First post, by balidani
Hi DOSBox developers,
I found a memory corruption bug in DOS_Shell::CMD_DELETE and DOS_Shell::CMD_DIR via the ExpandDot function. ExpandDot uses `strcpy` without a size limit and so the stack can be smashed.
https://github.com/Henne/dosbox-svn/blob/mast … l_cmds.cpp#L192
Indeed if you run the command DELETE <"A" 600ish times> you get a segfault.
The proposed fix is to use strncpy in ExpandDot with CROSS_LEN as the length.
Cheers,
Daniel
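As an added C example (not DOSBox's code), a bounded stand-in for the copy described in the report: it always NUL-terminates, since `strncpy` on its own does not when the source fills the buffer, and reports truncation to the caller. The expansion behaviour ("." becomes "*.*", anything else is copied as-is) and the CROSS_LEN value of 512 are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for this example; the real constant lives in DOSBox's headers. */
#define CROSS_LEN 512

/*
 * Hypothetical bounded version of the expansion step the report describes.
 * The copy never exceeds bufsize, the buffer is always NUL-terminated
 * (strncpy alone does not guarantee that), and the return value is 1 when
 * the argument had to be cut short, so the caller can reject it instead
 * of silently operating on a truncated path.
 */
static int expand_dot_bounded(const char *args, char *buffer, size_t bufsize) {
    const char *src = (args[0] == '.' && args[1] == '\0') ? "*.*" : args;
    if (bufsize == 0) return 1;
    strncpy(buffer, src, bufsize - 1);
    buffer[bufsize - 1] = '\0';
    return strlen(src) >= bufsize;
}

/* Helper: 1 if arg expands exactly to expected without truncation. */
static int expands_to(const char *arg, const char *expected) {
    char buffer[CROSS_LEN];
    if (expand_dot_bounded(arg, buffer, sizeof buffer)) return 0;
    return strcmp(buffer, expected) == 0;
}

/* Length kept for a DELETE argument of arg_len 'A's (the report's test case). */
static size_t expanded_length(size_t arg_len) {
    char arg[1024];
    char buffer[CROSS_LEN];
    if (arg_len >= sizeof arg) arg_len = sizeof arg - 1;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    expand_dot_bounded(arg, buffer, sizeof buffer);
    return strlen(buffer);
}

int main(void) {
    printf("\".\" expands to \"*.*\": %d\n", expands_to(".", "*.*"));
    printf("600 x 'A' -> %zu chars kept (buffer is %d)\n",
           expanded_length(600), CROSS_LEN);
    return 0;
}
```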