Alexandre Julliard : kernel32: Fix handling of overflows in GetPrivateProfileSectionA.

Alexandre Julliard julliard at winehq.org
Fri Oct 9 09:24:09 CDT 2009


Module: wine
Branch: master
Commit: 362ecd06f6abc2d1296c4ba2aa522825d2fe7c35
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=362ecd06f6abc2d1296c4ba2aa522825d2fe7c35

Author: Alexandre Julliard <julliard at winehq.org>
Date:   Thu Oct  8 16:28:17 2009 +0200

kernel32: Fix handling of overflows in GetPrivateProfileSectionA.

---

 dlls/kernel32/profile.c       |   14 +++++++-------
 dlls/kernel32/tests/profile.c |    8 ++++++++
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/dlls/kernel32/profile.c b/dlls/kernel32/profile.c
index 8a787da..aa223c7 100644
--- a/dlls/kernel32/profile.c
+++ b/dlls/kernel32/profile.c
@@ -1386,23 +1386,23 @@ INT WINAPI GetPrivateProfileSectionA( LPCSTR section, LPSTR buffer,
         return 0;
     }
 
-    bufferW = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
+    bufferW = HeapAlloc(GetProcessHeap(), 0, len * 2 * sizeof(WCHAR));
     RtlCreateUnicodeStringFromAsciiz(&sectionW, section);
     if (filename) RtlCreateUnicodeStringFromAsciiz(&filenameW, filename);
     else filenameW.Buffer = NULL;
 
-    retW = GetPrivateProfileSectionW(sectionW.Buffer, bufferW, len, filenameW.Buffer);
-    if (len > 2)
+    retW = GetPrivateProfileSectionW(sectionW.Buffer, bufferW, len * 2, filenameW.Buffer);
+    if (retW)
     {
+        if (retW == len * 2 - 2) retW++;  /* overflow */
         ret = WideCharToMultiByte(CP_ACP, 0, bufferW, retW + 1, buffer, len, NULL, NULL);
-        if (ret > 2)
-            ret -= 1;
-        else
+        if (!ret || ret == len)  /* overflow */
         {
-            ret = 0;
+            ret = len - 2;
             buffer[len-2] = 0;
             buffer[len-1] = 0;
         }
+        else ret--;
     }
     else
     {
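Review bot: The enlarged allocation `bufferW = HeapAlloc(GetProcessHeap(), 0, len * 2 * sizeof(WCHAR));` is still used unchecked, and `bufferW` is passed to GetPrivateProfileSectionW a few lines later with a count of `len * 2`. Adding `if (!bufferW) { SetLastError(ERROR_NOT_ENOUGH_MEMORY); return 0; }` directly after the allocation, before the two Unicode strings are created, avoids writing through a NULL pointer and leaks nothing. Because `len` comes from the caller, the doubled byte size and the doubled count can also wrap for very large values (its type is not visible in the hunk, presumably a 32-bit unsigned), so an upper bound on `len` before the multiplication is worth considering. With the old `if (len > 2)` guard gone, the overflow branch's `buffer[len-2] = 0;` is safe for `len < 2` only if GetPrivateProfileSectionW returns 0 for such small buffers, which cannot be confirmed from here. The function starts before this hunk and continues past it.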
diff --git a/dlls/kernel32/tests/profile.c b/dlls/kernel32/tests/profile.c
index a1bf967..e3f7156 100644
--- a/dlls/kernel32/tests/profile.c
+++ b/dlls/kernel32/tests/profile.c
@@ -236,6 +236,14 @@ static void test_profile_sections(void)
         broken(GetLastError() == 0xdeadbeef), /* Win9x, WinME */
         "expected ERROR_SUCCESS, got %d\n", GetLastError());
 
+    /* Overflow*/
+    ret=GetPrivateProfileSectionA("section1", buf, 24, testfile4);
+    for( p = buf + strlen(buf) + 1; *p;p += strlen(p)+1)
+        p[-1] = ',';
+    ok( ret == 22 && !strcmp( buf, "name1=val1,name2=,name"), "wrong section returned(%d): %s\n",
+        ret, buf);
+    ok( buf[ret] == 0 && buf[ret+1] == 0, "returned buffer not terminated with double-null\n" );
+
     DeleteFileA( testfile4 );
 }
 
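Review bot: The new overflow case checks the truncated contents and the double-null terminator, but it never checks that nothing was written beyond the 24 bytes passed as the size. Assuming `buf` is larger than 24 bytes (its declaration is outside the hunk), filling it first with `memset(buf, 0xc, sizeof(buf));` and adding `ok( buf[24] == 0xc, "buffer written past its size\n" );` after the call would catch that. The separator loop also walks `buf` until it finds a double null, and the termination check in the last `ok()` only runs afterwards, so on a regression the loop could run past the returned data. Moving the termination check ahead of the loop would make such a failure easier to read.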



