comctl32: tooltips: avoid buffer overrun (spotted by [email protected], bug #8361), make sure some strings are NUL-terminated

Mikołaj Zalewski mikolaj at zalewski.pl
Wed Jul 18 17:03:11 CDT 2007


-------------- next part --------------
From 8aaba1a9580546772c8dbefe1f631c3861bd1fe8 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Miko=C5=82aj_Zalewski?= <mikolaj at zalewski.pl>
Date: Wed, 11 Jul 2007 23:02:31 +0200
Subject: [PATCH] comctl32: tooltips: avoid buffer overrun (spotted by hto at mail.cnt.ru, bug #8361), make sure some strings are NUL-terminated

---
 dlls/comctl32/tooltips.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/dlls/comctl32/tooltips.c b/dlls/comctl32/tooltips.c
index 4e11c5c..73af45b 100644
--- a/dlls/comctl32/tooltips.c
+++ b/dlls/comctl32/tooltips.c
@@ -340,12 +340,13 @@ static void TOOLTIPS_GetDispInfoA(HWND hwnd, TOOLTIPS_INFO *infoPtr, TTTOOL_INFO
                 sizeof(ttnmdi.szText)/sizeof(ttnmdi.szText[0]) : -1;
         MultiByteToWideChar(CP_ACP, 0, ttnmdi.lpszText, max_len,
                             infoPtr->szTipText, INFOTIPSIZE);
+        infoPtr->szTipText[INFOTIPSIZE - 1] = 0; /* make sure the string is NUL-terminated */
         if (ttnmdi.uFlags & TTF_DI_SETITEM) {
             INT len = MultiByteToWideChar(CP_ACP, 0, ttnmdi.lpszText,
 					  max_len, NULL, 0);
             toolPtr->hinst = 0;
-            toolPtr->lpszText =	Alloc (len * sizeof(WCHAR));
-            MultiByteToWideChar(CP_ACP, 0, ttnmdi.lpszText, -1,
+            toolPtr->lpszText = Alloc((len+1) * sizeof(WCHAR));
+            MultiByteToWideChar(CP_ACP, 0, ttnmdi.lpszText, max_len,
                                 toolPtr->lpszText, len);
         }
     }
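Review bot: The terminator written at `szTipText[INFOTIPSIZE - 1]` only covers the truncation case; when `max_len` is the element count of `ttnmdi.szText` and that buffer holds no NUL, the conversion stops before the last slot and whatever szTipText held earlier remains between the converted text and the forced terminator. Capturing the return value of the first MultiByteToWideChar call and also terminating at that index when it is non-zero would close the gap. The TTF_DI_SETITEM copy has the same shape: `toolPtr->lpszText[len]` is never written, so its terminator depends on Alloc returning zeroed memory, which this hunk does not show. An explicit `toolPtr->lpszText[len] = 0;` behind a NULL check on the Alloc result would make the invariant visible here. The function body starts and ends outside the hunk.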
@@ -389,10 +390,10 @@ static void TOOLTIPS_GetDispInfoW(HWND hwnd, TOOLTIPS_INFO *infoPtr, TTTOOL_INFO
                 sizeof(ttnmdi.szText)/sizeof(ttnmdi.szText[0]) : INFOTIPSIZE-1;
         lstrcpynW(infoPtr->szTipText, ttnmdi.lpszText, max_len);
         if (ttnmdi.uFlags & TTF_DI_SETITEM) {
-            INT len = max(strlenW(ttnmdi.lpszText), max_len);
+            INT len = min(strlenW(ttnmdi.lpszText), max_len);
             toolPtr->hinst = 0;
-            toolPtr->lpszText =	Alloc ((len+1) * sizeof(WCHAR));
-            memcpy(toolPtr->lpszText, ttnmdi.lpszText, (len+1) * sizeof(WCHAR));
+            toolPtr->lpszText = Alloc((len+1) * sizeof(WCHAR));
+            lstrcpynW(toolPtr->lpszText, ttnmdi.lpszText, len + 1);
         }
     }
     else {
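Review bot: `strlenW(ttnmdi.lpszText)` on the new `len` line still walks the source until it meets a NUL, so if the notification handler leaves szText unterminated the read runs past the buffer before `min` clamps the result. A bounded scan such as `for (len = 0; len < max_len && ttnmdi.lpszText[len]; len++) ;` keeps the read within max_len characters. The Alloc result is also handed to lstrcpynW unchecked, so an allocation failure would pass it a NULL destination; wrapping the copy in `if (toolPtr->lpszText)` avoids that. The enclosing function begins before and continues after the hunk.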
-- 
1.4.4.2

