[PATCH] user32: fixed single byte array overflow

Marcus Meissner marcus at jet.franken.de
Fri Sep 9 17:40:07 CDT 2011


Hi,

number apparently needs to be 1 byte larger (for the terminating \0, I guess)
to hold the %I64u output of -1.

Spotted by -fstack-protector.

Ciao, Marcus
---
 dlls/user32/wsprintf.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dlls/user32/wsprintf.c b/dlls/user32/wsprintf.c
index fe20536..5e618d6 100644
--- a/dlls/user32/wsprintf.c
+++ b/dlls/user32/wsprintf.c
@@ -316,7 +316,7 @@ static INT wvsnprintfA( LPSTR buffer, UINT maxlen, LPCSTR spec, __ms_va_list arg
     WPRINTF_FORMAT format;
     LPSTR p = buffer;
     UINT i, len, sign;
-    CHAR number[20];
+    CHAR number[21]; /* 64bit number can be 18446744073709551616 which is 20 chars. and a \0 */
     WPRINTF_DATA argData;
 
     TRACE("%p %u %s\n", buffer, maxlen, debugstr_a(spec));
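Review bot: The comment on the new `CHAR number[21];` line gives the maximum as 18446744073709551616, which is 2^64 and does not fit in 64 bits; the largest unsigned 64-bit value is 18446744073709551615, which is still 20 digits, so the size of 21 is right and only the comment is off. I would write `CHAR number[21]; /* 2^64-1 = 18446744073709551615 is 20 digits, plus the terminating \0 */` here and on the identical line in the wvsnprintfW hunk. The code that formats into `number` is outside both hunks, so it cannot be confirmed from here whether that write is bounded; if it is an unbounded sprintf-style call, bounding it by `sizeof(number)` would turn any future miscount into truncation rather than a stack overwrite. Both function bodies continue outside the hunks.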
@@ -421,7 +421,7 @@ static INT wvsnprintfW( LPWSTR buffer, UINT maxlen, LPCWSTR spec, __ms_va_list a
     WPRINTF_FORMAT format;
     LPWSTR p = buffer;
     UINT i, len, sign;
-    CHAR number[20];
+    CHAR number[21]; /* 64bit number can be 18446744073709551616 which is 20 chars. and a \0 */
     WPRINTF_DATA argData;
 
     TRACE("%p %u %s\n", buffer, maxlen, debugstr_w(spec));
-- 
1.7.3.4



