Merged PR 6274354: [Git2Git] Fix unbound read of cooked read buffer

Fix unbound read of cooked read buffer Retrieved from https://microsoft.visualstudio.com os.2020 OS official/rs_wdx_dxp_windev 756c8dcd4cf9551f5bf090b98bf3fba5498f8eff Related work items: MSFT-32957145
2021-07-19 20:02:20 +00:00 · 2021-07-19 20:02:20 +00:00 · dfda41074d
parent 26f4b0eacb
commit dfda41074d
3 changed files with 9 additions and 8 deletions
--- a/src/host/readDataCooked.cpp
+++ b/src/host/readDataCooked.cpp
@ -1008,13 +1008,13 @@ void COOKED_READ_DATA::SavePendingInput(const size_t index, const bool multiline
    {
        // Figure out where real string ends (at carriage return or end of buffer).
        PWCHAR StringPtr = _backupLimit;
-        size_t StringLength = _bytesRead;
+        size_t StringLength = _bytesRead / sizeof(WCHAR);
        bool FoundCR = false;
-        for (size_t i = 0; i < (_bytesRead / sizeof(WCHAR)); i++)
+        for (size_t i = 0; i < StringLength; i++)
        {
            if (*StringPtr++ == UNICODE_CARRIAGERETURN)
            {
-                StringLength = i * sizeof(WCHAR);
+                StringLength = i;
                FoundCR = true;
                break;
            }
@ -1026,11 +1026,11 @@ void COOKED_READ_DATA::SavePendingInput(const size_t index, const bool multiline
            {
                // add to command line recall list if we have a history list.
                CONSOLE_INFORMATION& gci = ServiceLocator::LocateGlobals().getConsoleInformation();
-                LOG_IF_FAILED(_commandHistory->Add({ _backupLimit, StringLength / sizeof(wchar_t) },
+                LOG_IF_FAILED(_commandHistory->Add({ _backupLimit, StringLength },
                                                   WI_IsFlagSet(gci.Flags, CONSOLE_HISTORY_NODUP)));
            }

-            Tracing::s_TraceCookedRead(_backupLimit);
+            Tracing::s_TraceCookedRead(_backupLimit, base::saturated_cast<ULONG>(StringLength));

            // check for alias
            ProcessAliases(LineCount);
--- a/src/host/tracing.cpp
+++ b/src/host/tracing.cpp
@ -405,12 +405,13 @@ void Tracing::s_TraceInputRecord(const INPUT_RECORD& inputRecord)
    }
 }

-void Tracing::s_TraceCookedRead(_In_z_ const wchar_t* pwszCookedBuffer)
+void Tracing::s_TraceCookedRead(_In_reads_(cchCookedBufferLength) const wchar_t* pwchCookedBuffer, _In_ ULONG cchCookedBufferLength)
 {
    TraceLoggingWrite(
        g_hConhostV2EventTraceProvider,
        "CookedRead",
-        TraceLoggingWideString(pwszCookedBuffer, "ReadBuffer"),
+        TraceLoggingCountedWideString(pwchCookedBuffer, cchCookedBufferLength, "ReadBuffer"),
+        TraceLoggingULong(cchCookedBufferLength, "ReadBufferLength"),
        TraceLoggingKeyword(TIL_KEYWORD_TRACE),
        TraceLoggingKeyword(TraceKeywords::CookedRead));
 }
--- a/src/host/tracing.hpp
+++ b/src/host/tracing.hpp
@ -62,7 +62,7 @@ public:
    static void s_TraceWindowMessage(const MSG& msg);
    static void s_TraceInputRecord(const INPUT_RECORD& inputRecord);

-    static void s_TraceCookedRead(_In_z_ const wchar_t* pwszCookedBuffer);
+    static void Tracing::s_TraceCookedRead(_In_reads_(cchCookedBufferLength) const wchar_t* pwchCookedBuffer, _In_ ULONG cchCookedBufferLength);

    static void __stdcall TraceFailure(const wil::FailureInfo& failure) noexcept;