On Tue, 9 Nov 2021 16:57:58 GMT, Kevin Rushforth <k...@openjdk.org> wrote:
> This bug is caused by not sanity checking the data returned by a call to the
> Windows Clipboard `IDataObject::GetData` method. When requesting a file
> descriptor with a format of either `CFSTR_FILEDESCRIPTORA` or
> `CFSTR_FILEDESCRIPTORW`, which returns a list of file names, the first word
> of the returned data buffer is supposed to be the number of items that
> follow. Applications can put data on the clipboard in such a way that it will
> respond to a request to return the list of files from the clipboard with data
> that isn't formatted correctly, so we can't assume that the first word is a
> valid count.
>
> The fix is to check the returned buffer size against the item count. I added
> a regression test that fails before and passes after the fix.

This pull request has now been integrated.

Changeset: effcc866
Author:    Kevin Rushforth <k...@openjdk.org>
URL:       https://git.openjdk.java.net/jfx/commit/effcc86667f0ed7cf2899384fbc5fd97b8c9f7b5
Stats:     115 lines in 3 files changed: 111 ins; 0 del; 4 mod

8274929: Crash while reading specific clipboard content

Reviewed-by: mstrauss, arapte, pbansal

-------------

PR: https://git.openjdk.java.net/jfx/pull/662
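
The kind of check the quoted description refers to, sketched in portable C as an added example; it is not the code from the changeset. The function names, parameters, the 32-bit count and the 16-byte record size in the sample are assumptions; on Windows the record size would be `sizeof(FILEDESCRIPTORA)` or `sizeof(FILEDESCRIPTORW)`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed layout: a 32-bit item count followed by `count` fixed-size
 * records. Stores the count in *out and returns 1 only if the buffer is
 * large enough to hold every record the count claims; returns 0 otherwise.
 * (Hypothetical helper, not an OpenJFX or Windows API.)
 */
int checked_item_count(const unsigned char *buf, size_t buf_size,
                       size_t record_size, uint32_t *out)
{
    uint32_t count;

    if (buf == NULL || out == NULL || record_size == 0)
        return 0;
    if (buf_size < sizeof(count))
        return 0;                       /* too short to hold the count itself */

    memcpy(&count, buf, sizeof(count)); /* copy out: buffer may be unaligned */

    /* Divide instead of multiplying so count * record_size cannot overflow. */
    if (count > (buf_size - sizeof(count)) / record_size)
        return 0;                       /* count claims more data than returned */

    *out = count;
    return 1;
}

/* Constructed sample data: 16-byte records, first word set to `claimed`. */
enum { REC = 16, MAX_BUF = 4 + 4 * REC };

long long demo(uint32_t claimed, size_t buf_size)
{
    unsigned char buf[MAX_BUF] = {0};
    uint32_t n = 0;

    if (buf_size > sizeof(buf))
        buf_size = sizeof(buf);
    memcpy(buf, &claimed, sizeof(claimed));
    return checked_item_count(buf, buf_size, REC, &n) ? (long long)n : -1;
}

int main(void)
{
    printf("count=2, 36 bytes: %lld\n", demo(2, 36));          /* accepted */
    printf("count=0xFFFFFFFF, 36 bytes: %lld\n", demo(0xFFFFFFFFu, 36));
    return 0;
}
```
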