From b38d47e94cf6848dddeaa7aa50301456130715a9 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Sat, 6 Jul 2019 19:11:56 +0100
Subject: [PATCH] winpgntc: check the length field in agent responses.

If the agent sent a response whose length field describes an interval of memory larger than the file-mapping object the message is supposed to be stored in, we shouldn't return that message to the client as if nothing is wrong. Treat that the same as a failure to receive any response at all.
---
 windows/winpgntc.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/windows/winpgntc.c b/windows/winpgntc.c
index db1cda6f..05608831 100644
--- a/windows/winpgntc.c
+++ b/windows/winpgntc.c
@@ -109,13 +109,24 @@ agent_pending_query *agent_query(
      */
     id = SendMessage(hwnd, WM_COPYDATA, (WPARAM) NULL, (LPARAM) &cds);
     if (id > 0) {
-        retlen = 4 + GET_32BIT_MSB_FIRST(p);
-        ret = snewn(retlen, unsigned char);
-        if (ret) {
+        uint32_t length_field = GET_32BIT_MSB_FIRST(p);
+        if (length_field > 0 && length_field <= AGENT_MAX_MSGLEN - 4) {
+            retlen = length_field + 4;
+            ret = snewn(retlen, unsigned char);
             memcpy(ret, p, retlen);
-            *out = ret;
-            *outlen = retlen;
-        }
+            *out = ret;
+            *outlen = retlen;
+        } else {
+            /*
+             * If we get here, we received an out-of-range length
+             * field, either without space for a message type code or
+             * overflowing the FileMapping.
+             *
+             * Treat this as if Pageant didn't answer at all - which
+             * actually means we do nothing, and just don't fill in
+             * out and outlen.
+             */
+        }
     }
     UnmapViewOfFile(p);
     CloseHandle(filemap);
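Review bot: The new bound `length_field <= AGENT_MAX_MSGLEN - 4` is only a correct memory-safety check for the following `memcpy(ret, p, retlen)` if the file mapping `p` views was created with at least AGENT_MAX_MSGLEN bytes, and that creation is outside this hunk, so the two sites can silently drift apart. I would tie them together with a comment on the new `if`, e.g. `/* AGENT_MAX_MSGLEN must match the size passed to CreateFileMapping for this view, otherwise memcpy can read past the mapping */`, or derive the limit from the same variable used at the mapping's creation. The empty `else { /* ... */ }` body only works as "do nothing" if `*out`/`*outlen` were already initialised earlier in agent_query, which the hunk does not show; a one-line note in that comment saying so would spare the next reader a search. agent_query both starts and ends outside this hunk.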