Bill Medland : msi: Prevent array underflow in MsiFormat when
measuring with zero-length buffer.
Alexandre Julliard
julliard at wine.codeweavers.com
Wed Dec 21 14:26:12 CST 2005
Module: wine
Branch: refs/heads/master
Commit: b56ed22277549dd7aa9a2b35951f9b2db7be870f
URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=b56ed22277549dd7aa9a2b35951f9b2db7be870f
Author: Bill Medland <billmedland at mercuryspeed.com>
Date: Wed Dec 21 21:19:47 2005 +0100
msi: Prevent array underflow in MsiFormat when measuring with zero-length buffer.
---
dlls/msi/format.c | 8 +++++++-
dlls/msi/tests/format.c | 7 ++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/dlls/msi/format.c b/dlls/msi/format.c
index c280541..85f9028 100644
--- a/dlls/msi/format.c
+++ b/dlls/msi/format.c
@@ -639,10 +639,15 @@ UINT MSI_FormatRecordA( MSIPACKAGE* pack
len = deformat_string_internal(package,rec,&deformated,strlenW(rec),
record, NULL);
+ /* If len is zero then WideCharToMultiByte will return 0 indicating
+ * failure, but that will do just as well since we are ignoring
+ * possible errors.
+ */
lenA = WideCharToMultiByte(CP_ACP,0,deformated,len,NULL,0,NULL,NULL);
if (buffer)
{
+ /* Ditto above */
WideCharToMultiByte(CP_ACP,0,deformated,len,buffer,*size,NULL, NULL);
if (*size>lenA)
{
@@ -652,7 +657,8 @@ UINT MSI_FormatRecordA( MSIPACKAGE* pack
else
{
rc = ERROR_MORE_DATA;
- buffer[(*size)-1] = 0;
+ if (*size)
+ buffer[(*size)-1] = 0;
}
}
else
diff --git a/dlls/msi/tests/format.c b/dlls/msi/tests/format.c
index 11cd455..59c6f11 100644
--- a/dlls/msi/tests/format.c
+++ b/dlls/msi/tests/format.c
@@ -109,7 +109,7 @@ static void test_formatrecord(void)
char buffer[100];
MSIHANDLE hrec;
UINT r;
- DWORD sz=100;
+ DWORD sz;
r = MsiFormatRecord(0, 0, NULL, NULL );
ok( r == ERROR_INVALID_HANDLE, "wrong error\n");
@@ -122,6 +122,11 @@ static void test_formatrecord(void)
ok( r == ERROR_SUCCESS, "format failed\n");
buffer[0] = 'x';
buffer[1] = 0;
+ sz=0;
+ r = MsiFormatRecord(0, hrec, buffer+1, &sz);
+ ok( r == ERROR_MORE_DATA && buffer[0] == 'x', "format failed measuring with buffer\n");
+ ok( sz == 16, "size wrong\n");
+ sz=100;
r = MsiFormatRecord(0, hrec, buffer, &sz);
ok( r == ERROR_SUCCESS, "format failed with empty buffer\n");
ok( sz == 16, "size wrong\n");
More information about the wine-cvs
mailing list