Windows GDI library single-byte overflow vulnerability

Yesterday I saw the advisory for this vulnerability and downloaded the POC to try it; just as I started debugging I found that an expert had already analyzed it:

http://blogs.technet.com/srd/archive/2009/03/26/new-emf-gdiplus-dll-crash-not-exploitable-for-code-execution.aspx

They also posted the vulnerable code from XP. The copy itself is clamped to FamilyNameMax, so the overflow is not in the copy but in the terminating write that follows it: when the length read from the EMF file is FamilyNameMax or larger, length is clamped to exactly FamilyNameMax, and familyName[length] = 0 then stores one WCHAR (two zero bytes) just past the end of the 32-element buffer, an off-by-one:

#define FamilyNameMax 32
...
WCHAR familyName[FamilyNameMax];   // 32 WCHARs, indices 0..31
...
length = fontData->Length; // this comes from the EMF file (attacker controlled)
...
if (length > FamilyNameMax)
{
    length = FamilyNameMax;        // clamps to 32, which still leaves no room for the terminator
}
...
// read in the familyName/data: at most FamilyNameMax WCHARs, so the copy stays in bounds
UnicodeStringCopyCount (familyName, (WCHAR *)dataBuffer, length);
familyName[length]=0;              // with length == 32 this writes familyName[32], one WCHAR past the end
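To make the off-by-one concrete, the following is an added example, not code from the SRD post or from gdiplus.dll. It models the pattern above in portable C: the array familyName is placed at the start of a larger buffer so that the slot at index FamilyNameMax stands in for whatever sits next to it on the real stack, and a canary value there shows whether the terminator write spilled over. UnicodeStringCopyCount is assumed to copy exactly `count` WCHARs; the fixed variant clamps to FamilyNameMax - 1 so that a terminator always fits. The font data is a constructed sample, not a real EMF record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR;          /* stand-in for the Win32 WCHAR type */
#define FamilyNameMax 32
#define CANARY 0xBEEF

/* Assumed semantics of the real helper: copy `count` WCHARs, no terminator. */
static void UnicodeStringCopyCount(WCHAR *dst, const WCHAR *src, size_t count)
{
    memcpy(dst, src, count * sizeof(WCHAR));
}

/*
 * Simulates the vulnerable routine. `frame` holds familyName (32 slots) plus
 * one extra slot representing the neighbouring stack data; indexing that slot
 * is therefore in bounds for the simulation while still showing the overflow.
 * Returns 1 if the neighbouring slot was clobbered, 0 otherwise.
 */
static int read_family_name(uint32_t length_from_file, const WCHAR *dataBuffer, int fixed)
{
    WCHAR frame[FamilyNameMax + 1];
    WCHAR *familyName = frame;            /* frame[0..FamilyNameMax-1] */
    uint32_t length = length_from_file;   /* attacker controlled in the real code */

    frame[FamilyNameMax] = CANARY;        /* the word right after familyName */

    if (!fixed) {
        /* original check: allows length == FamilyNameMax */
        if (length > FamilyNameMax)
            length = FamilyNameMax;
    } else {
        /* hardened check: always leave one slot for the terminator */
        if (length >= FamilyNameMax)
            length = FamilyNameMax - 1;
    }

    UnicodeStringCopyCount(familyName, dataBuffer, length);
    familyName[length] = 0;               /* the off-by-one when length == 32 */

    return frame[FamilyNameMax] != CANARY;
}

/* Constructed sample font data: 64 WCHARs of 'A', more than any clamp allows. */
static int demo(uint32_t length_from_file, int fixed)
{
    WCHAR data[FamilyNameMax * 2];
    for (size_t i = 0; i < sizeof data / sizeof data[0]; i++)
        data[i] = (WCHAR)'A';
    return read_family_name(length_from_file, data, fixed);
}

int main(void)
{
    printf("original, Length=31:   overflow=%d\n", demo(31, 0));
    printf("original, Length=32:   overflow=%d\n", demo(32, 0));
    printf("original, Length=1000: overflow=%d\n", demo(1000, 0));
    printf("fixed,    Length=1000: overflow=%d\n", demo(1000, 1));
    return 0;
}
```

Any Length of 32 or more from the file trips the canary in the original variant, while 31 or less is harmless; the hardened clamp never reaches index 32. As the SRD post notes, what lands past the buffer is only a fixed zero WCHAR, not attacker data, which is why it was assessed as a crash rather than a code-execution bug.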