comctl32: tooltips: avoid buffer overrun (spotted by hto@mail.cnt.ru, bug #8361), make sure some strings are NUL-terminated

Alexandre Julliard julliard at winehq.org
Thu Jul 19 06:01:00 CDT 2007


Mikołaj Zalewski <mikolaj at zalewski.pl> writes:

> @@ -389,10 +390,10 @@ static void TOOLTIPS_GetDispInfoW(HWND hwnd, TOOLTIPS_INFO *infoPtr, TTTOOL_INFO
>                  sizeof(ttnmdi.szText)/sizeof(ttnmdi.szText[0]) : INFOTIPSIZE-1;
>          lstrcpynW(infoPtr->szTipText, ttnmdi.lpszText, max_len);
>          if (ttnmdi.uFlags & TTF_DI_SETITEM) {
> -            INT len = max(strlenW(ttnmdi.lpszText), max_len);
> +            INT len = min(strlenW(ttnmdi.lpszText), max_len);

It the text is really allowed to not be null-terminated then calling
strlenW on it is wrong in any case. It does seem surprising though,
are you sure we really need to support this?

-- 
Alexandre Julliard
julliard at winehq.org



More information about the wine-devel mailing list