ole32: Fix invalid memory access in storage32
Nathan Gallaher
ngallaher at deepthought.org
Sun Dec 6 07:36:31 CST 2009
In StorageImpl_Construct():
For pwcsName strings shorter than DIRENTRY_NAME_BUFFER_LEN-1, an invalid
read would be noted by valgrind as the memcpy wanders off the end of the
string. Do the needful to calculate the required string length.
-------------- next part --------------
From 4334decbcf4d6ba427906c1e470e49672dc23fdc Mon Sep 17 00:00:00 2001
From: Nathan Gallaher <ngallaher at deepthought.org>
Date: Sun, 6 Dec 2009 08:30:06 -0500
Subject: ole32: Fix invalid memory access in storage32
For pwcsName strings shorter than DIRENTRY_NAME_BUFFER_LEN-1, an invalid
read would be noted by valgrind as the memcpy wanders off the end of the
string. Do the needful to calculate the required string length.
---
dlls/ole32/storage32.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/dlls/ole32/storage32.c b/dlls/ole32/storage32.c
index 384722d..6c6fc13 100644
--- a/dlls/ole32/storage32.c
+++ b/dlls/ole32/storage32.c
@@ -2268,6 +2268,7 @@ static HRESULT StorageImpl_Construct(
This->hFile = hFile;
if(pwcsName) {
+ int filenameLength;
This->pwcsName = HeapAlloc(GetProcessHeap(), 0,
(lstrlenW(pwcsName)+1)*sizeof(WCHAR));
if (!This->pwcsName)
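Review bot: filenameLength is declared as int at the top of the if(pwcsName) block, but the value it later receives, lstrlenW(pwcsName)*sizeof(WCHAR), is an unsigned size_t expression and is then passed to memcpy as a size. Declare it as an unsigned size type to avoid the implicit narrowing and the mixed signed/unsigned arguments to min(). Since lstrlenW(pwcsName) is already evaluated for the HeapAlloc just below the declaration, the length could also be taken once and reused for both the allocation and the later copy.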
@@ -2277,8 +2278,10 @@ static HRESULT StorageImpl_Construct(
}
strcpyW(This->pwcsName, pwcsName);
- memcpy(This->base.filename, pwcsName, DIRENTRY_NAME_BUFFER_LEN-1);
- This->base.filename[DIRENTRY_NAME_BUFFER_LEN-1] = 0;
+ filenameLength = min(lstrlenW(pwcsName)*sizeof(WCHAR),
+ DIRENTRY_NAME_BUFFER_LEN-1);
+ memcpy(This->base.filename, pwcsName, filenameLength);
+ This->base.filename[filenameLength] = 0;
}
/*
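Review bot: filenameLength is used in two different units in the added lines: it is a byte count in memcpy(This->base.filename, pwcsName, filenameLength) and an element index in This->base.filename[filenameLength] = 0. The two agree only if the elements of filename are one byte wide. The source is a WCHAR string, so if filename is a WCHAR array the terminator is written at twice the distance of the copied characters, and the elements between the end of the copy and the terminator are never set. The byte cap DIRENTRY_NAME_BUFFER_LEN-1 can also cut a WCHAR in half when the name is longer than the buffer. I would count in characters throughout: cap the character count at the number of elements in filename minus one, copy count*sizeof(WCHAR) bytes, and terminate at filename[count], or use lstrcpynW with the element count of the buffer, which does the bounded copy and termination in one call. A comment stating whether DIRENTRY_NAME_BUFFER_LEN is in bytes or in WCHARs would help the next reader.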
--
1.6.0.4