Fix some strcpy() buffer overrrun issues

Author: jandubois

Changes

@@ -1,5 +1,9 @@
 Revision history for the Perl extension Win32.
 
+0.43	[2011-01-12]
+	- fix a few potential buffer overrun bugs reported by Alex Davies.
+	  [perl#78710]
+
 0.42	[2011-01-06]
 	- remove brittle test for Win32::GetLongPathName($ENV{SYSTEMROOT})
 	  which will fail if the case of the environment value doesn't

META.yml

@@ -1,7 +1,7 @@
 --- #YAML:1.0
 name: Win32
 abstract: Interfaces to some Win32 API Functions
-version: 0.42
+version: 0.43
 author:
   - Jan Dubois <[email protected]>
 license: perl

Win32.pm

@@ -8,7 +8,7 @@ package Win32;
     require DynaLoader;
 
     @ISA = qw|Exporter DynaLoader|;
-    $VERSION = '0.42';
+    $VERSION = '0.43';
     $XS_VERSION = $VERSION;
     $VERSION = eval $VERSION;
 

Win32.xs

@@ -1483,7 +1483,8 @@ XS(w32_GetFullPathName)
             /* fullname is the MAX_PATH+1 sized buffer returned from PerlDir_mapA()
              * or the 2*MAX_PATH sized local buffer in the __CYGWIN__ case.
              */
-            strcpy(lastchar+1, "\\");
+            if (lastchar - fullname < MAX_PATH - 1)
+                strcpy(lastchar+1, "\\");
         }
     }
 
@@ -1519,13 +1520,15 @@ XS(w32_GetLongPathName)
         WCHAR wide_path[MAX_PATH+1];
         WCHAR *long_path;
 
-        wcscpy(wide_path, wstr);
-        Safefree(wstr);
-        long_path = my_longpathW(wide_path);
-        if (long_path) {
-            ST(0) = wstr_to_sv(aTHX_ long_path);
-            XSRETURN(1);
+        if (wcslen(wstr) < countof(wide_path)) {
+            wcscpy(wide_path, wstr);
+            long_path = my_longpathW(wide_path);
+            if (long_path) {
+                ST(0) = wstr_to_sv(aTHX_ long_path);
+                XSRETURN(1);
+            }
         }
+        Safefree(wstr);
     }
     else {
         SV *path;
@@ -1535,11 +1538,13 @@ XS(w32_GetLongPathName)
 
         path = ST(0);
         pathstr = SvPV(path,len);
-        strcpy(tmpbuf, pathstr);
-        pathstr = my_longpathA(tmpbuf);
-        if (pathstr) {
-            ST(0) = sv_2mortal(newSVpvn(pathstr, strlen(pathstr)));
-            XSRETURN(1);
+        if (len < sizeof(tmpbuf)) {
+            strcpy(tmpbuf, pathstr);
+            pathstr = my_longpathA(tmpbuf);
+            if (pathstr) {
+                ST(0) = sv_2mortal(newSVpvn(pathstr, strlen(pathstr)));
+                XSRETURN(1);
+            }
         }
     }
     XSRETURN_EMPTY;
@@ -1572,14 +1577,19 @@ XS(w32_CopyFile)
 {
     dXSARGS;
     BOOL bResult;
+    char *pszSourceFile;
     char szSourceFile[MAX_PATH+1];
 
     if (items != 3)
 	Perl_croak(aTHX_ "usage: Win32::CopyFile($from, $to, $overwrite)");
-    strcpy(szSourceFile, PerlDir_mapA(SvPV_nolen(ST(0))));
-    bResult = CopyFileA(szSourceFile, PerlDir_mapA(SvPV_nolen(ST(1))), !SvTRUE(ST(2)));
-    if (bResult)
-	XSRETURN_YES;
+
+    pszSourceFile = PerlDir_mapA(SvPV_nolen(ST(0)));
+    if (strlen(pszSourceFile) < sizeof(szSourceFile)) {
+        strcpy(szSourceFile, pszSourceFile);
+        bResult = CopyFileA(szSourceFile, PerlDir_mapA(SvPV_nolen(ST(1))), !SvTRUE(ST(2)));
+        if (bResult)
+            XSRETURN_YES;
+    }
     XSRETURN_NO;
 }