Fixed buffer overflow in GUI browse().

Thanks Connor Reynolds.
Iain Patterson 4 years ago
parent
commit
54731dd901
2 changed files with 2 additions and 1 deletions
  1. README.txt (+1, -0)
  2. gui.cpp (+1, -1)

+ 1 - 0
README.txt

@@ -1043,6 +1043,7 @@ Thanks to Nicolas Ducrocq for suggesting timestamping redirected output.
 Thanks to Meang Akira Tanaka for suggestion and initial implementation of
 the statuscode command.
 Thanks to Kirill Kovalenko for reporting a crash with NANO server.
+Thanks to Connor Reynolds for spotting a potential buffer overflow.
 
 Licence
 -------

+ 1 - 1
gui.cpp

@@ -924,7 +924,7 @@ void browse(HWND window, TCHAR *current, unsigned long flags, ...) {
     va_start(arg, flags);
     while (i = va_arg(arg, int)) {
       TCHAR *localised = message_string(i);
-      _sntprintf_s((TCHAR *) ofn.lpstrFilter + len, bufsize, _TRUNCATE, localised);
+      _sntprintf_s((TCHAR *) ofn.lpstrFilter + len, bufsize - len, _TRUNCATE, localised);
       len += _tcslen(localised) + 1;
       LocalFree(localised);
       TCHAR *filter = browse_filter(i);
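
Review bot: the bound on the `_sntprintf_s` line is now correct for a write that fits, but the next line still advances `len` by `_tcslen(localised) + 1` whether or not the write was truncated. With `_TRUNCATE` the call returns -1 on truncation and that return value is discarded here, so after a truncated write `len` can exceed `bufsize`; on the next iteration the destination pointer `ofn.lpstrFilter + len` is then past the end of the buffer and `bufsize - len` is negative, or wraps to a very large count if these are unsigned (their declarations are outside this hunk). Suggest capturing the return value, stopping the loop when it is negative, and advancing `len` by the count actually written plus one. Separately, `localised` is passed as the format argument on that same line, so any `%` in a translated message string is parsed as a conversion specifier; passing `_T("%s"), localised` avoids that. The hunk ends at `browse_filter(i)`; if the filter text is appended the same way below, it needs the same remaining-space bound and the same truncation check.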