Marcus Meissner : msi: Fixed buffer overflow in number parsing.
Alexandre Julliard
julliard at winehq.org
Mon Dec 17 06:41:43 CST 2007
Module: wine
Branch: master
Commit: 964a0303c129d59ea227fcce68f647d2e76ddc56
URL: http://source.winehq.org/git/wine.git/?a=commit;h=964a0303c129d59ea227fcce68f647d2e76ddc56
Author: Marcus Meissner <marcus at jet.franken.de>
Date: Fri Dec 14 15:20:04 2007 +0100
msi: Fixed buffer overflow in number parsing.
---
dlls/msi/dialog.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/dlls/msi/dialog.c b/dlls/msi/dialog.c
index fae8fcf..078ceda 100644
--- a/dlls/msi/dialog.c
+++ b/dlls/msi/dialog.c
@@ -2464,7 +2464,7 @@ static void msi_dialog_vcl_add_columns( msi_dialog *dialog, msi_control *control
{
LPCWSTR text = MSI_RecordGetString( rec, 10 );
LPCWSTR begin = text, end;
- WCHAR num[10];
+ WCHAR *num;
LVCOLUMNW lvc;
DWORD count = 0;
@@ -2478,6 +2478,10 @@ static void msi_dialog_vcl_add_columns( msi_dialog *dialog, msi_control *control
if (!(end = strchrW( begin, '}' )))
return;
+ num = msi_alloc( (end-begin+1)*sizeof(WCHAR) );
+ if (!num)
+ return;
+
lstrcpynW( num, begin + 1, end - begin );
begin += end - begin + 1;
@@ -2485,14 +2489,17 @@ static void msi_dialog_vcl_add_columns( msi_dialog *dialog, msi_control *control
if ( !num[0] || !lstrcmpW( num, zero ) )
{
count++;
+ msi_free( num );
continue;
}
/* the width must be a positive number
* if a width is invalid, all remaining columns are hidden
*/
- if ( !strncmpW( num, negative, 1 ) || !str_is_number( num ) )
+ if ( !strncmpW( num, negative, 1 ) || !str_is_number( num ) ) {
+ msi_free( num );
return;
+ }
ZeroMemory( &lvc, sizeof(lvc) );
lvc.mask = LVCF_TEXT | LVCF_WIDTH | LVCF_SUBITEM;
@@ -2501,6 +2508,7 @@ static void msi_dialog_vcl_add_columns( msi_dialog *dialog, msi_control *control
SendMessageW( control->hwnd, LVM_INSERTCOLUMNW, count++, (LPARAM)&lvc );
msi_free( lvc.pszText );
+ msi_free( num );
}
}
More information about the wine-cvs
mailing list