fix(clipboard): potential OOB #63

Open
fufesou wants to merge 1 commit into master from fix/clipboard-OOB

Conversation

@fufesou fufesou commented Jun 30, 2026

Owner

Make Windows CLIPRDR format-list mapping growth checked and bounded.

The previous map_ensure_capacity() helper was best-effort: it attempted to grow format_mappings, but returned void. If realloc() failed, the caller kept processing the peer-provided format list. A later iteration could then index past the allocated mapping array.

Changes

  • Validate the peer-provided numFormats before processing.
  • Ensure format_mappings has enough capacity before writing entries.
  • Make map_ensure_capacity() return failure to the caller.
  • Abort format-list processing when capacity growth fails.
  • Check allocation-size overflow before resizing.
  • Zero newly allocated mapping slots, so cleanup is safe after partial handling.
  • Reject malformed lists where numFormats > 0 but formats == NULL.
  • Bound remote format names before measuring/converting them.

Summary by CodeRabbit

  • Bug Fixes
    • Improved clipboard redirection reliability on Windows by adding stricter validation for incoming clipboard formats and names.
    • Added limits to prevent oversized clipboard format lists and overly long format names from causing failures.
    • Safer clipboard format handling now avoids invalid memory growth and handles malformed clipboard data more defensively.
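
The checked-growth pattern the description lists, as an added example (not code from this PR or from wf_cliprdr.c): the `ex_` types, functions and the swappable `ex_realloc` pointer are hypothetical, and the `0x4000` format cap is an assumed value; only the 255-byte name limit comes from the commit message.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define EX_MAX_FORMATS    0x4000u /* assumed cap, not the project's value */
#define EX_MAX_NAME_BYTES 255u    /* atom-name limit quoted in the commit message */
typedef struct { uint32_t remote_id; size_t name_len; } ex_mapping;
typedef struct { ex_mapping *map; size_t capacity, size; } ex_clipboard;
typedef struct { uint32_t id; const char *name; } ex_format; /* peer-supplied entry */
static void *(*ex_realloc)(void *, size_t) = realloc; /* swappable to simulate OOM */
static void *ex_failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }
static size_t ex_bounded_strlen(const char *s, size_t limit) { /* reads <= limit bytes */
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}
/* Returns 1 only if cb->map has at least `needed` slots; state is unchanged on failure. */
static int ex_map_ensure_capacity(ex_clipboard *cb, size_t needed) {
    if (!cb || needed > EX_MAX_FORMATS) return 0;
    if (needed <= cb->capacity) return 1;
    if (needed > SIZE_MAX / sizeof(ex_mapping)) return 0; /* multiplication overflow */
    ex_mapping *grown = ex_realloc(cb->map, needed * sizeof(ex_mapping));
    if (!grown) return 0; /* old array is still valid and still owned by cb */
    memset(grown + cb->capacity, 0, (needed - cb->capacity) * sizeof(ex_mapping));
    cb->map = grown;
    cb->capacity = needed;
    return 1;
}

/* Validate the count, grow once up front, and abort rather than index a short array. */
static int ex_handle_format_list(ex_clipboard *cb, const ex_format *f, size_t num) {
    if (!cb || num > EX_MAX_FORMATS || (num > 0 && !f)) return 0;
    cb->size = 0;
    if (!ex_map_ensure_capacity(cb, num)) return 0;
    for (size_t i = 0; i < num; i++) {
        size_t len = f[i].name ? ex_bounded_strlen(f[i].name, EX_MAX_NAME_BYTES + 1) : 0;
        if (len > EX_MAX_NAME_BYTES) return 0; /* overlong name: list rejected, size stays 0 */
        cb->map[i] = (ex_mapping){ f[i].id, len };
    }
    cb->size = num;
    return 1;
}

int main(void) {
    ex_format list[] = { {0xC001u, "HTML Format"}, {13u, NULL} }; /* constructed input */
    ex_clipboard cb = {0};
    int ok = ex_handle_format_list(&cb, list, 2);
    free(cb.map);
    return !ok;
}
```

Pointing `ex_realloc` at `ex_failing_realloc` exercises the failure path: the handler returns 0 before any mapping slot is written.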

@coderabbitai

coderabbitai Bot commented Jun 30, 2026


Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 903d8735-2977-4634-a484-125893375380

📥 Commits

Reviewing files that changed from the base of the PR and between f1e3dc2 and 4b3375b.

📒 Files selected for processing (1)
  • libs/clipboard/src/windows/wf_cliprdr.c

Walkthrough

wf_cliprdr.c gains two guard macros capping clipboard format count and format-name byte length, a bounded wf_cliprdr_bounded_strlen helper, a refactored map_ensure_capacity that validates inputs, enforces limits, and returns BOOL, and a hardened wf_cliprdr_server_format_list that validates numFormats, uses the new bounded helpers, and rejects overlong names.

Clipboard Format List Hardening

| Layer / File(s) | Summary |
| --- | --- |
| Guard constants and bounded strlen helper (libs/clipboard/src/windows/wf_cliprdr.c) | Adds WF_CLIPRDR_MAX_FORMATS and WF_CLIPRDR_MAX_FORMAT_NAME_BYTES macros, and implements wf_cliprdr_bounded_strlen that caps string measurement at a given limit. |
| Bounded map_ensure_capacity refactor (libs/clipboard/src/windows/wf_cliprdr.c) | Replaces the void auto-growing function with a BOOL version that checks for null, enforces WF_CLIPRDR_MAX_FORMATS, guards against size_t overflow, reallocates to exact requested capacity, and zero-initializes new slots. |
| Hardened server format-list handler (libs/clipboard/src/windows/wf_cliprdr.c) | wf_cliprdr_server_format_list now validates numFormats against the cap, requires a non-null formats pointer when numFormats > 0, calls the new map_ensure_capacity up front, measures each format name with the bounded helper, rejects overlong names by clearing the map, converts UTF-8 to UTF-16 using the bounded length, and removes the old unconditional per-loop growth call. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 A bunny once found a clipboard so wide,
With names that stretched endlessly, side after side.
"No more!" cried the rabbit, and added a cap,
A bounded strlen tucked snug in a wrap.
Now formats stay tidy, no buffer goes boom —
The clipboard is safe in its cozy hutch room. 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly matches the clipboard out-of-bounds hardening work and summarizes the main fix. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@fufesou fufesou force-pushed the fix/clipboard-OOB branch from c1fe84d to f1e3dc2 Compare June 30, 2026 12:51
@fufesou fufesou force-pushed the fix/clipboard-OOB branch from f1e3dc2 to 93ca9bb Compare June 30, 2026 13:11
The Windows CLIPRDR format-list handler relies on map_ensure_capacity()
while processing peer-provided formats. The previous helper only attempted
growth: if realloc() failed, it returned silently and the caller continued
processing. A later iteration could then index past the allocated
format_mappings array.

Make format-map growth a checked operation. The handler now validates the
peer-provided format count, ensures the mapping array is large enough before
writing entries, and aborts processing if growth fails. Newly allocated slots
are zeroed so existing cleanup can safely run after partial processing.

Also bound remote format names before measuring/converting them. The chosen
limits follow Windows clipboard/atom constraints:
  - registered clipboard format IDs use 0xC000..0xFFFF
  - string atom names are limited to 255 bytes

Signed-off-by: fufesou <linlong1266@gmail.com>
@fufesou fufesou force-pushed the fix/clipboard-OOB branch from 93ca9bb to 4b3375b Compare June 30, 2026 13:23
@fufesou

fufesou commented Jun 30, 2026

Owner Author

@codex review

@fufesou

fufesou commented Jun 30, 2026

Owner Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Keep it up!

Reviewed commit: 4b3375b479
