Fix memory overread in registry.rb

The terminator is not actually getting filled in; we're simply passing (two) bytes of empty memory as the NUL terminator. This can lead to garbage characters getting written to registry values. Fix this by explicitly putting a WCHAR_NUL character into the string to be sent to the registry API, like we do in the MULTI_SZ case. [Bug #20096]
ruby · Dec 28, 2023 · 051a874 · 051a874
1 parent 67026af
commit 051a874
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/ext/win32/lib/win32/registry.rb b/ext/win32/lib/win32/registry.rb
@@ -740,14 +740,11 @@ def read_bin(name)
     # method returns.
     #
     def write(name, type, data)
-      termsize = 0
       case type
       when REG_SZ, REG_EXPAND_SZ
-        data = data.encode(WCHAR)
-        termsize = WCHAR_SIZE
+        data = data.encode(WCHAR) << WCHAR_NUL
       when REG_MULTI_SZ
         data = data.to_a.map {|s| s.encode(WCHAR)}.join(WCHAR_NUL) << WCHAR_NUL
-        termsize = WCHAR_SIZE
       when REG_BINARY, REG_NONE
         data = data.to_s
       when REG_DWORD
@@ -759,7 +756,7 @@ def write(name, type, data)
       else
         raise TypeError, "Unsupported type #{Registry.type2name(type)}"
       end
-      API.SetValue(@hkey, name, type, data, data.bytesize + termsize)
+      API.SetValue(@hkey, name, type, data, data.bytesize)
     end
 
     #