Skip to content
This repository has been archived by the owner. It is now read-only.
Browse files

Fixed bug 1938 - Buffer overflows in the Windows IME code


There are a few potential buffer overflows in the Windows IME code located in the SDL_windowskeyboard.c file. [1] They mainly happen because the code passes the number of bytes instead of the number of characters to the wide-character string functions wcslcpy and wcslcat. In another place, the code assumes that the composition cursor position can never go beyond the size of the composition string buffer.

Some of these overflows and overruns can occur with the Japanese IME on Vista and simplified Chinese IME on XP. I don't actually speak those languages and it's my first time using the IMEs, so I probably pushed them to the limit where nobody would still be compositing proper words. They don't cause any immediate access violation, although the possibility of trashing the SDL_VideoData structure is never good.

I've attached a patch that fixes those I found, but because I'm very new to the code it may be worthwhile if someone else also has a look over the code.

I'll go over the changes in my patch and explain what, why and how.

In the function IME_GetReadingString, there is a wcslcpy to copy the reading string from the IMC memory to the SDL reading string buffer. [2] This assumes that the length of the reading string never exceeds the SDL buffer size. I guess that is possible and I wasn't able to get a long reading string in my tests, but the patch adds a simple check anyway.

In the function IME_GetCompositionString, the first line calls ImmGetCompositionStringW to get the composition string. [3] The Microsoft documentation states that the fourth argument is for the destination buffer size in bytes (even with unicode) and the code correctly passes the value of sizeof. However, at the end of IME_GetCompositionString, the string is terminated by setting the element at index 'length' to 0. 'length' is calculated by dividing the number of bytes (those written by ImmGetCompositionStringW) by 2. If it managed to write 64 bytes, the code sets element 32 to 0, which would be the beginning of the reading string if the alignment places it there. My patch adds a subtraction to the fourth argument, essentially making it always pass 62 instead.

In the same function, the code assumes that the composition cursor position doesn't go beyond the buffer size. [4] My patch adds a simple range check in front of the indirection.

In the function IME_SendEditingEvent, the size for the wide-character string functions is passed in bytes instead of characters. [5] Oddly, the current code subtracts 'len' from the size in one function call. This results in truncation in certain situations as the third argument is the number of characters available in the destination buffer. If I'm understanding it correctly, this is supposed to copy x characters of the composition buffer, then concatenate the whole reading string buffer, and then the rest of the composition buffer (where x is the composition cursor position). I don't see how a truncation of the rest would be helpful here. Perhaps this is just an error? My patch removes the subtraction.

In the function UIElementSink_UpdateUIElement, bytes instead of characters is used again for a wcslcpy call. [6]
  • Loading branch information
slouken committed Jul 13, 2013
1 parent 4b59abf commit 0890931f96b3517de715aae21b6a7b75f0a8d015
Showing with 11 additions and 8 deletions.
  1. +11 −8 src/video/windows/SDL_windowskeyboard.c
@@ -466,8 +466,10 @@ IME_GetReadingString(SDL_VideoData *videodata, HWND hwnd)
s = (WCHAR *)(p + 1*4 + (16*2+2*4) + 5*4);
if (s)
SDL_wcslcpy(videodata->ime_readingstring, s, len + 1);
if (s) {
size_t size = SDL_min((size_t)(len + 1), SDL_arraysize(videodata->ime_readingstring));
SDL_wcslcpy(videodata->ime_readingstring, s, size);

@@ -673,13 +675,13 @@ IME_ClearComposition(SDL_VideoData *videodata)
static void
IME_GetCompositionString(SDL_VideoData *videodata, HIMC himc, DWORD string)
LONG length = ImmGetCompositionStringW(himc, string, videodata->ime_composition, sizeof(videodata->ime_composition));
LONG length = ImmGetCompositionStringW(himc, string, videodata->ime_composition, sizeof(videodata->ime_composition) - sizeof(videodata->ime_composition[0]));
if (length < 0)
length = 0;

length /= sizeof(videodata->ime_composition[0]);
videodata->ime_cursor = LOWORD(ImmGetCompositionStringW(himc, GCS_CURSORPOS, 0, 0));
if (videodata->ime_composition[videodata->ime_cursor] == 0x3000) {
if (videodata->ime_cursor < SDL_arraysize(videodata->ime_composition) && videodata->ime_composition[videodata->ime_cursor] == 0x3000) {
int i;
for (i = videodata->ime_cursor + 1; i < length; ++i)
videodata->ime_composition[i - 1] = videodata->ime_composition[i];
@@ -707,15 +709,16 @@ IME_SendEditingEvent(SDL_VideoData *videodata)
char *s = 0;
const size_t size = SDL_arraysize(buffer);
buffer[0] = 0;
if (videodata->ime_readingstring[0]) {
size_t len = SDL_min(SDL_wcslen(videodata->ime_composition), (size_t)videodata->ime_cursor);
SDL_wcslcpy(buffer, videodata->ime_composition, len + 1);
SDL_wcslcat(buffer, videodata->ime_readingstring, sizeof(buffer));
SDL_wcslcat(buffer, &videodata->ime_composition[len], sizeof(buffer) - len);
SDL_wcslcat(buffer, videodata->ime_readingstring, size);
SDL_wcslcat(buffer, &videodata->ime_composition[len], size);
else {
SDL_wcslcpy(buffer, videodata->ime_composition, sizeof(videodata->ime_composition));
SDL_wcslcpy(buffer, videodata->ime_composition, size);
s = WIN_StringToUTF8(buffer);
SDL_SendEditingText(s, videodata->ime_cursor + SDL_wcslen(videodata->ime_readingstring), 0);
@@ -1052,7 +1055,7 @@ STDMETHODIMP UIElementSink_UpdateUIElement(TSFSink *sink, DWORD dwUIElementId)
BSTR bstr;
if (SUCCEEDED(preading->lpVtbl->GetString(preading, &bstr)) && bstr) {
WCHAR *s = (WCHAR *)bstr;
SDL_wcslcpy(videodata->ime_readingstring, s, sizeof(videodata->ime_readingstring));
SDL_wcslcpy(videodata->ime_readingstring, s, SDL_arraysize(videodata->ime_readingstring));

0 comments on commit 0890931

Please sign in to comment.