Windows GDI library single-byte overflow vulnerability
I saw this vulnerability advisory yesterday and downloaded the PoC to try it out; just as I was starting to debug it, I found that an expert had already analysed it:
He also posted the vulnerable code from XP, where the overflow during the copy is obvious:
```c
#define FamilyNameMax 32
...
WCHAR familyName[FamilyNameMax];          // 32 WCHARs, valid indices 0..31
...
length = fontData->Length;                // this comes from the EMF file
...
if (length > FamilyNameMax) {
    length = FamilyNameMax;               // clamps to 32, not 31: length == 32 is still allowed
}
...
// read in the familyName/data
UnicodeStringCopyCount(familyName, (WCHAR *)dataBuffer, length);
familyName[length] = 0;                   // with length == 32 this writes one WCHAR past the end
```
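To make the off-by-one concrete, here is an added example (my own code, not the XP source or the original analyst's) that models the clamp-copy-terminate sequence above next to a corrected version. The storage array is deliberately one element larger than the logical buffer and carries a constructed sentinel there, so the overrun is observable without corrupting unrelated memory; the function and marker names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FamilyNameMax 32
#define SENTINEL 0xBEEF   /* constructed marker placed just past the logical 32-element buffer */

/* One spare element so the overrun lands on the sentinel instead of on
 * whatever happens to follow familyName in the real GDI object. */
typedef struct {
    uint16_t familyName[FamilyNameMax + 1];
} NameStorage;

/* Same logic as the quoted XP code: clamp to FamilyNameMax, copy, then
 * terminate at familyName[length]. Returns the index the terminator was written to. */
static size_t copy_family_name_vulnerable(NameStorage *s, const uint16_t *src, size_t length) {
    if (length > FamilyNameMax) {
        length = FamilyNameMax;           /* length == 32 survives the clamp */
    }
    memcpy(s->familyName, src, length * sizeof(uint16_t));
    s->familyName[length] = 0;            /* index 32 is one past a 32-element buffer */
    return length;
}

/* Fixed form: reserve the last element of the buffer for the terminator. */
static size_t copy_family_name_fixed(NameStorage *s, const uint16_t *src, size_t length) {
    if (length > FamilyNameMax - 1) {
        length = FamilyNameMax - 1;       /* at most 31 characters plus terminator */
    }
    memcpy(s->familyName, src, length * sizeof(uint16_t));
    s->familyName[length] = 0;            /* highest possible index is 31 */
    return length;
}

/* Runs one copy routine on a constructed name of `length` WCHARs and reports
 * whether the sentinel past the logical buffer survived: 1 intact, 0 clobbered. */
static int sentinel_intact(size_t (*copy)(NameStorage *, const uint16_t *, size_t), size_t length) {
    uint16_t src[64];
    NameStorage s;
    for (size_t i = 0; i < 64; i++) src[i] = (uint16_t)('A' + (i % 26));   /* constructed name data */
    if (length > 64) length = 64;
    memset(&s, 0, sizeof s);
    s.familyName[FamilyNameMax] = SENTINEL;
    copy(&s, src, length);
    return s.familyName[FamilyNameMax] == SENTINEL;
}

int main(void) {
    printf("vulnerable, length 40: sentinel %s\n", sentinel_intact(copy_family_name_vulnerable, 40) ? "intact" : "clobbered");
    printf("fixed,      length 40: sentinel %s\n", sentinel_intact(copy_family_name_fixed, 40) ? "intact" : "clobbered");
    return 0;
}
```

Names shorter than 32 WCHARs pass through both routines untouched; only a name of 32 or more triggers the terminator write past the buffer in the vulnerable routine.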