[PATCH] user32: fixed single byte array overflow
Marcus Meissner
marcus at jet.franken.de
Fri Sep 9 17:40:07 CDT 2011
Hi,
number apparently needs 1 byte larger (terminating \0 I guess)
to fill %I64u of -1.
Spotted by -fstack-protector.
Ciao, Marcus
---
dlls/user32/wsprintf.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/user32/wsprintf.c b/dlls/user32/wsprintf.c
index fe20536..5e618d6 100644
--- a/dlls/user32/wsprintf.c
+++ b/dlls/user32/wsprintf.c
@@ -316,7 +316,7 @@ static INT wvsnprintfA( LPSTR buffer, UINT maxlen, LPCSTR spec, __ms_va_list arg
WPRINTF_FORMAT format;
LPSTR p = buffer;
UINT i, len, sign;
- CHAR number[20];
+ CHAR number[21]; /* 64bit number can be 18446744073709551616 which is 20 chars. and a \0 */
WPRINTF_DATA argData;
TRACE("%p %u %s\n", buffer, maxlen, debugstr_a(spec));
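Review bot: The comment on the new `CHAR number[21]` line in wvsnprintfA gives 18446744073709551616 as the largest 64-bit number, but that value is 2^64; the largest value %I64u can print is 2^64-1 = 18446744073709551615, which is the -1 case the commit message describes. The digit count of 20 and the new size of 21 are still correct, so only the comment needs fixing, for example `/* 2^64-1 is 18446744073709551615: 20 digits plus the \0 */`.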
@@ -421,7 +421,7 @@ static INT wvsnprintfW( LPWSTR buffer, UINT maxlen, LPCWSTR spec, __ms_va_list a
WPRINTF_FORMAT format;
LPWSTR p = buffer;
UINT i, len, sign;
- CHAR number[20];
+ CHAR number[21]; /* 64bit number can be 18446744073709551616 which is 20 chars. and a \0 */
WPRINTF_DATA argData;
TRACE("%p %u %s\n", buffer, maxlen, debugstr_w(spec));
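Review bot: The size 21 and its comment in wvsnprintfW are copied verbatim from wvsnprintfA, so the two declarations can drift apart on a later change. Defining the length once (for example a hypothetical `#define WPRINTF_NUMBER_LEN 21`, with the explanation next to it) and using it in both `CHAR number[...]` declarations would keep them in step. The copied comment also repeats 18446744073709551616 where 18446744073709551615 is meant.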
--
1.7.3.4