
Bug#980048: FTBFS: -Werror=array-bounds in dlls/shell32/cpanelfolder.c



Source: wine
Version: 5.0.3-1
Severity: serious
Tags: upstream fixed-upstream patch ftbfs
Justification: fails to build from source (but built successfully in the past)

wine_5.0.3-1 failed to build from source on all architectures. Was the
upload perhaps tested with an older toolchain than the one currently
in unstable?

> In function ‘_ILCreateCPanelApplet’,
>     inlined from ‘SHELL_RegisterCPanelApp’ at cpanelfolder.c:323:20:
> cpanelfolder.c:262:5: error: ‘strcpy’ offset 12 from the object at ‘pidl’ is out of the bounds of referenced subobject ‘szName’ with type ‘CHAR[1]’ {aka ‘char[1]’} at offset 12 [-Werror=array-bounds]
>   262 |     strcpy(p->szName, name);
>       |     ^~~~~~~~~~~~~~~~~~~~~~~
> In file included from cpanelfolder.c:44:
> cpanelfolder.c: In function ‘SHELL_RegisterCPanelApp’:
> pidl.h:119:10: note: subobject ‘szName’ declared here
>   119 |     CHAR szName[1];  /*10*/ /* terminated by 0x00, followed by display name and comment string */
>       |          ^~~~~~
> In file included from cpanelfolder.c:34:
> In function ‘lstrcpyA’,
>     inlined from ‘IShellExecuteHookA_fnExecute’ at cpanelfolder.c:1080:5:
> ../../include/winbase.h:2853:12: error: ‘strcpy’ offset 10 from the object at ‘pdata’ is out of the bounds of referenced subobject ‘szName’ with type ‘CHAR[1]’ {aka ‘char[1]’} at offset 10 [-Werror=array-bounds]
>  2853 |     return strcpy( dst, src );
>       |            ^~~~~~~~~~~~~~~~~~
> In file included from cpanelfolder.c:44:
> cpanelfolder.c: In function ‘IShellExecuteHookA_fnExecute’:
> pidl.h:119:10: note: subobject ‘szName’ declared here
>   119 |     CHAR szName[1];  /*10*/ /* terminated by 0x00, followed by display name and comment string */
>       |          ^~~~~~

This appears to be a false positive caused by an array of length 1 being
used as though it was a C99 flexible array member.

The attached upstream patch seems to fix this, at least on amd64 (I haven't
tried i386 or arm*).

    smcv
From: Alexandre Julliard <julliard@winehq.org>
Date: Thu, 26 Nov 2020 17:31:53 +0100
Subject: shell32: Silence buffer overflow compiler warnings.

Signed-off-by: Alexandre Julliard <julliard@winehq.org>
Origin: upstream, 6.0-rc1, commit:6624cabbb7cfe33c179a02238b4c9b91d3c3297e
---
 dlls/shell32/cpanelfolder.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dlls/shell32/cpanelfolder.c b/dlls/shell32/cpanelfolder.c
index ea5e9e2..114eb6b 100644
--- a/dlls/shell32/cpanelfolder.c
+++ b/dlls/shell32/cpanelfolder.c
@@ -259,9 +259,9 @@ static LPITEMIDLIST _ILCreateCPanelApplet(LPCSTR name, LPCSTR displayName,
     memcpy(pidl->mkid.abID, &tmp, 2+size0);
 
     p = &((PIDLDATA*)pidl->mkid.abID)->u.cpanel;
-    strcpy(p->szName, name);
-    strcpy(p->szName+tmp.u.cpanel.offsDispName, displayName);
-    strcpy(p->szName+tmp.u.cpanel.offsComment, comment);
+    memcpy(p->szName, name, strlen(name) + 1);
+    memcpy(p->szName+tmp.u.cpanel.offsDispName, displayName, strlen(displayName) + 1);
+    memcpy(p->szName+tmp.u.cpanel.offsComment, comment, strlen(comment) + 1);
 
     *(WORD*)((char*)pidl+(size+2)) = 0;
 
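Review bot: The three memcpy calls into p->szName still write through a field that pidl.h declares as CHAR szName[1], so the diagnostic is hidden rather than the declaration behind it being corrected, and nothing here says why memcpy is used instead of strcpy. Each call copies strlen(x) + 1 bytes, which is exactly what strcpy copied, so behaviour is unchanged; a short comment above these lines (or, if the layout allows it, declaring the trailing storage as a flexible array member) would keep a later cleanup from turning them back into strcpy and reintroducing the build failure.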
@@ -1077,7 +1077,7 @@ static HRESULT WINAPI IShellExecuteHookA_fnExecute(IShellExecuteHookA *iface,
 	return E_INVALIDARG;
 
     path[0] = '\"';
-    lstrcpyA(path+1, pcpanel->szName);
+    memcpy(path+1, pcpanel->szName, strlen(pcpanel->szName) + 1);
 
     /* pass applet name to Control_RunDLL to distinguish between applets in one .cpl file */
     lstrcatA(path, "\" ");
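Review bot: In the copy to path+1, the length comes only from strlen(pcpanel->szName) and nothing in this hunk checks it against the size of path, which the lstrcatA that follows then appends to. That was equally true of the lstrcpyA being replaced, so this is not a regression, but since the line is being touched anyway it would be worth confirming (or asserting) that the name plus the quotes and separator fit in path before copying.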

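The report attributes the warning to a length-1 array standing in for a C99 flexible array member. The following is an added example, not Wine's code and not part of the patch above: it packs three strings the way the szName comment describes, but with a real flexible array member, so the compiler knows the trailing storage is variable-sized. The struct, field and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record modelled on the szName layout: three NUL-terminated
 * strings stored back to back after a small header. */
struct applet_rec {
    unsigned short offs_disp;     /* offset of display name in strings[] */
    unsigned short offs_comment;  /* offset of comment in strings[] */
    char strings[];               /* C99 flexible array member, not char[1] */
};

/* Returns a heap-allocated record, or NULL if allocation fails or an
 * offset would not fit the 16-bit fields. The caller frees the result. */
static struct applet_rec *applet_rec_new(const char *name, const char *disp,
                                         const char *comment)
{
    size_t n = strlen(name) + 1, d = strlen(disp) + 1, c = strlen(comment) + 1;
    struct applet_rec *r;

    if (n > 0xffff || d > 0xffff - n || c > 0xffff)
        return NULL;
    /* offsetof() sizes the header; sizeof(char[1]) tricks are not needed. */
    r = malloc(offsetof(struct applet_rec, strings) + n + d + c);
    if (!r)
        return NULL;
    r->offs_disp = (unsigned short)n;
    r->offs_comment = (unsigned short)(n + d);
    memcpy(r->strings, name, n);
    memcpy(r->strings + r->offs_disp, disp, d);
    memcpy(r->strings + r->offs_comment, comment, c);
    return r;
}

static const char *applet_rec_disp(const struct applet_rec *r)
{
    return r->strings + r->offs_disp;
}

static const char *applet_rec_comment(const struct applet_rec *r)
{
    return r->strings + r->offs_comment;
}

int main(void)
{
    /* Constructed sample values. */
    struct applet_rec *r = applet_rec_new("sample.cpl", "Sample", "A comment");
    if (!r) return 1;
    printf("%s | %s | %s\n", r->strings, applet_rec_disp(r), applet_rec_comment(r));
    free(r);
    return 0;
}
```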