I am trying to understand how the very old vulnerability MS08-067 works. I found a code example http://www.phreedom.org/blog/2008/decompiling-ms08-067/.
Debugging this code shows me that the function below could overrun the stack:
The screenshot below shows the status of the local vars when the overflow happens:
What confuses me is:
wcscpy copies the content from
&p is part of previous_slash, so its length is shorter. How could the overflow happen when the content that triggers the overflow is shorter than the length of the dst buffer?
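An added illustration of the situation the question describes (constructed model, not the netapi32 code or the decompilation linked above): a source string shorter than the destination buffer can still overwrite memory outside that buffer when the destination pointer itself was computed by a backward scan that has no lower-bound check. The frame layout, `PATH_OFF`, and all function names are assumptions made for the example.

```c
#include <wchar.h>

/* Constructed model of the path-canonicalization bug class (not the real
 * netapi32 code): the path buffer starts at frame[PATH_OFF]; the words
 * before it stand for neighbouring locals on the same stack frame. */
enum { FRAME_LEN = 48, PATH_OFF = 8 };

/* Fill the frame with filler, plant one stale L'\\' in the neighbouring
 * words and place the path in the buffer. */
static void build_frame(wchar_t *frame, const wchar_t *path) {
    for (int i = 0; i < FRAME_LEN; i++) frame[i] = L'X';
    frame[3] = L'\\';
    wcsncpy(frame + PATH_OFF, path, FRAME_LEN - PATH_OFF - 1);
    frame[FRAME_LEN - 1] = L'\0';
}

/* Index of the first "\.." component inside the path buffer, or -1. */
static int find_dotdot(const wchar_t *frame) {
    for (int i = PATH_OFF + 1; frame[i] != L'\0' && frame[i + 1] != L'\0'; i++)
        if (frame[i - 1] == L'\\' && frame[i] == L'.' && frame[i + 1] == L'.')
            return i;
    return -1;
}

/* Scan backwards from the "\.." for the previous backslash. The checked
 * variant stops at the start of the buffer (the check MS08-067 lacked);
 * the unchecked one keeps walking into the neighbouring words. -1 = none. */
static int find_previous_slash(const wchar_t *frame, int dotdot, int checked) {
    int floor = checked ? PATH_OFF : 0;
    int i = dotdot - 2;                 /* skip the slash right before ".." */
    while (i >= floor && frame[i] != L'\\') i--;
    return i >= floor ? i : -1;
}

/* Number of neighbouring words that wcscpy(previous_slash, p) would
 * overwrite, with p = the text after "..". 0 means the copy stays inside
 * the buffer (or the checked variant rejects the path). */
static int clobbered_words(const wchar_t *path, int checked) {
    wchar_t frame[FRAME_LEN];
    build_frame(frame, path);
    int dotdot = find_dotdot(frame);
    if (dotdot < 0) return 0;
    int dst = find_previous_slash(frame, dotdot, checked);
    if (dst < 0) return 0;
    int copied = (int)wcslen(frame + dotdot + 2) + 1;   /* wcscpy copies the NUL */
    int underrun = PATH_OFF - dst;      /* words of dst lying before the buffer */
    if (underrun <= 0) return 0;
    return copied < underrun ? copied : underrun;
}
```

For `\..\foo` the copied text is only five words, far less than the 40-word buffer, yet the unchecked scan places the destination five words before the buffer start, so all five words land in the neighbouring variable; the bounded scan rejects the same path.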