Fix buffer overflow in the ANSI boot.config redirect hook#106
Merged
ManlyMarco merged 2 commits on Jun 22, 2026
Conversation
create_file_hook_narrow memcpy'd the override path into the caller's lpFileName buffer, overflowing it when the override is longer than the original path. Point actual_file_name at our own narrowed buffer (mirroring create_file_hook) and free it after the CreateFileA call.
ManlyMarco reviewed Jun 22, 2026
Comment on lines +118 to +120
| // Point at our own override buffer (mirrors create_file_hook). The old | ||
| // memcpy wrote the override into the caller's lpFileName buffer, which | ||
| // overflows it whenever the override path is longer than the original. |
Collaborator
Comments shouldn't reference replaced code and explain why it was changed, this should be in the commit or PR description instead. Code comments should exclusively refer to the current code and its behavior.
Collaborator
I think it can just be removed since it offers no insight into what the code is doing currently.
Suggested change
| // Point at our own override buffer (mirrors create_file_hook). The old | |
| // memcpy wrote the override into the caller's lpFileName buffer, which | |
| // overflows it whenever the override path is longer than the original. |
ManlyMarco approved these changes Jun 22, 2026
What

create_file_hook_narrow memcpy'd the boot.config override into the caller's lpFileName buffer, overflowing it when the override path is longer than the original — an out-of-bounds write into the game's memory.

Fix

Point actual_file_name at our own narrowed override buffer (mirroring the wide create_file_hook) and free it after the CreateFileA call, instead of writing into the caller's buffer.

Fixes #105
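As an added illustration of the pattern the fix describes (not code from this PR or the project): a simulated narrow CreateFileA hook that redirects boot.config to an override path held in the hook's own heap buffer, frees it after the call, and never writes into the caller's lpFileName. `fake_create_file`, `create_file_hook_narrow_sim`, `make_redirect_path` and `OVERRIDE_PATH` are stand-ins invented for the example; the caller's buffer is assumed to hold only the original string plus its terminator.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OVERRIDE_PATH "C:\\override\\boot.config"  /* hypothetical override path */

static char g_last_opened[512];   /* path the CreateFileA stand-in was asked to open */

/* Stand-in for the original CreateFileA (not the Windows API); returns the path
 * length as a fake handle so the caller can see which file was opened. */
static int fake_create_file(const char *path) {
    snprintf(g_last_opened, sizeof g_last_opened, "%s", path);
    return (int)strlen(path);
}

/* The caller's buffer is only known to hold the original string plus its NUL;
 * copying a longer override into it is an out-of-bounds write. */
bool override_fits_in_caller_buffer(const char *lpFileName, const char *override_path) {
    return strlen(override_path) <= strlen(lpFileName);
}

/* Heap copy of the override path when lpFileName names boot.config, else NULL.
 * The hook owns this buffer, so the caller's lpFileName is never written. */
char *make_redirect_path(const char *lpFileName, const char *override_path) {
    if (lpFileName == NULL || override_path == NULL) return NULL;
    const char *base = lpFileName;
    for (const char *p = lpFileName; *p; p++)      /* skip to the last separator */
        if (*p == '\\' || *p == '/') base = p + 1;
    if (strcmp(base, "boot.config") != 0) return NULL;
    size_t len = strlen(override_path);
    char *buf = malloc(len + 1);
    if (buf != NULL) memcpy(buf, override_path, len + 1);
    return buf;
}

typedef int (*create_file_fn)(const char *path);

/* Simulated narrow hook in the fixed shape: actual_file_name points at our own
 * buffer (or the untouched caller string) and the buffer is freed after the call. */
int create_file_hook_narrow_sim(const char *lpFileName, const char *override_path,
                                create_file_fn real_create_file) {
    char *redirect = make_redirect_path(lpFileName, override_path);
    const char *actual_file_name = redirect != NULL ? redirect : lpFileName;
    int handle = real_create_file(actual_file_name);
    free(redirect);
    return handle;
}
```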