wrc fix from bugzilla
Francois Gouget
fgouget at free.fr
Mon Nov 5 18:40:23 CST 2001
Changelog:
* tools/wrc/writeres.c
Fix a buffer overflow in write_name_str
Bug found by jonathan at corvu.com.au, see bug 352
The error message was saying "65534 bytes" but in fact the field
counts characters so the limit corresponds to a number of characters. I
kind of wonder why this would not be 65535 since the terminating '\0' is
not counted in that field but I will take it that 65535 has a special
meaning.
http://wine.codeweavers.com/bugs/show_bug.cgi?id=352
--
Francois Gouget fgouget at free.fr http://fgouget.free.fr/
The nice thing about meditation is that it makes doing nothing quite respectable
-- Paul Dean
-------------- next part --------------
Index: tools/wrc/writeres.c
===================================================================
RCS file: /home/wine/wine/tools/wrc/writeres.c,v
retrieving revision 1.19
diff -u -r1.19 writeres.c
--- tools/wrc/writeres.c 2000/11/11 00:38:37 1.19
+++ tools/wrc/writeres.c 2001/11/05 20:35:16
@@ -229,7 +229,7 @@
if(res.size == 0)
internal_error(__FILE__, __LINE__, "Attempt to write empty string");
res.dataidx = 0;
- res.data = (char *)xmalloc(res.size + 1);
+ res.data = (char *)xmalloc(1 + res.size + 1);
res.data[0] = (char)res.size;
res.size++; /* We need to write the length byte as well */
strcpy(res.data+1, nid->name.s_name->str.cstr);
@@ -264,11 +264,11 @@
{
res.size = strlenW(nid->name.s_name->str.wstr);
if(res.size > 65534)
- error("Can't write strings larger than 65534 bytes");
+ error("Can't write strings larger than 65534 characters");
if(res.size == 0)
internal_error(__FILE__, __LINE__, "Attempt to write empty string");
res.dataidx = 0;
- res.data = (char *)xmalloc((res.size + 1) * 2);
+ res.data = (char *)xmalloc(2 + (res.size + 1) * 2);
((short *)res.data)[0] = (short)res.size;
strcpyW((WCHAR *)(res.data+2), nid->name.s_name->str.wstr);
res.size *= 2; /* Function writes bytes, not shorts... */
More information about the wine-patches
mailing list