[PATCH] comctl32: allocate the right wstr size for the TVN_GETDISPINFOW reply
Damjan Jovanovic
damjan.jov at gmail.com
Tue Nov 26 10:08:22 CST 2019
The code doesn't multiply the strlenW() by sizeof(WCHAR),
allocating a buffer that is half the needed size, and
resulting in a guaranteed buffer overflow and heap corruption
when lstrcpyW() later copies the string.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=25264
Signed-off-by: Damjan Jovanovic <damjan.jov at gmail.com>
---
dlls/comctl32/treeview.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-------------- next part --------------
diff --git a/dlls/comctl32/treeview.c b/dlls/comctl32/treeview.c
index 0d2c825714..06c4586fcd 100644
--- a/dlls/comctl32/treeview.c
+++ b/dlls/comctl32/treeview.c
@@ -754,7 +754,7 @@ TREEVIEW_UpdateDispInfo(const TREEVIEW_INFO *infoPtr, TREEVIEW_ITEM *item,
else {
int len = max(lstrlenW(callback.item.pszText) + 1,
TEXT_CALLBACK_SIZE);
- LPWSTR newText = heap_realloc(item->pszText, len);
+ LPWSTR newText = heap_realloc(item->pszText, len*sizeof(WCHAR));
TRACE("returned wstr %s, len=%d\n",
debugstr_w(callback.item.pszText), len);
More information about the wine-devel
mailing list