Rob Shearman : ole32: Fix buffer overrun in CLIPFORMAT_UserMarshal.
Alexandre Julliard
julliard at winehq.org
Fri Nov 20 10:48:05 CST 2009
Module: wine
Branch: master
Commit: d1db29e801f378f7310fa66ff54980368db1869b
URL: http://source.winehq.org/git/wine.git/?a=commit;h=d1db29e801f378f7310fa66ff54980368db1869b
Author: Rob Shearman <robertshearman at gmail.com>
Date: Fri Nov 20 14:37:13 2009 +0000
ole32: Fix buffer overrun in CLIPFORMAT_UserMarshal.
The string in format is nul-terminated so use memcpy to copy it into
the buffer and don't try to nul-terminate it manually which causes a
write outside of the allocated buffer length.
Fix a similar off-by-one error in CLIPFORMAT_UserUnmarshal too. This
time it is only reading from beyond the buffer.
---
dlls/ole32/usrmarshal.c | 10 ++++------
1 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/dlls/ole32/usrmarshal.c b/dlls/ole32/usrmarshal.c
index f180f42..ed31620 100644
--- a/dlls/ole32/usrmarshal.c
+++ b/dlls/ole32/usrmarshal.c
@@ -170,11 +170,9 @@ unsigned char * __RPC_USER CLIPFORMAT_UserMarshal(ULONG *pFlags, unsigned char *
pBuffer += sizeof(UINT);
*(UINT *)pBuffer = len;
pBuffer += sizeof(UINT);
- TRACE("marshaling format name %s\n", debugstr_wn(format, len-1));
- lstrcpynW((LPWSTR)pBuffer, format, len);
+ TRACE("marshaling format name %s\n", debugstr_w(format));
+ memcpy(pBuffer, format, len * sizeof(WCHAR));
pBuffer += len * sizeof(WCHAR);
- *(WCHAR *)pBuffer = '\0';
- pBuffer += sizeof(WCHAR);
}
else
{
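Review bot: The `memcpy(pBuffer, format, len * sizeof(WCHAR))` stays in bounds only if `len` counts the terminating nul of `format` and equals the count reserved when the buffer was sized. `len` is computed outside the hunk, so neither can be confirmed from these lines. A one-line comment above the copy would record the invariant that the removed manual terminator broke, for example `/* len includes the terminating nul and must match the length reserved when sizing the buffer */`. The function body starts and ends outside the hunk.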
@@ -238,11 +236,11 @@ unsigned char * __RPC_USER CLIPFORMAT_UserUnmarshal(ULONG *pFlags, unsigned char
if (*(UINT *)pBuffer != len)
RaiseException(RPC_S_INVALID_BOUND, 0, 0, NULL);
pBuffer += sizeof(UINT);
- if (((WCHAR *)pBuffer)[len] != '\0')
+ if (((WCHAR *)pBuffer)[len - 1] != '\0')
RaiseException(RPC_S_INVALID_BOUND, 0, 0, NULL);
TRACE("unmarshaling clip format %s\n", debugstr_w((LPCWSTR)pBuffer));
cf = RegisterClipboardFormatW((LPCWSTR)pBuffer);
- pBuffer += (len + 1) * sizeof(WCHAR);
+ pBuffer += len * sizeof(WCHAR);
if (!cf)
RaiseException(DV_E_CLIPFORMAT, 0, 0, NULL);
*pCF = cf;
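Review bot: The new terminator check `((WCHAR *)pBuffer)[len - 1]` has no guard for `len == 0`. `len` appears to be an unsigned count taken from the marshalled stream, since it is compared against `*(UINT *)pBuffer` just above. If so, a zero length wraps the index and reads far outside the buffer instead of being rejected. Folding the case into the existing check keeps the same failure path: `if (!len || ((WCHAR *)pBuffer)[len - 1] != '\0')`. Nothing in the hunk bounds `len` against the remaining buffer either, though the buffer end may not be available here; the function starts and ends outside the hunk.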