author | Xavier Roche <xroche@users.noreply.github.com> | 2013-04-29 16:39:16 +0000 |
---|---|---|
committer | Xavier Roche <xroche@users.noreply.github.com> | 2013-04-29 16:39:16 +0000 |
commit | d6857037170a755ae2a704bfd3a02f86c0b8eb21 (patch) | |
tree | 2b7fd6da46c1b0911d0032b2aa9b4cc468d14fe8 /src/htsmodules.c | |
parent | 117c43f3e67893449b6d95cc09255f192e010138 (diff) |
Fixed possible DLL local injection on Windows due to broken LoadLibrary() API (CVE-2010-5252)
Diffstat (limited to 'src/htsmodules.c')
-rw-r--r-- | src/htsmodules.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/htsmodules.c b/src/htsmodules.c
index f2524b7..ea75a7f 100644
--- a/src/htsmodules.c
+++ b/src/htsmodules.c
@@ -251,7 +251,17 @@ void htspe_init(void) {
 static int initOk = 0;
 if (!initOk) {
 initOk = 1;
-
+
+ /* See CVE-2010-5252 */
+#if (defined(_WIN32) && (!defined(_DEBUG)))
+ /* See KB 2389418
+ "If this parameter is an empty string (""), the call removes the
+ current directory from the default DLL search order" */
+ if (!SetDllDirectory("")) {
+ assertf(! "SetDllDirectory failed");
+ }
+#endif
+
 /* Zlib is now statically linked */
 gz_is_available = 1;
|
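Review bot: The `#if (defined(_WIN32) && (!defined(_DEBUG)))` guard leaves debug builds with the current directory still in the DLL search order, and nothing in the hunk says why; if that is deliberate, it should be stated next to the guard, e.g. `/* Debug builds keep the CWD in the DLL search order on purpose; do not ship them */`. The call only affects LoadLibrary() lookups made after htspe_init() first runs, so any module loaded earlier in startup would still be resolved with the old search order; that ordering cannot be checked from this hunk and is worth confirming at the call sites. SetDllDirectory("") removes only the current directory and leaves PATH lookups in place, so building an absolute path for each plugin load remains the stronger fix. Failing closed through `assertf` is the right choice here, provided `assertf` is not compiled out in release builds, which is exactly where this branch is active. htspe_init's body continues outside the hunk.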