LOCALE: Don't copy value if buffer is too small
Fabian Cenedese
Cenedese at indel.ch
Wed Feb 25 01:43:44 CST 2004
>> The found value (info->Data) should only be copied to (buffer) if its length (len)
>> is big enough. len is given in bytes (8 for the above call with a buffer of 4 WCHARs).
>> But the length of the data (ret) is in WCHAR units. So the comparison here
>> is completely wrong. Ok, I could change this to len/sizeof(WCHAR). But that's
>> still not enough because of the comparison before about info->Data[ret-1].
>
>len is supposed to be in WCHARs too, most likely the caller is not
>passing the correct size.
Ok, I saw that you fixed the WCHAR/byte mess. But there is still a possibility that
the function can copy a string longer than buffer if it already has an appended null.
This should fix it.
bye Fabi
Changelog:
Fabian Cenedese <Cenedese at indel.ch>
Check buffer length so we don't copy strings into buffer if they are too long.
Index: wine/dlls/kernel/locale.c
===================================================================
RCS file: /home/wine/wine/dlls/kernel/locale.c,v
retrieving revision 1.35
diff -u -r1.35 locale.c
--- wine/dlls/kernel/locale.c 25 Feb 2004 01:35:01 -0000 1.35
+++ wine/dlls/kernel/locale.c 25 Feb 2004 07:35:42 -0000
@@ -778,10 +778,16 @@
ret = 0;
}
}
+
if (ret && buffer)
{
- memcpy( buffer, info->Data, (ret-1) * sizeof(WCHAR) );
- buffer[ret-1] = 0;
+ if (ret <= len) {
+ memcpy( buffer, info->Data, (ret-1) * sizeof(WCHAR) );
+ buffer[ret-1] = 0;
+ } else {
+ SetLastError( ERROR_INSUFFICIENT_BUFFER );
+ ret = 0;
+ }
}
}
else
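Review bot: The new comparison "if (ret <= len)" is only correct when ret and len are counted in the same unit, and nothing in the hunk says which unit that is. The copy writes (ret-1) WCHARs plus the terminator at buffer[ret-1], so it needs ret WCHAR elements; the thread states that len is meant to be in WCHARs as well. A one-line comment above the check saying that both values are WCHAR counts and that ret includes the terminating null would keep the byte/WCHAR confusion discussed above from coming back. Two style points: the added "if (ret <= len) {" and "} else {" put the brace on the same line, while the enclosing "if (ret && buffer)" puts it on its own line, and the blank line added before that if is an unrelated whitespace change that could be dropped from the patch.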