VOGONS


First post, by balidani

User metadata
Rank Newbie
Rank
Newbie

Hi DOSBox developers,

I found a memory corruption bug in DOS_Shell::CMD_DELETE and DOS_Shell::CMD_DIR via the ExpandDot function. ExpandDot uses `strcpy` without a size limit and so the stack can be smashed.

https://github.com/Henne/dosbox-svn/blob/mast … l_cmds.cpp#L192

Indeed if you run the command DELETE <"A" 600ish times> you get a segfault.
The proposed fix is to use strncpy in ExpandDot with CROSS_LEN as the length.

Cheers,
Daniel

Reply 1 of 2, by Qbix

User metadata
Rank DOSBox Author
Rank
DOSBox Author

Thanks for reporting it. Will fix it.

Water flows down the stream
How to ask questions the smart way!