Rob Shearman : ole32: Fix buffer overrun in CLIPFORMAT_UserMarshal.

Alexandre Julliard julliard at winehq.org
Fri Nov 20 10:48:05 CST 2009


Module: wine
Branch: master
Commit: d1db29e801f378f7310fa66ff54980368db1869b
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=d1db29e801f378f7310fa66ff54980368db1869b

Author: Rob Shearman <robertshearman at gmail.com>
Date:   Fri Nov 20 14:37:13 2009 +0000

ole32: Fix buffer overrun in CLIPFORMAT_UserMarshal.

The string in format is nul-terminated so use memcpy to copy it into
the buffer and don't try to nul-terminate it manually which causes a
write outside of the allocated buffer length.

Fix a similar off-by-one error in CLIPFORMAT_UserUnmarshal too. This
time it is only reading from beyond the buffer.

---

 dlls/ole32/usrmarshal.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/dlls/ole32/usrmarshal.c b/dlls/ole32/usrmarshal.c
index f180f42..ed31620 100644
--- a/dlls/ole32/usrmarshal.c
+++ b/dlls/ole32/usrmarshal.c
@@ -170,11 +170,9 @@ unsigned char * __RPC_USER CLIPFORMAT_UserMarshal(ULONG *pFlags, unsigned char *
         pBuffer += sizeof(UINT);
         *(UINT *)pBuffer = len;
         pBuffer += sizeof(UINT);
-        TRACE("marshaling format name %s\n", debugstr_wn(format, len-1));
-        lstrcpynW((LPWSTR)pBuffer, format, len);
+        TRACE("marshaling format name %s\n", debugstr_w(format));
+        memcpy(pBuffer, format, len * sizeof(WCHAR));
         pBuffer += len * sizeof(WCHAR);
-        *(WCHAR *)pBuffer = '\0';
-        pBuffer += sizeof(WCHAR);
     }
     else
     {
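Review bot: The `memcpy(pBuffer, format, len * sizeof(WCHAR))` in CLIPFORMAT_UserMarshal stays in bounds only if `len` already counts the terminating nul and equals the count the sizing routine reserved, and nothing in the hunk states that. A comment above the copy would record the invariant, e.g. `/* len includes the terminating nul; must match the size reserved for this buffer */`. The assignment of `len` is outside the hunk, so this is inferred from the commit message rather than seen. The function body starts and ends outside the hunk.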
@@ -238,11 +236,11 @@ unsigned char * __RPC_USER CLIPFORMAT_UserUnmarshal(ULONG *pFlags, unsigned char
         if (*(UINT *)pBuffer != len)
             RaiseException(RPC_S_INVALID_BOUND, 0, 0, NULL);
         pBuffer += sizeof(UINT);
-        if (((WCHAR *)pBuffer)[len] != '\0')
+        if (((WCHAR *)pBuffer)[len - 1] != '\0')
             RaiseException(RPC_S_INVALID_BOUND, 0, 0, NULL);
         TRACE("unmarshaling clip format %s\n", debugstr_w((LPCWSTR)pBuffer));
         cf = RegisterClipboardFormatW((LPCWSTR)pBuffer);
-        pBuffer += (len + 1) * sizeof(WCHAR);
+        pBuffer += len * sizeof(WCHAR);
         if (!cf)
             RaiseException(DV_E_CLIPFORMAT, 0, 0, NULL);
         *pCF = cf;
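Review bot: The new terminator check `((WCHAR *)pBuffer)[len - 1]` in CLIPFORMAT_UserUnmarshal indexes outside the buffer when `len` is 0, and `len` appears to come from the marshaled data, since it is compared with the `UINT` read from `pBuffer` just above. Rejecting the empty case first closes that: `if (!len || ((WCHAR *)pBuffer)[len - 1] != '\0')`. This check is also the only thing bounding the nul-terminated reads in `debugstr_w` and `RegisterClipboardFormatW`, and nothing visible confirms that `len` WCHARs actually remain in the buffer. The assignment of `len` and the rest of the function are outside the hunk, so both points should be confirmed against the full body.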



