nasty NTDLL_vsnwprintf bug?!?

[John K. Hohm]

My heap corruption problem turned out to be a bug in swprintf (well,
really in NTDLL_vsnwprintf), I think.  I tried formatting like this:

	WCHAR keyname[21] = { 'C', 'o', 'm', 'p', 'o', 'n', 'e', 'n',
			      't', ' ', 'C', 'a', 't', 'e', 'g', 'o',
			      'r', 'i', 'e', 's', 0 };
	WCHAR fmt[4] = { '%', 'l', 'X', 0 };
	swprintf(This->xlcid, fmt, lcid);

My poor little WCHAR xlcid[9] member of This was seriously overflowed by
the string L"409Component Categories".  The following patch fixes what
appears to be a format reading bug in NTDLL_vsnwprintf.  I didn't just
send it to wine-patches because it's not my area and it seems unlikely
such a bad bug could hang around in such a function.  Then again, I don't
see many uses of swprintf in the source; should I be using something
better for sprintf's of WCHAR's?

--- dlls/ntdll/wcstring.c.~1.15.~	Thu May 16 19:59:27 2002
+++ dlls/ntdll/wcstring.c	Fri May 17 23:09:21 2002
@@ -451,10 +451,7 @@
       }
       if (*iter == (WCHAR)L'h' ||
           *iter == (WCHAR)L'l')
-      {
           *fmta++ = *iter++;
-          *fmta++ = *iter++;
-      }

       switch (*iter)
       {