From 808aa08cc0b68ec2640f7b3be6759c803f5cdb34 Mon Sep 17 00:00:00 2001
From: James Ross-Gowan
Date: Tue, 7 Jan 2014 23:26:26 +1100
Subject: w32: use safe DLL search paths everywhere

Windows applications that use LoadLibrary are vulnerable to DLL preloading attacks if a malicious DLL with the same name as a system DLL is placed in the current directory. mpv had some code to avoid this in ao_wasapi.c. This commit just moves it to main.c, since there's no reason it can't be used process-wide. This change can affect how plugins are loaded in AviSynth, but it shouldn't be a problem since MPC-HC also does this and it's a very popular AviSynth client.
---
 audio/out/ao_wasapi.c | 17 -----------------
 player/main.c | 21 +++++++++++++++++++++
 2 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/audio/out/ao_wasapi.c b/audio/out/ao_wasapi.c
index 3d0d1ddf3d..7729eb2bda 100644
--- a/audio/out/ao_wasapi.c
+++ b/audio/out/ao_wasapi.c
@@ -36,10 +36,6 @@
 #include "misc/ring.h"
 #include "ao.h"
-#ifndef BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE
-#define BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE 0x00000001
-#endif
-
 #ifndef PKEY_Device_FriendlyName
 DEFINE_PROPERTYKEY(PKEY_Device_FriendlyName, 0xa45c254e, 0xdf1c, 0x4efd, 0x80, 0x20,
@@ -136,17 +132,6 @@ static int fill_VistaBlob(wasapi_state *state)
 {
 if (!state)
 return 1;
- HMODULE hkernel32 = GetModuleHandleW(L"kernel32.dll");
- if (!hkernel32)
- return 1;
- WINBOOL (WINAPI *pSetDllDirectory)(LPCWSTR lpPathName) =
- (WINBOOL (WINAPI *)(LPCWSTR))GetProcAddress(hkernel32, "SetDllDirectoryW");
- WINBOOL (WINAPI *pSetSearchPathMode)(DWORD Flags) =
- (WINBOOL (WINAPI *)(DWORD))GetProcAddress(hkernel32, "SetSearchPathMode");
- if (pSetSearchPathMode)
- pSetDllDirectory(L""); /* Attempt to use safe search paths */
- if (pSetSearchPathMode)
- pSetSearchPathMode(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE);
 state->VistaBlob.hAvrt = LoadLibraryW(L"avrt.dll");
 if (!state->VistaBlob.hAvrt)
 goto exit_label;
@@ -160,8 +145,6 @@ static int fill_VistaBlob(wasapi_state *state)
 exit_label:
 if (state->VistaBlob.hAvrt)
 FreeLibrary(state->VistaBlob.hAvrt);
- if (pSetSearchPathMode)
- pSetDllDirectory(NULL);
 return 1;
 }
diff --git a/player/main.c b/player/main.c
index 2c93a67ca6..4c27ec3e19 100644
--- a/player/main.c
+++ b/player/main.c
@@ -78,6 +78,14 @@
 #if defined(__MINGW32__) || defined(__CYGWIN__)
 #include
+
+#ifndef BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE
+#define BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE (0x0001)
+#endif
+
+#ifndef BASE_SEARCH_PATH_PERMANENT
+#define BASE_SEARCH_PATH_PERMANENT (0x8000)
+#endif
 #endif
 const char mp_help_text[] =
@@ -264,6 +272,19 @@ static void osdep_preinit(int *p_argc, char ***p_argv)
 // Enable heap corruption detection
 HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);
+
+ HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");
+ WINBOOL (WINAPI *pSetDllDirectory)(LPCWSTR lpPathName) =
+ (WINBOOL (WINAPI *)(LPCWSTR))GetProcAddress(kernel32, "SetDllDirectoryW");
+ WINBOOL (WINAPI *pSetSearchPathMode)(DWORD Flags) =
+ (WINBOOL (WINAPI *)(DWORD))GetProcAddress(kernel32, "SetSearchPathMode");
+
+ // Always use safe search paths for DLLs and other files, ie. never use the
+ // current directory
+ if (pSetSearchPathMode)
+ pSetDllDirectory(L"");
+ if (pSetSearchPathMode)
+ pSetSearchPathMode(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE);
 #endif
 terminal_init();
--
cgit v1.2.3
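Review bot: `BASE_SEARCH_PATH_PERMANENT` is defined in the `@@ -78,6 +78,14 @@` hunk of player/main.c, but no visible line of the patch uses it; the call added in `osdep_preinit` passes only `BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE`. Without the permanent flag, a later `SetSearchPathMode` call from any code in the process (a loaded plugin, for instance) can turn safe search mode off again. Either pass both flags, `pSetSearchPathMode(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT);`, or drop the unused define. A one-line comment above the two fallback defines, such as `// Fallbacks for toolchain headers that lack the SetSearchPathMode flags`, would explain why they are here.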
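Review bot: The first guard added in the `@@ -264,6 +272,19 @@` hunk tests the wrong pointer: `if (pSetSearchPathMode)` sits in front of `pSetDllDirectory(L"");`, a pattern carried over unchanged from the removed ao_wasapi.c code. On a system that exports `SetDllDirectoryW` but not `SetSearchPathMode` the call is skipped and the current directory stays in the DLL search path, and `pSetDllDirectory` itself is never checked before it is called; the guard should be `if (pSetDllDirectory)`. The old `if (!hkernel32) return 1;` check has no counterpart here, and the BOOL results of both calls are discarded, so a failure silently leaves the process on the default search order; a warning on failure would make that visible. `osdep_preinit` starts and ends outside the hunk.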