On Tue, 9 Nov 2021 23:46:18 GMT, Michael Strauß <mstra...@openjdk.org> wrote:
>> This bug is caused by not sanity checking the data returned by a call to the
>> Windows Clipboard `IDataObject::GetData` method. When requesting a file
>> descriptor with a format of either `CFSTR_FILEDESCRIPTORA` or
>> `CFSTR_FILEDESCRIPTORW`, which returns a list of file names, the first word
>> of the returned data buffer is supposed to be the number of items that
>> follow. Applications can put data on the clipboard in such a way that it
>> will respond to a request to return the list of files from the clipboard
>> with data that isn't formatted correctly, so we can't assume that the first
>> word is a valid count.
>>
>> The fix is to check the returned buffer size against the item count. I added
>> a regression test that fails before and passes after the fix.
>
> modules/javafx.graphics/src/main/native-glass/win/GlassClipboard.cpp line 1307:
>
>> 1305: jsize bufferSize = me.size() - sizeof(UINT);
>> 1306: if ((pdata->cItems > 0) &&
>> 1307:     (bufferSize / pdata->cItems >= itemSize))
>
> Instead of discarding all the data, have you considered reading
> `min(pdata->cItems, bufferSize / itemSize)` items?

I thought about it, but since failing this test means that `cItems` is invalid, there is no reason to believe that the data that follows it is any less invalid.

-------------

PR: https://git.openjdk.java.net/jfx/pull/662
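The check discussed in the review above, restated as an added, stand-alone example; this is not code from the jfx project or from PR 662. It models the `CFSTR_FILEDESCRIPTOR` layout (a `UINT` count word followed by fixed-size entries) with a shortened stand-in struct, `FakeFileDescriptor`, so it runs anywhere; the real Windows `FILEDESCRIPTOR` is much larger, but only the "count then entries" shape matters for the check. `build_group`, `naive_item_count`, `checked_item_count` and `product_check_accepts` are names chosen here, and the hostile count `0x40000000` is constructed to show why the division form of the check (`bufferSize / cItems >= itemSize`) is preferable to the product form (`cItems * itemSize <= bufferSize`): with a 36-byte entry, `0x40000000 * 36` is exactly `9 * 2^32`, so a 32-bit product wraps to 0 and the bogus count would be accepted.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t UINT;

/* Shortened stand-in for a FILEDESCRIPTOR entry (assumption: the real Windows
 * struct has many more fields and a MAX_PATH name; only "fixed-size entries
 * after a count word" matters for the check). sizeof is 36 bytes here. */
typedef struct {
    uint32_t dwFlags;
    uint16_t cFileName[16];
} FakeFileDescriptor;

/* Constructed test data: writes a FILEGROUPDESCRIPTOR-shaped buffer whose
 * count word advertises 'advertised' items but which actually holds 'actual'
 * entries. Returns bytes written, or 0 if 'cap' is too small. */
static size_t build_group(unsigned char *out, size_t cap, UINT advertised, size_t actual) {
    size_t need = sizeof(UINT) + actual * sizeof(FakeFileDescriptor);
    if (need > cap) return 0;
    memcpy(out, &advertised, sizeof advertised);
    for (size_t i = 0; i < actual; i++) {
        FakeFileDescriptor fd;
        memset(&fd, 0, sizeof fd);
        fd.dwFlags = 0x80000000u;                 /* arbitrary non-zero flag bits */
        fd.cFileName[0] = (uint16_t)('a' + i);
        memcpy(out + sizeof(UINT) + i * sizeof fd, &fd, sizeof fd);
    }
    return need;
}

/* Pre-fix behaviour: trust the count word and report it unchanged. A caller
 * that loops over this many entries reads far past a short buffer. */
static size_t naive_item_count(const unsigned char *buf, size_t size) {
    UINT cItems;
    if (size < sizeof(UINT)) return 0;
    memcpy(&cItems, buf, sizeof cItems);
    return cItems;
}

/* Post-fix check, as quoted in the review: the bytes after the count word
 * must be able to hold cItems entries of itemSize bytes each. Written as a
 * division so a hostile cItems cannot overflow a multiplication. Returns
 * cItems when the buffer is consistent, 0 otherwise (the whole list is
 * discarded, matching the PR author's decision). */
static size_t checked_item_count(const unsigned char *buf, size_t size, size_t itemSize) {
    UINT cItems;
    if (size < sizeof(UINT)) return 0;            /* not even a count word */
    memcpy(&cItems, buf, sizeof cItems);
    size_t bufferSize = size - sizeof(UINT);
    if (cItems > 0 && bufferSize / cItems >= itemSize) return cItems;
    return 0;                                     /* count is not trustworthy */
}

/* The product form of the same check in 32-bit arithmetic: returns 1 when the
 * (possibly wrapped) product "fits", which is exactly the bug a large cItems
 * exploits. */
static int product_check_accepts(uint32_t cItems, uint32_t itemSize, uint32_t bufferSize) {
    uint32_t needed = cItems * itemSize;          /* wraps modulo 2^32 */
    return needed <= bufferSize;
}

int main(void) {
    unsigned char buf[256];
    size_t n;

    n = build_group(buf, sizeof buf, 2, 2);
    printf("honest buffer:  naive=%zu checked=%zu\n",
           naive_item_count(buf, n),
           checked_item_count(buf, n, sizeof(FakeFileDescriptor)));

    /* 0x40000000 * 36 == 9 * 2^32, so the 32-bit product wraps to 0. */
    n = build_group(buf, sizeof buf, 0x40000000u, 2);
    printf("hostile buffer: naive=%zu checked=%zu product_check_accepts=%d\n",
           naive_item_count(buf, n),
           checked_item_count(buf, n, sizeof(FakeFileDescriptor)),
           product_check_accepts(0x40000000u, (uint32_t)sizeof(FakeFileDescriptor),
                                 (uint32_t)(n - sizeof(UINT))));
    return 0;
}
```

Note that `checked_item_count` accepts a buffer with trailing bytes that are not a whole entry (it only requires room for `cItems` entries), and rejects `cItems == 0` outright, both of which mirror the quoted condition rather than tightening it.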