Alexandre Julliard : comdlg32: Fixed a number of buffer overflows in the file dialog.

Alexandre Julliard julliard at winehq.org
Tue Mar 25 14:19:51 CDT 2008


Module: wine
Branch: master
Commit: 1e9acad3a07cd5e631829dd1ee7cee14b41884d5
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=1e9acad3a07cd5e631829dd1ee7cee14b41884d5

Author: Alexandre Julliard <julliard at winehq.org>
Date:   Tue Mar 25 17:34:32 2008 +0100

comdlg32: Fixed a number of buffer overflows in the file dialog.

---

 dlls/comdlg32/filedlg.c |   25 +++++++++++--------------
 1 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/dlls/comdlg32/filedlg.c b/dlls/comdlg32/filedlg.c
index 13b4c79..3e662ec 100644
--- a/dlls/comdlg32/filedlg.c
+++ b/dlls/comdlg32/filedlg.c
@@ -889,7 +889,7 @@ static INT_PTR FILEDLG95_Handle_GetFilePath(HWND hwnd, DWORD size, LPVOID buffer
         {
             /* 'n' includes trailing \0 */
             bufW[n-1] = '\\';
-            memcpy( &bufW[n], lpstrFileList, (size-n)*sizeof(WCHAR) );
+            lstrcpynW( &bufW[n], lpstrFileList, size - n );
         }
         TRACE("returned -> %s\n",debugstr_wn(bufW, total));
     }
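Review bot: The TRACE after the copy still passes `total` to `debugstr_wn`, while the copy itself is now bounded by `size`. If `total` (computed outside this hunk) is the untruncated length, enabling the trace may read past what was written into the caller's buffer. Clamping the length keeps the debug path inside the same bound: `TRACE("returned -> %s\n",debugstr_wn(bufW, min(total, size)));`. Separately, `size - n` is an unsigned subtraction, so the new `lstrcpynW` call relies on a guard that `n < size`, presumably on the `if` just above the visible lines; a one-line comment stating that invariant next to the call would help. The function body starts and ends outside the hunk.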
@@ -931,16 +931,15 @@ static INT_PTR FILEDLG95_Handle_GetFileSpec(HWND hwnd, DWORD size, LPVOID buffer
     FILEDLG95_FILENAME_GetFileNames(hwnd, &lpstrFileList, &sizeUsed, ' ');
     if( fodInfos->unicode )
     {
-        LPWSTR bufW = buffer;
-        memcpy( bufW, lpstrFileList, sizeof(WCHAR)*sizeUsed );
+        lstrcpynW( buffer, lpstrFileList, size );
     }
     else
     {
         LPSTR bufA = buffer;
-        sizeUsed = WideCharToMultiByte( CP_ACP, 0, lpstrFileList, sizeUsed,
-                                        NULL, 0, NULL, NULL);
-        WideCharToMultiByte(CP_ACP, 0, lpstrFileList, sizeUsed,
-                            bufA, size, NULL, NULL);
+        DWORD sizeA = WideCharToMultiByte( CP_ACP, 0, lpstrFileList, sizeUsed, NULL, 0, NULL, NULL);
+        WideCharToMultiByte(CP_ACP, 0, lpstrFileList, sizeUsed, bufA, size, NULL, NULL);
+        if (size && size < sizeA) bufA[size - 1] = 0;
+        sizeUsed = sizeA;
     }
     MemFree(lpstrFileList);
 
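Review bot: In the ANSI branch the return value of the second `WideCharToMultiByte` call is ignored, and a too-small buffer is handled only by forcing `bufA[size - 1] = 0`. When `size < sizeA` that call is expected to fail, so what it left in `bufA` before the terminator is not something the code verifies. With a double-byte `CP_ACP` code page the forced terminator can also land directly after a lead byte, handing the caller a split character. I would at least record this next to the truncation, e.g. `/* truncated output may end on a DBCS lead byte; conversion result is not checked */`, or trim back to a character boundary before terminating. The function continues outside the hunk.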
@@ -3237,29 +3236,27 @@ static int FILEDLG95_FILENAME_GetFileNames (HWND hwnd, LPWSTR * lpstrFileList, U
 	    while ((lpstrEdit[nStrCharCount]!='"') && (nStrCharCount <= nStrLen))
 	    {
 	      (*lpstrFileList)[nFileIndex++] = lpstrEdit[nStrCharCount];
-	      (*sizeUsed)++;
 	      nStrCharCount++;
 	    }
 	    (*lpstrFileList)[nFileIndex++] = separator;
-	    (*sizeUsed)++;
 	    nFileCount++;
 	  }
 	  nStrCharCount++;
 	}
 
 	/* single, unquoted string */
-	if ((nStrLen > 0) && (*sizeUsed == 0) )
+	if ((nStrLen > 0) && (nFileIndex == 0) )
 	{
 	  lstrcpyW(*lpstrFileList, lpstrEdit);
 	  nFileIndex = lstrlenW(lpstrEdit) + 1;
-	  (*sizeUsed) = nFileIndex;
 	  nFileCount = 1;
 	}
 
-	/* trailing \0 */
-	(*lpstrFileList)[nFileIndex] = '\0';
-	(*sizeUsed)++;
+        /* trailing \0 */
+        if (nFileIndex && separator) nFileIndex--;  /* remove trailing separator */
+        (*lpstrFileList)[nFileIndex++] = '\0';
 
+        *sizeUsed = nFileIndex;
 	MemFree(lpstrEdit);
 	return nFileCount;
 }
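Review bot: The copy loop kept as context, `while ((lpstrEdit[nStrCharCount]!='"') && (nStrCharCount <= nStrLen))`, reads `lpstrEdit[nStrCharCount]` before it checks the bound, and this commit leaves it unchanged. For an unterminated quote the index reaches `nStrLen + 1` and that element is read before the second operand stops the loop. If `lpstrEdit` is allocated with `nStrLen + 1` characters (the allocation is outside the hunk), that is a one-element over-read. Putting the bound first avoids it without changing what gets copied: `while ((nStrCharCount <= nStrLen) && (lpstrEdit[nStrCharCount]!='"'))`. The unbounded `lstrcpyW(*lpstrFileList, lpstrEdit)` in the single-string branch likewise depends on the size of the `*lpstrFileList` allocation made earlier in the function, so a comment tying the two together would be worth adding.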



