Fix issues found by auditing w32notify code

* src/w32inevt.c (handle_file_notifications): Count the number of
events to be returned.
* src/w32notify.c (send_notifications): Don't copy to the file
notification buffer more than it can hold.  (Bug#22534)

diff --git a/src/w32inevt.c b/src/w32inevt.c
index 54b0b13f54e0d859efd2b48c1c2ab08f784b2d99..e714e27f4bc0c1aa2b14d08682c8459c0c46ae39 100644 (file)
--- a/src/w32inevt.c
+++ b/src/w32inevt.c
@@ -660,6 +660,7 @@ handle_file_notifications (struct input_event *hold_quit)
              inev.arg = list3 (make_pointer_integer (notifications_desc),
                                action, fname);
              kbd_buffer_store_event_hold (&inev, hold_quit);
+             nevents++;
 
              if (!fni->NextEntryOffset)
                break;

diff --git a/src/w32notify.c b/src/w32notify.c
index 576cf844dab03e78f75afc35ad40197e19f443b0..71787c45db895017e452786412ad96ab8e29c8e5 100644 (file)
--- a/src/w32notify.c
+++ b/src/w32notify.c
@@ -144,8 +144,9 @@ send_notifications (BYTE *info, DWORD info_size, void *desc,
       if (!notification_buffer_in_use)
        {
          if (info_size)
-           memcpy (file_notifications, info, info_size);
-         notifications_size = info_size;
+           memcpy (file_notifications, info,
+                   min (info_size, sizeof (file_notifications)));
+         notifications_size = min (info_size, sizeof (file_notifications));
          notifications_desc = desc;
          /* If PostMessage fails, the message queue is full.  If that
             happens, the last thing they will worry about is file