Bill Medland : msi: Prevent array underflow in MsiFormat when measuring with zero-length buffer.

Alexandre Julliard julliard at wine.codeweavers.com
Wed Dec 21 14:26:12 CST 2005


Module: wine
Branch: refs/heads/master
Commit: b56ed22277549dd7aa9a2b35951f9b2db7be870f
URL:    http://source.winehq.org/git/?p=wine.git;a=commit;h=b56ed22277549dd7aa9a2b35951f9b2db7be870f

Author: Bill Medland <billmedland at mercuryspeed.com>
Date:   Wed Dec 21 21:19:47 2005 +0100

msi: Prevent array underflow in MsiFormat when measuring with zero-length buffer.

---

 dlls/msi/format.c       |    8 +++++++-
 dlls/msi/tests/format.c |    7 ++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/dlls/msi/format.c b/dlls/msi/format.c
index c280541..85f9028 100644
--- a/dlls/msi/format.c
+++ b/dlls/msi/format.c
@@ -639,10 +639,15 @@ UINT MSI_FormatRecordA( MSIPACKAGE* pack
 
     len = deformat_string_internal(package,rec,&deformated,strlenW(rec),
                                    record, NULL);
+    /* If len is zero then WideCharToMultiByte will return 0 indicating 
+     * failure, but that will do just as well since we are ignoring
+     * possible errors.
+     */
     lenA = WideCharToMultiByte(CP_ACP,0,deformated,len,NULL,0,NULL,NULL);
 
     if (buffer)
     {
+        /* Ditto above */
         WideCharToMultiByte(CP_ACP,0,deformated,len,buffer,*size,NULL, NULL);
         if (*size>lenA)
         {
@@ -652,7 +657,8 @@ UINT MSI_FormatRecordA( MSIPACKAGE* pack
         else
         {
             rc = ERROR_MORE_DATA;
-            buffer[(*size)-1] = 0;    
+            if (*size)
+                buffer[(*size)-1] = 0;
         }
     }
     else
diff --git a/dlls/msi/tests/format.c b/dlls/msi/tests/format.c
index 11cd455..59c6f11 100644
--- a/dlls/msi/tests/format.c
+++ b/dlls/msi/tests/format.c
@@ -109,7 +109,7 @@ static void test_formatrecord(void)
     char buffer[100];
     MSIHANDLE hrec;
     UINT r;
-    DWORD sz=100;
+    DWORD sz;
 
     r = MsiFormatRecord(0, 0, NULL, NULL );
     ok( r == ERROR_INVALID_HANDLE, "wrong error\n");
@@ -122,6 +122,11 @@ static void test_formatrecord(void)
     ok( r == ERROR_SUCCESS, "format failed\n");
     buffer[0] = 'x';
     buffer[1] = 0;
+    sz=0;
+    r = MsiFormatRecord(0, hrec, buffer+1, &sz);
+    ok( r == ERROR_MORE_DATA && buffer[0] == 'x', "format failed measuring with buffer\n");
+    ok( sz == 16, "size wrong\n");
+    sz=100;
     r = MsiFormatRecord(0, hrec, buffer, &sz);
     ok( r == ERROR_SUCCESS, "format failed with empty buffer\n");
     ok( sz == 16, "size wrong\n");




More information about the wine-cvs mailing list