From f52a3496eb348a02e616b74b2c72caaf3cc7cda6 Mon Sep 17 00:00:00 2001
From: HetCreep
Date: Mon, 22 Jun 2026 01:31:45 +0700
Subject: [PATCH 1/2] Fix buffer overflow in the ANSI boot.config redirect hook

create_file_hook_narrow memcpy'd the override path into the caller's lpFileName buffer, overflowing it when the override is longer than the original path. Point actual_file_name at our own narrowed buffer (mirroring create_file_hook) and free it after the CreateFileA call.
---
 src/windows/entrypoint.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/windows/entrypoint.c b/src/windows/entrypoint.c
index f798129..4f09d7f 100644
--- a/src/windows/entrypoint.c
+++ b/src/windows/entrypoint.c
@@ -99,6 +99,7 @@ HANDLE WINAPI create_file_hook_narrow(
     LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition,
     DWORD dwFlagsAndAttributes, HANDLE hTemplateFile) {
     void *actual_file_name = lpFileName;
+    char *narrowed_boot_config_override = NULL;
     char_t *widened_filename = widen(lpFileName);
     char_t *normalised_path =
@@ -114,19 +115,24 @@ HANDLE WINAPI create_file_hook_narrow(
     }
 
     if (strcmpi(normalised_path, default_boot_config_path) == 0) {
-        char *narrowed_boot_config_override =
-            narrow(config.boot_config_override);
-        memcpy(actual_file_name, narrowed_boot_config_override,
-               strlen(config.boot_config_override));
-        free(narrowed_boot_config_override);
+        // Point at our own override buffer (mirrors create_file_hook). The old
+        // memcpy wrote the override into the caller's lpFileName buffer, which
+        // overflows it whenever the override path is longer than the original.
+        narrowed_boot_config_override = narrow(config.boot_config_override);
+        actual_file_name = narrowed_boot_config_override;
         LOG("Overriding boot.config to %s", actual_file_name);
     }
 
     free(normalised_path);
 
-    return CreateFileA(actual_file_name, dwDesiredAccess, dwShareMode,
-                       lpSecurityAttributes, dwCreationDisposition,
-                       dwFlagsAndAttributes, hTemplateFile);
+    HANDLE result = CreateFileA(actual_file_name, dwDesiredAccess, dwShareMode,
+                                lpSecurityAttributes, dwCreationDisposition,
+                                dwFlagsAndAttributes, hTemplateFile);
+
+    if (narrowed_boot_config_override)
+        free(narrowed_boot_config_override);
+
+    return result;
 }
 
 void capture_mono_path(void *handle) {

From f922e004cbdebfce4e084f623c8108f4b1e10660 Mon Sep 17 00:00:00 2001
From: ManlyMarco <39247311+ManlyMarco@users.noreply.github.com>
Date: Mon, 22 Jun 2026 16:45:06 +0200
Subject: [PATCH 2/2] Apply suggestion from @ManlyMarco

---
 src/windows/entrypoint.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/windows/entrypoint.c b/src/windows/entrypoint.c
index 4f09d7f..7de774b 100644
--- a/src/windows/entrypoint.c
+++ b/src/windows/entrypoint.c
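Review bot: The override path is handed to CreateFileA without checking what `narrow()` returned, on the added `actual_file_name = narrowed_boot_config_override;` line; if narrow() can return NULL on allocation failure (its contract is not visible in this hunk), CreateFileA is then called with a NULL file name and the LOG line presumably prints a NULL through `%s`. A fallback keeps the call well-formed, `actual_file_name = narrowed_boot_config_override ? narrowed_boot_config_override : lpFileName;`, or alternatively free normalised_path and return `INVALID_HANDLE_VALUE`, whichever matches what create_file_hook does. The `if (narrowed_boot_config_override)` guard around the added `free()` call is redundant because free(NULL) is a no-op, so `free(narrowed_boot_config_override);` on its own reads cleaner. The function's signature and the declaration of `narrowed_boot_config_override` sit in the previous hunk, outside this one.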
@@ -115,9 +115,6 @@ HANDLE WINAPI create_file_hook_narrow(
     }
 
     if (strcmpi(normalised_path, default_boot_config_path) == 0) {
-        // Point at our own override buffer (mirrors create_file_hook). The old
-        // memcpy wrote the override into the caller's lpFileName buffer, which
-        // overflows it whenever the override path is longer than the original.
         narrowed_boot_config_override = narrow(config.boot_config_override);
         actual_file_name = narrowed_boot_config_override;
         LOG("Overriding boot.config to %s", actual_file_name);