Vulnerability Development mailing list archives

Re: strcpy bug


From: xenophi1e <oliver.lavery () sympatico ca>
Date: 7 Jun 2003 18:34:59 -0000

In-Reply-To: <Law15-F17rjbudzxxfY00026977 () hotmail com>


> The Windows "Search for files and folders" utility will search binaries and
> can often find the linkage names of functions and dlls they call.  None

*Lol*. I never would have thought to use the pretty GUI with the little 
doggie for anything like this. But of course, it's really just a not-so-
good strings / objdump | grep. 

> Bah.  That 0x104 in the size field of the result string from the
> RtlUnicodeStringToAnsiString call not only protects the stack frame, it also
> stops us feeding too long a string through the W version to the A version.
> D'oh.

Yeah, another obvious problem I realised after posting is that MAX_PATH 
on Windows is 260 / 0x104. So the overflowable buffer is MAX_PATH 
characters long. There's some protection since applications that are well 
written probably won't call a file open sort of function with a filename 
longer than MAX_PATH. Of course we all know how many applications are 
actually well written...

> So I guess the answer to your question is "Potentially, IE, OE, MSHta.exe
> and anything else that uses the IE browser engine.  Font-face style tag
> perhaps?"


Hmm, that's a good analysis, thanks. I'll have to have a look-see at 
t2embed.dll the next time I sit down with IDA.

Cheers,
~x
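Added example, not code from the thread or from t2embed.dll: a portable C model of the point both posters make above, that a Unicode-to-ANSI conversion whose destination carries a MaximumLength of 0x104 (MAX_PATH) cannot overrun a MAX_PATH stack buffer, whereas an unchecked strcpy-style copy of a path longer than MAX_PATH would. The struct and function names (UNICODE_STRING_M, ANSI_STRING_M, UnicodeToAnsiBounded, DemoLongPath, DemoShortPath, StrcpyWouldOverflow) are stand-ins I chose for this example; they only mimic the bounded-copy behaviour of the real ntdll RtlUnicodeStringToAnsiString and are not that API. The 300-character path is constructed inline.

```c
/*
 * Added example (not from the original thread): a portable model of the
 * bounded Unicode-to-ANSI conversion discussed above. The real
 * RtlUnicodeStringToAnsiString lives in ntdll; this stand-in only mimics
 * the property that matters here: it never writes past the destination's
 * MaximumLength, so a MAX_PATH (0x104) byte buffer on the stack stays
 * intact even when the wide-string source is longer than MAX_PATH.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260               /* 0x104, as noted in the thread */
#define STATUS_SUCCESS         0
#define STATUS_BUFFER_OVERFLOW 1   /* stand-in value, not the NT status code */

/* Minimal models of the NT counted-string structures (assumed layout). */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING_M;
typedef struct { uint16_t Length, MaximumLength; char     *Buffer; } ANSI_STRING_M;

/* Bounded conversion: copies at most dst->MaximumLength - 1 characters,
 * always NUL-terminates, and reports truncation instead of overflowing. */
int UnicodeToAnsiBounded(ANSI_STRING_M *dst, const UNICODE_STRING_M *src)
{
    size_t n    = src->Length / sizeof(uint16_t);  /* characters, not bytes */
    size_t room = dst->MaximumLength;              /* bytes available in dst */
    int status  = STATUS_SUCCESS;

    if (n + 1 > room) {                            /* keep room for the NUL */
        n = room ? room - 1 : 0;
        status = STATUS_BUFFER_OVERFLOW;
    }
    for (size_t i = 0; i < n; i++)                 /* naive narrowing for ASCII */
        dst->Buffer[i] = (src->Buffer[i] < 0x80) ? (char)src->Buffer[i] : '?';
    if (room)
        dst->Buffer[n] = '\0';
    dst->Length = (uint16_t)n;
    return status;
}

/* The check an unbounded strcpy into a MAX_PATH buffer lacks: would
 * `chars` characters plus the terminating NUL overrun the buffer? */
int StrcpyWouldOverflow(size_t chars)
{
    return chars + 1 > MAX_PATH;
}

/* Helper: build a UNICODE_STRING_M from an ASCII string in caller storage. */
static void MakeUnicode(UNICODE_STRING_M *us, uint16_t *store, size_t cap, const char *s)
{
    size_t n = strlen(s);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++)
        store[i] = (uint16_t)(unsigned char)s[i];
    us->Buffer = store;
    us->Length = (uint16_t)(n * sizeof(uint16_t));
    us->MaximumLength = (uint16_t)(cap * sizeof(uint16_t));
}

/* Constructed case: a 300-character path converted into a MAX_PATH stack
 * buffer. Returns the resulting ANSI length when truncation was reported
 * (259 characters fit beside the NUL), or 0 if no overflow was flagged. */
size_t DemoLongPath(void)
{
    static uint16_t wide[512];
    char narrow[MAX_PATH];
    char longpath[301];
    memset(longpath, 'A', 300);
    longpath[300] = '\0';

    UNICODE_STRING_M us;
    ANSI_STRING_M as = { 0, MAX_PATH, narrow };
    MakeUnicode(&us, wide, 512, longpath);
    int st = UnicodeToAnsiBounded(&as, &us);
    return st == STATUS_BUFFER_OVERFLOW ? as.Length : 0;
}

/* Constructed case: a short path round-trips unchanged. Returns 1 on success. */
int DemoShortPath(void)
{
    uint16_t wide[16];
    char narrow[16];
    UNICODE_STRING_M us;
    ANSI_STRING_M as = { 0, sizeof narrow, narrow };
    MakeUnicode(&us, wide, 16, "C:\\x.ttf");
    return UnicodeToAnsiBounded(&as, &us) == STATUS_SUCCESS
        && strcmp(narrow, "C:\\x.ttf") == 0;
}

int main(void)
{
    printf("long path -> %zu chars kept (truncated, buffer intact)\n", DemoLongPath());
    printf("short path round-trip ok: %d\n", DemoShortPath());
    printf("strcpy of 300 chars into MAX_PATH overflows: %d\n", StrcpyWouldOverflow(300));
    return 0;
}
```

The bounded path is the one the thread credits with protecting the stack frame; the truncation it performs is also why a caller that later assumes the full path survived can still misbehave, which is the practical reason to reject over-long names up front rather than rely on the converter alone.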
