wordpad: Avoid buffer overrun in registry_set_filelist.
Thomas Faber
thomas.faber at reactos.org
Mon Jun 27 06:25:50 CDT 2016
On 2016-06-27 09:53, Huw Davies wrote:
> On Sun, Jun 26, 2016 at 11:42:31AM +0200, Thomas Faber wrote:
>> @@ -298,7 +298,7 @@ void registry_set_filelist(LPCWSTR newFile, HWND hMainWnd)
>> if(!lstrcmpiW(pFiles[i], newFile))
>> {
>> int j;
>> - for(j = 0; pFiles[j] && j < i; j++)
>> + for(j = 0; j < i && pFiles[j]; j++)
>> {
>> pFiles[i-j] = pFiles[i-j-1];
>> }
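Review bot: Swapping the operands in the loop condition on the `+` line does not remove any out-of-range read. With the old order, the highest index ever evaluated is `pFiles[i]` (when `j == i`), and that same element is already read by `lstrcmpiW(pFiles[i], newFile)` two lines above. The loop body only touches `pFiles[i-j]` and `pFiles[i-j-1]` for `j` from 0 to `i-1`, so it stays within indices 0 to `i` either way. If the `pFiles[j]` test has no purpose here, reduce the condition to `j < i`. Otherwise, the commit message should state which index is supposed to overrun.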
>
> This looks odd to me. I don't see how this could avoid an overflow;
> pFiles[i] is valid at this point and so pFiles[j] will be ok if j == i.
>
> More confusingly though, is why pFiles[j] is in the test at all.
Oops, you're completely right, thanks for catching that.
I agree that pFiles[j] cannot be NULL here. I'll send a patch to remove
the check.
Thanks.
-Thomas