Apply code changes: @orbisai0security can you address code review comm...

2026-06-22 10:02:20 +00:00 · 2026-05-29 11:24:51 +00:00 · 2026-05-29 11:24:51 +00:00 · 571be25a23
commit 571be25a23
parent 0836bcfe68
2 changed files with 16 additions and 3 deletions
--- a/libs/clipboard/src/windows/wf_cliprdr.c
+++ b/libs/clipboard/src/windows/wf_cliprdr.c
@ -39,6 +39,9 @@

 #define CLIPRDR_SVC_CHANNEL_NAME "cliprdr"

+/* Maximum number of clipboard streams accepted from a remote peer (integer overflow / DoS guard) */
+#define WF_CLIPRDR_MAX_STREAMS 16384
+
 /**
 * Clipboard Formats
 */
@ -769,8 +772,13 @@ static HRESULT STDMETHODCALLTYPE CliprdrDataObject_GetData(IDataObject *This, FO

 		if (instance->m_nStreams > 0)
 		{
-			if (instance->m_nStreams > 16384)
+			if (instance->m_nStreams > WF_CLIPRDR_MAX_STREAMS)
+			{
+				GlobalFree(clipboard->hmem);
+				clipboard->hmem = NULL;
+				pMedium->hGlobal = NULL;
 				return E_UNEXPECTED;
+			}

 			if (!instance->m_pStream)
 			{
@ -2172,7 +2180,11 @@ static BOOL wf_cliprdr_add_to_file_arrays(wfClipboard *clipboard, WCHAR *full_fi
 	// `MAX_PATH` is long enough for the file name.
 	// So we just return FALSE if the file name is too long, which is not a normal case.
 	if ((wcslen(full_file_name) + 1) > MAX_PATH)
+	{
+		free(clipboard->file_names[clipboard->nFiles]);
+		clipboard->file_names[clipboard->nFiles] = NULL;
 		return FALSE;
+	}

 	wcsncpy_s(clipboard->file_names[clipboard->nFiles], MAX_PATH, full_file_name, wcslen(full_file_name) + 1);
 	/* add to descriptor array */
--- a/tests/test_invariant_wf_cliprdr.c
+++ b/tests/test_invariant_wf_cliprdr.c
@ -19,7 +19,7 @@
 #define LPSTREAM_SIZE (sizeof(void *))

 /* Maximum allowed stream count - a reasonable upper bound for clipboard streams */
-#define MAX_SAFE_STREAM_COUNT 1024
+#define MAX_SAFE_STREAM_COUNT 16384

 /*
 * Safe allocation function that mirrors what the vulnerable code SHOULD do.
@ -126,6 +126,7 @@ START_TEST(test_overflow_detection)
        { 10,   0 },
        { 100,  0 },
        { 1024, 0 },
+        { 16384, 0 },
        /* Dangerous values - MUST be detected as overflow */
        { SIZE_MAX,                         1 },
        { SIZE_MAX / LPSTREAM_SIZE + 1,     1 },
@ -151,7 +152,7 @@ START_TEST(test_valid_stream_counts_succeed)
 {
    /* Invariant: valid, small stream counts must succeed to ensure functionality */

-    size_t valid_counts[] = { 1, 2, 4, 8, 16, 32, 64, 128, 256, MAX_SAFE_STREAM_COUNT };
+    size_t valid_counts[] = { 1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 8192, MAX_SAFE_STREAM_COUNT };
    int num_counts = sizeof(valid_counts) / sizeof(valid_counts[0]);

    for (int i = 0; i < num_counts; i++) {