__getmainargs() parses the command line from the return value of
GetCommandLineA() which uses best-fit mapping when converting the
native wide-char command line to the process code page. This can
create security issues. For example, fullwidth quotation mark (U+FF02)
may get converted to ASCII quotation mark (U+0022), which will break
argument quoting and can result in argument injection, for example,
if malicious filenames are passed as an argument to a program. There
are other security issues with best-fit mapping too.
Call __wgetmainargs() to get wide-argv and convert it to narrow-argv
without best-fit mapping. If conversion isn't lossless, print an
error message and _exit(255) without calling main() at all. While
this might not be ideal with every application, with most applications
a lossy conversion would be a "garbage in, garbage out" situation.
For example, lossy conversion of filenames doesn't make any sense.
Note that if _dowildcard is set, then filenames from wildcard expansion
can prevent the application from running if those filenames contain
characters that cannot be converted losslessly.
Setting the process code page to UTF-8 using an application manifest
would also fix the issue (apart from unpaired surrogates which are
invalid UTF-16 but legal on Windows command line and in filenames).
Setting UTF-8 in a manifest is only supported on Windows 10 version 1903
and later, and switching to UTF-8 could create new issues in some apps.
The method in this commit works on old Windows versions too. Even with
UTF-8, this commit matters because it blocks unpaired surrogates on the
command line.
The best-fit conversion issue affects a large number of applications
that use main() instead of wmain(). It's better to fix the issue at
toolchain level instead of trying to fix every application separately.
Examples of applications where this has already been reported:
- The report about the issue in curl has more technical details:
https://hackerone.com/reports/2550951
- In XZ Utils the issue was already solved by setting UTF-8 code page:
https://tukaani.org/xz/#_argument_injection_on_windows
(CVE-2024-47611)
Thanks to Orange Tsai and splitline from DEVCORE Research Team
for discovering this issue.
Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
Signed-off-by: LIU Hao <lh_mouse@126.com>
Using SetThreadDescription has the advantage that on recent Visual
Studio / Windows, the thread name is always available regardless of
whether a debugger was attached, is also available in crash dumps, and
to other tools.
Quoting MSDN at Set a thread name in C/C++:
https://learn.microsoft.com/en-us/visualstudio/debugger/tips-for-debugging-threads?view=vs-2022&tabs=csharp#set-a-thread-name-in-cc
> There are two ways to set a thread name. The first is via the
> SetThreadDescription function. The second is by throwing a
> particular exception while the Visual Studio debugger is attached to
> the process. Each approach has benefits and caveats. The use of
> SetThreadDescription is supported starting in Windows 10 version
> 1607 or Windows Server 2016.
>
> It's worth noting that both approaches can be used together, if
> desired, since the mechanisms by which they work are independent of
> each other.
Signed-off-by: Antonin Décimo <antonin@tarides.com>
Signed-off-by: LIU Hao <lh_mouse@126.com>
This commit moves `__mingw_has_sse()` to a separate file, and makes its
result cacheable.
SSE is required for x86-64, and can be enabled for x86-32 by passing `-msse`
to GCC. On ARM and ARM64 it's always absent. A macro is defined if it would
be known to return a constant.
Co-authored-by: Morilli <molli.bender@gmail.com>
Signed-off-by: LIU Hao <lh_mouse@126.com>
Fix ULongToChar to return -1 on overflow, like it does in the SDK.
Fix LongLongToUIntPtr and LongLongToULongPtr so they work on 32-bit.
Remove about 150 macros added this year that just redefine an existing function.
Signed-off-by: Jacek Caban <jacek@codeweavers.com>
45629c13ef added this macro in tbs.h, causing
a warning about redefinition:
mingw-w64-headers/include/tbs.h:63: warning: "TBS_SUCCESS" redefined
63 | #define TBS_SUCCESS 0
No Windows SDK has this macro in winerror.h, so this macro in winerror.h
should be removed, and the one in tbs.h is preferred.
Signed-off-by: LIU Hao <lh_mouse@126.com>
The _l suffixed wchar ctype functions, such as _iswalpha_l,
are available in msvcrt.dll, but only since Vista. They're also
available in the properly versioned msvcrt versions since
msvcr80.dll.
This fixes building libc++ for msvcrt.dll, after the recent
changes in f1df976e39.
Signed-off-by: Martin Storsjö <martin@martin.st>
Now this file contains only tzset() and _tzset() functions and
tzname/timezone/daylight global variables.
Signed-off-by: Martin Storsjö <martin@martin.st>
Also add missing __MINGW_ATTRIB_NORETURN attribute into header file
internal.h where is function _amsg_exit() declared.
Signed-off-by: Martin Storsjö <martin@martin.st>
Pre-msvcr80.dll builds, including msvcrt.dll builds use _get_output_format()
implementation from mingw-w64 output_format.c source file. Use it also for
UCRT builds instead of current stub in ucrt_compat.c.
Signed-off-by: Martin Storsjö <martin@martin.st>
These functions and macros were added in MSVCR80.DLL and were not available
in MSVCRT.DLL from Windows XP.
This closes https://github.com/mingw-w64/mingw-w64/issues/60.
Signed-off-by: LIU Hao <lh_mouse@126.com>
For more D2DERR_* macros defined in d2derr.h, warnings is:
In file included from mingw-w64-headers/include/d2d1.h:20,
from mingw-w64-headers/include/d2d1_1.h:10,
from libsrc/uuid.c:29:
mingw-w64-headers/include/d2derr.h:16: warning: "D2DERR_BAD_NUMBER" redefined
#define D2DERR_BAD_NUMBER 0x88990011
In file included from mingw-w64-headers/include/winbase.h:2816,
from mingw-w64-headers/include/windows.h:70,
from mingw-w64-headers/include/rpc.h:16,
from mingw-w64-headers/include/credentialprovider.h:7,
from libsrc/uuid.c:17:
mingw-w64-headers/include/winerror.h:4713: note: this is the location of the previous definition
#define D2DERR_BAD_NUMBER _HRESULT_TYPEDEF_(0x88990011)
Add guards in winerror.h and d2derr.h to not define same macros multiple times.
Signed-off-by: LIU Hao <lh_mouse@126.com>
Header file sys/timeb_s.h defines _ftime_s only as a macro which expands
either to _ftime32_s or _ftime64_s based on _USE_32BIT_TIME_T setting.
MS VC++ 2005+ header files also defines only _ftime_s as a macro and do not
provide any _ftime_s function declaration or symbol alias in import library.
_ftime_s symbol alias is currently defined only in mingw-w64 msvcrt.def.in
file, not in any other .def file, neither in UCRT ones.
So _ftime_s symbol alias is not needed in msvcrt.def.in file, remove it.
Signed-off-by: Martin Storsjö <martin@martin.st>
This fixes the following compiler error with gecko.
mozilla-unified/widget/windows/ToastNotification.cpp:832:14: error: no matching member function for call to 'Set'
832 | hr = aumid.Set(mAumid.ref().get());
| ~~~~~~^~~
corewrappers.h:58:25: note: candidate function not viable: no known conversion from
'typename raw_type<char16_t, int>::type' (aka 'char16ptr_t') to 'const HSTRING' (aka 'HSTRING__ *const') for 1st argument
corewrappers.h:53:25: note: candidate function not viable: requires 2 arguments, but 1 was provided
Signed-off-by: Biswapriyo Nath <nathbappai@gmail.com>
Signed-off-by: LIU Hao <lh_mouse@126.com>