internal/syscall/windows/registry: allow for non-null terminated strings

According to MSDN, "If the data has the REG_SZ, REG_MULTI_SZ or
REG_EXPAND_SZ type, this size includes any terminating null character or
characters unless the data was stored without them. [...] If the data
has the REG_SZ, REG_MULTI_SZ or REG_EXPAND_SZ type, the string may not
have been stored with the proper terminating null characters. Therefore,
even if the function returns ERROR_SUCCESS, the application should
ensure that the string is properly terminated before using it;
otherwise, it may overwrite a buffer."

It's therefore dangerous to pass it off unbounded as we do, and in fact
this led to crashes on real systems.

Change-Id: I6d786211814656f036b87fd78631466634cd764a
Reviewed-on: https://go-review.googlesource.com/c/go/+/202937
Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>

diff --git a/src/internal/syscall/windows/registry/value.go b/src/internal/syscall/windows/registry/value.go
index 71d4e15bab16ea5492ab0c979d7357394ded8039..f8431d2c0f2b696662c8799cf697983f15cbb72a 100644 (file)
--- a/src/internal/syscall/windows/registry/value.go
+++ b/src/internal/syscall/windows/registry/value.go
@@ -108,7 +108,7 @@ func (k Key) GetStringValue(name string) (val string, valtype uint32, err error)
        if len(data) == 0 {
                return "", typ, nil
        }
-       u := (*[1 << 29]uint16)(unsafe.Pointer(&data[0]))[:]
+       u := (*[1 << 29]uint16)(unsafe.Pointer(&data[0]))[:len(data)/2]
        return syscall.UTF16ToString(u), typ, nil
 }