From d6857037170a755ae2a704bfd3a02f86c0b8eb21 Mon Sep 17 00:00:00 2001
From: Xavier Roche <xroche@users.noreply.github.com>
Date: Mon, 29 Apr 2013 16:39:16 +0000
Subject: Fixed possible DLL local injection on Windows due to broken
 LoadLibrary() API (CVE-2010-5252)

---
 src/htsmodules.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'src/htsmodules.c')

diff --git a/src/htsmodules.c b/src/htsmodules.c
index f2524b7..ea75a7f 100644
--- a/src/htsmodules.c
+++ b/src/htsmodules.c
@@ -251,7 +251,17 @@ void htspe_init(void) {
   static int initOk = 0;
   if (!initOk) {
     initOk = 1;
-    
+
+    /* See CVE-2010-5252 */
+#if (defined(_WIN32) && (!defined(_DEBUG)))
+    /* See KB 2389418
+     "If this parameter is an empty string (""), the call removes the 
+     current directory from the default DLL search order" */
+    if (!SetDllDirectory("")) {
+      assertf(! "SetDllDirectory failed");
+    }
+#endif
+ 
     /* Zlib is now statically linked */
     gz_is_available = 1;
 
-- 
cgit v1.2.3