ntdll: Fix RtlIntegerToUnicodeString so it won't overflow

Maarten Lankhorst m.b.lankhorst at gmail.com
Thu May 8 13:00:25 CDT 2008


Hello Alexandre,

2008/5/8 Alexandre Julliard <julliard at winehq.org>:
> "Maarten Lankhorst" <m.b.lankhorst at gmail.com> writes:
>
>  > @@ -1970,7 +1970,7 @@ NTSTATUS WINAPI RtlIntegerToUnicodeString(
>  >      } while (value != 0L);
>  >
>  >      str->Length = (&buffer[32] - pos) * sizeof(WCHAR);
>  > -    if (str->Length >= str->MaximumLength) {
>  > +    if (str->Length + sizeof(WCHAR) >= str->MaximumLength) {
>  >       return STATUS_BUFFER_OVERFLOW;
>  >      } else {
>  >       memcpy(str->Buffer, pos, str->Length + sizeof(WCHAR));
>
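Review bot: the >= on the + line rejects the exact-fit case. When str->Length + sizeof(WCHAR) == str->MaximumLength, the memcpy below writes exactly MaximumLength bytes, which is in bounds, yet the function now returns STATUS_BUFFER_OVERFLOW. The precise bound for a copy of str->Length + sizeof(WCHAR) bytes is "if (str->Length + sizeof(WCHAR) > str->MaximumLength)". Note also that str->Length is always a multiple of sizeof(WCHAR) here (it is a WCHAR count times sizeof(WCHAR) two lines above), so the old "str->Length >= str->MaximumLength" test already guaranteed Length + sizeof(WCHAR) <= MaximumLength whenever MaximumLength is itself WCHAR-aligned; the new test only changes behaviour for an odd MaximumLength, and otherwise just turns a valid exact fit into an error.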
>  There's no overflow here. The Windows implementation of
>  RtlIntegerToUnicodeString seems badly confused but I don't think
>  we need to replicate those bugs.

It copies str->Length + sizeof(WCHAR) to the destination buffer
according to James' test cases. So it definitely looks like a bug to me
if it copied data beyond MaximumLength, since only up to
MaximumLength is guaranteed to be allocated. Of course you're right
that my fix is likely wrong; the >= max should probably be changed to
> max, otherwise it would return STATUS_BUFFER_OVERFLOW wrongly.

Cheers,
Maarten.
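As an added illustration, not Wine's code and not part of this thread, the following C model mirrors the arithmetic visible in the quoted hunk: digits are written backwards up to &buffer[32], Length is taken from the pointer difference, and Length + sizeof(WCHAR) bytes (digits plus terminator) are copied on success. It then runs the three candidate bounds checks from the discussion side by side, for a buffer that fits exactly, one that is a byte short with an odd MaximumLength, and one that is too small. The USTRING type, the status values, the check_mode enum and the outcome() helper are constructed for this example; the model clamps the copy and reports the would-be overflow instead of actually writing out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the NT types involved; constructed for this example. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use, terminator excluded */
    uint16_t MaximumLength; /* bytes allocated behind Buffer */
    WCHAR   *Buffer;
} USTRING;

/* Example status codes, not the real NTSTATUS values. */
enum status { ST_SUCCESS = 0, ST_BUFFER_OVERFLOW = 1, ST_INVALID_PARAMETER = 2 };

/* The three candidate bounds checks discussed in the thread. */
enum check_mode {
    CHECK_OLD,      /* Length >= MaximumLength                 (before the patch) */
    CHECK_PATCH_GE, /* Length + sizeof(WCHAR) >= MaximumLength (the posted patch) */
    CHECK_GT        /* Length + sizeof(WCHAR) >  MaximumLength (the follow-up) */
};

static int check_rejects(uint16_t length, uint16_t maxlen, enum check_mode mode)
{
    switch (mode) {
    case CHECK_OLD:      return length >= maxlen;
    case CHECK_PATCH_GE: return length + sizeof(WCHAR) >= maxlen;
    default:             return length + sizeof(WCHAR) >  maxlen;
    }
}

/* Model of the conversion: digits are produced backwards into buffer[],
 * with buffer[32] holding the terminator, as the hunk's "&buffer[32] - pos"
 * arithmetic implies. On success Length + sizeof(WCHAR) bytes are copied,
 * as in the hunk's memcpy. *overflowed reports whether that copy would have
 * run past MaximumLength; the copy is clamped so memory is never corrupted.
 * Base handling (0 means 10; only 2, 8, 10, 16 allowed) follows the
 * documented API. */
static enum status int_to_ustring(uint32_t value, unsigned base, USTRING *str,
                                  enum check_mode mode, int *overflowed)
{
    static const char digits[] = "0123456789abcdef";
    WCHAR buffer[33];
    WCHAR *pos = &buffer[32];
    size_t needed;

    *overflowed = 0;
    if (base == 0) base = 10;
    if (base != 2 && base != 8 && base != 10 && base != 16)
        return ST_INVALID_PARAMETER;

    *pos = 0;                                  /* terminator at buffer[32] */
    do {
        *--pos = (WCHAR)digits[value % base];
        value /= base;
    } while (value != 0);

    str->Length = (uint16_t)((&buffer[32] - pos) * sizeof(WCHAR));
    if (check_rejects(str->Length, str->MaximumLength, mode))
        return ST_BUFFER_OVERFLOW;

    needed = str->Length + sizeof(WCHAR);      /* digits plus terminator */
    if (needed > str->MaximumLength) {
        *overflowed = 1;                       /* the real memcpy would go out of bounds */
        needed = str->MaximumLength;
    }
    memcpy(str->Buffer, pos, needed);
    return ST_SUCCESS;
}

/* Convert value into a buffer of maxlen bytes and return status*10 + overflowed,
 * so one integer captures both the reported status and the hidden overflow. */
static int outcome(uint32_t value, uint16_t maxlen, enum check_mode mode)
{
    WCHAR storage[64] = {0};
    USTRING str = { 0, maxlen, storage };
    int overflowed;
    enum status st = int_to_ustring(value, 10, &str, mode, &overflowed);
    return (int)st * 10 + overflowed;
}

int main(void)
{
    /* 12345 needs 5 WCHARs = 10 bytes, plus a 2-byte terminator = 12 bytes. */
    const char *names[] = { "old >=", "patch >=", "follow-up >" };
    for (int m = CHECK_OLD; m <= CHECK_GT; m++)
        printf("%-12s max=12: %2d  max=11: %2d  max=10: %2d\n", names[m],
               outcome(12345, 12, m), outcome(12345, 11, m), outcome(12345, 10, m));
    return 0;
}
```

Reading the output: 0 means the copy succeeded in bounds, 1 means the check let a copy through that overruns MaximumLength, and 10 means STATUS_BUFFER_OVERFLOW was returned. Only the > form both accepts the exact fit (max=12) and refuses the odd-sized buffer (max=11); the old >= overruns the odd buffer by one byte, and the patched >= turns the exact fit into an error.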
