From e7483343275e6ac4c402b84d99635d1ef8ed86be Mon Sep 17 00:00:00 2001 From: Tor Lillqvist Date: Thu, 9 Sep 2010 15:44:12 +0300 Subject: [PATCH] Avoid potential DLL hijacking in Wintab code Load Wintab32.dll from an absolute path. A proper Wintab32.dll, if present, should be in the Windows system directory, so load it from there. --- gdk/win32/gdkdevicemanager-win32.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/gdk/win32/gdkdevicemanager-win32.c b/gdk/win32/gdkdevicemanager-win32.c index e3696bbf6f..f0fddb1b53 100644 --- a/gdk/win32/gdkdevicemanager-win32.c +++ b/gdk/win32/gdkdevicemanager-win32.c @@ -33,6 +33,8 @@ #include #include +#define WINTAB32_DLL "Wintab32.dll" + #define PACKETDATA (PK_CONTEXT | PK_CURSOR | PK_BUTTONS | PK_X | PK_Y | PK_NORMAL_PRESSURE | PK_ORIENTATION) /* We want everything in absolute mode */ #define PACKETMODE (0) @@ -376,6 +378,9 @@ _gdk_input_wintab_init_check (GdkDeviceManagerWin32 *device_manager) gchar *devname_utf8, *csrname_utf8, *device_name; BOOL defcontext_done; HMODULE wintab32; + char *wintab32_dll_path; + char dummy; + int n, k; if (wintab_initialized) return; @@ -387,7 +392,25 @@ _gdk_input_wintab_init_check (GdkDeviceManagerWin32 *device_manager) if (_gdk_input_ignore_wintab) return; - if ((wintab32 = LoadLibrary ("wintab32.dll")) == NULL) + n = GetSystemDirectory (&dummy, 0); + + if (n <= 0) + return; + + wintab32_dll_path = g_malloc (n + 1 + strlen (WINTAB32_DLL)); + k = GetSystemDirectory (wintab32_dll_path, n); + + if (k == 0 || k > n) + { + g_free (wintab32_dll_path); + return; + } + + if (!G_IS_DIR_SEPARATOR (wintab32_dll_path[strlen (wintab32_dll_path) -1])) + strcat (wintab32_dll_path, G_DIR_SEPARATOR_S); + strcat (wintab32_dll_path, WINTAB32_DLL); + + if ((wintab32 = LoadLibrary (wintab32_dll_path)) == NULL) return; if ((p_WTInfoA = (t_WTInfoA) GetProcAddress (wintab32, "WTInfoA")) == NULL)