @@ For detail, see the MSDN[http://msdn.microsoft.com/library/en-us/sysinfo/base/pr else raise TypeError, "Unsupported type #{Registry.type2name(type)}" end - API.SetValue(@hkey, name, type, data, data.bytesize + termsize) + API.SetValue(@hkey, name, type, data, data.bytesize) end # |