[PATCH v2] hhctrl.ocx: Handle just number of bytes given in html_fragment_len.
Bernhard Übelacker
bernhardu at mailbox.org
Tue Jul 6 07:23:13 CDT 2021
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=39699
Signed-off-by: Bernhard Übelacker <bernhardu at mailbox.org>
---
Supersedes: 209112
Changes:
v1:
https://www.winehq.org/pipermail/wine-devel/2021-July/thread.html#190184
v2: Use memchr instead of reimplementing strnchr.
The crash occurs like below, because the second """ is
found outside of html_fragment_len.
Therefore the length given to memcpy is negative.
Seems it must not be relied upon that the input string
has a proper null termination.
At least the search index of this file looks bogus
even when opened inside windows.
wine hh.exe "c:\\Program Files\\OPG\\EDTW\\edtw.chm"
(rr) bt
#0 0x70bae108 in copy_bwd ()
#1 0x7ffc2000 in ?? ()
#2 0x68dca5a1 in decode_html (html_fragment=0xd73c35 "h", html_fragment_len=87, code_page=1252) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/help.c:1943
#3 0x68dcde24 in parse_hhindex (info=<optimized out>, str=<optimized out>, item=0xd73788) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/index.c:113
#4 0x68dce62c in InitIndex (info=0x2878b8) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/index.c:279
#5 0x68dc9f51 in CreateHelpViewer (info=0x2878b8, filename=0x21fab8, caller=0x10020) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/help.c:1755
#6 0x68dcb110 in HtmlHelpW at 16 (caller=0x10020, filename=0x286140, command=0, data=0) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/hhctrl.c:192
#7 0x68dcd27d in doWinMain at 8 (hInstance=0x1000000, szCmdLine=<optimized out>) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/hhctrl.c:564
#8 0x010013f0 in ?? ()
#9 0x0100170d in ?? ()
#10 0x7b62e250 in WriteTapemark at 16 ()
# some instructions reverse:
(rr) bt
#0 0x70badfc0 in sse2_memmove ()
#1 0x70bb4e4e in memcpy (dst=0xd73dca, src=0xd73cb9, n=4294967251) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/msvcrt/string.c:2750
#2 0x68dca5a1 in decode_html (html_fragment=0xd73c35 "XE "Datei-Endung \r\nK K K K K K K K K K K K K <!--tab-->Die Einstellungen f\374r Type\">\r\n\t\t<param name=\"See Also\" value=\"XE "Datei-Endung \r\nK K K K K K K K K K K K K <!--tab-->Die Einstellunge"..., html_fragment_len=87, code_page=1252) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/help.c:1943
#3 0x68dcde24 in parse_hhindex (info=<optimized out>, str=<optimized out>, item=0xd73788) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/index.c:113
...
(rr) print html_fragment_len
$5 = 87
(rr) print html_fragment
$7 = 0xd73c35 "XE "Datei-Endung \r\nK K K K K K K K K K K K K <!--tab-->Die Einstellungen f\374r Type\">\r\n\t\t<param name=\"See Also\" value=\"XE "Datei-Endung \r\nK K K K K K K K K K K K K <!--tab-->Die Einstellunge"...
---
dlls/hhctrl.ocx/help.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/hhctrl.ocx/help.c b/dlls/hhctrl.ocx/help.c
index 06f73358f44..e9957a86e73 100644
--- a/dlls/hhctrl.ocx/help.c
+++ b/dlls/hhctrl.ocx/help.c
@@ -1898,14 +1898,14 @@ WCHAR *decode_html(const char *html_fragment, int html_fragment_len, UINT code_p
while(1)
{
symbol = 0;
- amp = strchr(h, '&');
+ amp = memchr(h, '&', html_fragment + html_fragment_len - h);
if(!amp) break;
len = amp-h;
/* Copy the characters prior to the HTML encoded character */
memcpy(&tmp[tmp_len], h, len);
tmp_len += len;
amp++; /* skip ampersand */
- sem = strchr(amp, ';');
+ sem = memchr(amp, ';', html_fragment + html_fragment_len - amp);
/* Require a semicolon after the ampersand */
if(!sem)
{
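Review bot: Both new `memchr` calls compute their bound inline as `html_fragment + html_fragment_len - h` and `html_fragment + html_fragment_len - amp`, which is only safe while `h` and `amp` never pass the end of the fragment. The third argument of `memchr` is a `size_t`, so a pointer that had moved past the end would turn the negative difference into a huge count, the same kind of value as the `n=4294967251` in the backtrace. Consider hoisting a single `const char *end = html_fragment + html_fragment_len;` above the `while(1)` and using `end - h` and `end - amp`, and adding a short comment at that point that the fragment is length-delimited and not guaranteed to be NUL-terminated, so that a later cleanup does not switch these back to `strchr`.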
--
2.30.2
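An added illustration of the failure mode described in the message above (not code from Wine or from the patch author): a constructed buffer whose first 9 bytes form the fragment, with the only `;` lying beyond that length. The helper names and the sample data are assumptions; the helpers only compute the byte count that would remain in the fragment after the entity, which is the value that ends up as a copy length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the fragment is the first SAMPLE_FRAG_LEN bytes only;
 * the buffer continues with unrelated data that happens to contain ';'. */
static const char sample_buf[] = "A &quot B\" value=\"C &quot; D";
#define SAMPLE_FRAG_LEN 9 /* "A &quot B" */

/* Unbounded search: relies on NUL termination, so ';' may be found past the
 * fragment end and the remaining length becomes negative. */
static ptrdiff_t tail_len_unbounded(const char *frag, int frag_len)
{
    const char *end = frag + frag_len;
    const char *amp = strchr(frag, '&');
    const char *sem;

    if (!amp) return frag_len;
    sem = strchr(amp + 1, ';');
    if (!sem) return end - amp;
    return end - (sem + 1);
}

/* Bounded search: never looks past frag + frag_len. */
static ptrdiff_t tail_len_bounded(const char *frag, int frag_len)
{
    const char *end = frag + frag_len;
    const char *amp = memchr(frag, '&', (size_t)frag_len);
    const char *sem;

    if (!amp) return frag_len;
    sem = memchr(amp + 1, ';', (size_t)(end - (amp + 1)));
    if (!sem) return end - amp; /* no terminator: '&' and the rest stay literal */
    return end - (sem + 1);
}

int main(void)
{
    ptrdiff_t bad = tail_len_unbounded(sample_buf, SAMPLE_FRAG_LEN);
    ptrdiff_t ok = tail_len_bounded(sample_buf, SAMPLE_FRAG_LEN);

    /* Converted to size_t, the negative value is what a memcpy would receive. */
    printf("unbounded: %td (as size_t: %zu)\n", bad, (size_t)bad);
    printf("bounded:   %td\n", ok);
    return 0;
}
```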