Memory overrun on clipboard paste operation #10590
Comments
The issue template should be used to provide the instructions to reproduce what you describe above.
What do you mean by "cannot be reproduced"? It is 100% reproducible, since there are really no size checks in the code. By the way, Notepad++ has other places where it gets data from the clipboard with appropriate checks, but in the three above it doesn't.
What is the way for me as a Notepad++ user to do this?
No program should trust incoming data and use it without sanity checks. It's common knowledge in safe programming, and I assume Notepad++ follows it too (or should). Do you really need a working PoC for this simple bug?
Compile and run the program. What you expect to see:
It needs no reproduction. It's already confirmed in the source code, dude.
Look at this original Notepad++ code in the file PowerEditor/src/Notepad_plus.cpp:
It seems the memory overrun issue exists due to interrupted work. In fact, the developer wanted to check the clipboard data size but forgot about it.
I have compiled and used your PoC but cannot reproduce the issue you showed.
The bug still exists in the Notepad++ code; your logic is not logic. :-) I found the issue in the real application (not in the PoC), got the Notepad++ sources, debugged it and confirmed it in the Notepad++ code: it's unfinished size-check code (see above). I fixed it in that place and in other similar places, created a Git fork, committed, and created a pull request to the original repository. I did all the work you should have done long ago, and you rejected it; I just don't understand why.
Notepad++ does not strictly check the size of incoming clipboard data and relies only on the string zero terminator (GetClipboardData()). So if no zero terminator is included in the clipboard, by mistake or by evil deed, Notepad++ can read a much bigger chunk of memory than expected. This shows up as garbage symbols after the pasted text. This can even provoke security issues.
Suggested fix: 09fcd05
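The check the report says is missing, as an added example (not Notepad++ code and not the linked fix): bound the paste by the clipboard block's size instead of trusting that a terminator exists. On Windows that size would come from GlobalSize(hglb) after GlobalLock(); here it is passed in as a parameter so the example builds and runs anywhere, and the clipboard block, its neighbouring memory and the UTF-16 sample are all constructed. The function and variable names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; not Notepad++ code. Models the missing check: bound the
 * paste by the clipboard block size rather than by a terminator. On Windows
 * the size would be GlobalSize(hglb) after GlobalLock(); here it is a
 * parameter. All sample data below is constructed. */

/* Count characters of `unit` bytes each (1 for CF_TEXT, 2 for CF_UNICODETEXT)
 * up to the first all-zero unit inside the block. If no terminator lies inside
 * the block, return the number of whole units and set *terminated to 0.
 * Never reads past alloc_bytes. */
size_t bounded_text_len(const void *block, size_t alloc_bytes, size_t unit, int *terminated)
{
    const unsigned char *p = (const unsigned char *)block;
    size_t units = alloc_bytes / unit;   /* a trailing partial unit is ignored */
    for (size_t i = 0; i < units; i++) {
        int zero = 1;
        for (size_t b = 0; b < unit; b++)
            zero &= (p[i * unit + b] == 0);
        if (zero) {
            if (terminated) *terminated = 1;
            return i;
        }
    }
    if (terminated) *terminated = 0;
    return units;
}

/* Copy CF_TEXT-style bytes into a fresh buffer that is always terminated.
 * Policy for a missing terminator: truncate at the block end (rejecting the
 * paste is the other sane option). Caller frees the result. */
char *paste_bounded(const void *block, size_t alloc_bytes)
{
    size_t n = bounded_text_len(block, alloc_bytes, 1, NULL);
    char *out = (char *)malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, block, n);
    out[n] = '\0';
    return out;
}

/* Constructed "heap": an 8-byte clipboard block with NO terminator sitting
 * right before unrelated memory, so the overrun is visible. */
struct fake_heap {
    char clip[8];        /* what GetClipboardData() would hand back */
    char neighbour[16];  /* whatever happens to follow it in memory */
};
static struct fake_heap HEAP = { {'p','a','s','t','e','d','!','!'}, "LEAKED" };

/* What the report describes: trusting the terminator walks off the block and
 * pulls in the neighbouring bytes (8 + 6 = 14 here). */
size_t unsafe_paste_len(void)
{
    return strlen((const char *)&HEAP);
}

/* Same block, bounded by its size: stops at 8. */
size_t bounded_paste_len(void)
{
    return bounded_text_len(HEAP.clip, sizeof HEAP.clip, 1, NULL);
}

/* 1 if paste_bounded() yields exactly the 8 clipboard bytes and nothing more. */
int bounded_paste_is_exact(void)
{
    char *s = paste_bounded(HEAP.clip, sizeof HEAP.clip);
    int ok = (s != NULL) && strcmp(s, "pasted!!") == 0;
    free(s);
    return ok;
}

/* UTF-16 sample: U+0100, 'b', terminator, then junk. The U+0100 unit contains
 * a zero byte, so a byte-wise scan would stop too early; per-unit it is 2. */
static const uint16_t CLIP_UTF16[] = { 0x0100u, 0x0062u, 0x0000u, 0x007Au };
static const char CLIP_TERMINATED[] = "hello";

int main(void)
{
    int term = 0;
    printf("unsafe strlen over the block: %zu\n", unsafe_paste_len());
    printf("bounded length: %zu\n", bounded_paste_len());
    size_t w = bounded_text_len(CLIP_UTF16, sizeof CLIP_UTF16, 2, &term);
    printf("utf-16 length: %zu (terminated=%d)\n", w, term);
    return 0;
}
```

In the real paste path the same idea applies per format: for CF_UNICODETEXT the bound is GlobalSize(hglb) / sizeof(wchar_t) units, and a block whose terminator is absent should be truncated or refused, never scanned onward with a length-unaware string constructor.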