comctl32: tooltips: avoid buffer overrun (spotted by
[email protected],
bug #8361), make sure some strings are NUL-terminated
Mikołaj Zalewski
mikolaj at zalewski.pl
Wed Jul 18 17:03:11 CDT 2007
-------------- next part --------------
From 8aaba1a9580546772c8dbefe1f631c3861bd1fe8 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Miko=C5=82aj_Zalewski?= <mikolaj at zalewski.pl>
Date: Wed, 11 Jul 2007 23:02:31 +0200
Subject: [PATCH] comctl32: tooltips: avoid buffer overrun (spotted by hto at mail.cnt.ru, bug #8361), make sure some strings are NUL-terminated
---
dlls/comctl32/tooltips.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/dlls/comctl32/tooltips.c b/dlls/comctl32/tooltips.c
index 4e11c5c..73af45b 100644
--- a/dlls/comctl32/tooltips.c
+++ b/dlls/comctl32/tooltips.c
@@ -340,12 +340,13 @@ static void TOOLTIPS_GetDispInfoA(HWND hwnd, TOOLTIPS_INFO *infoPtr, TTTOOL_INFO
sizeof(ttnmdi.szText)/sizeof(ttnmdi.szText[0]) : -1;
MultiByteToWideChar(CP_ACP, 0, ttnmdi.lpszText, max_len,
infoPtr->szTipText, INFOTIPSIZE);
+ infoPtr->szTipText[INFOTIPSIZE - 1] = 0; /* make sure the string is NUL-terminated */
if (ttnmdi.uFlags & TTF_DI_SETITEM) {
INT len = MultiByteToWideChar(CP_ACP, 0, ttnmdi.lpszText,
max_len, NULL, 0);
toolPtr->hinst = 0;
- toolPtr->lpszText = Alloc (len * sizeof(WCHAR));
- MultiByteToWideChar(CP_ACP, 0, ttnmdi.lpszText, -1,
+ toolPtr->lpszText = Alloc((len+1) * sizeof(WCHAR));
+ MultiByteToWideChar(CP_ACP, 0, ttnmdi.lpszText, max_len,
toolPtr->lpszText, len);
}
}
@@ -389,10 +390,10 @@ static void TOOLTIPS_GetDispInfoW(HWND hwnd, TOOLTIPS_INFO *infoPtr, TTTOOL_INFO
sizeof(ttnmdi.szText)/sizeof(ttnmdi.szText[0]) : INFOTIPSIZE-1;
lstrcpynW(infoPtr->szTipText, ttnmdi.lpszText, max_len);
if (ttnmdi.uFlags & TTF_DI_SETITEM) {
- INT len = max(strlenW(ttnmdi.lpszText), max_len);
+ INT len = min(strlenW(ttnmdi.lpszText), max_len);
toolPtr->hinst = 0;
- toolPtr->lpszText = Alloc ((len+1) * sizeof(WCHAR));
- memcpy(toolPtr->lpszText, ttnmdi.lpszText, (len+1) * sizeof(WCHAR));
+ toolPtr->lpszText = Alloc((len+1) * sizeof(WCHAR));
+ lstrcpynW(toolPtr->lpszText, ttnmdi.lpszText, len + 1);
}
}
else {
--
1.4.4.2
More information about the wine-patches
mailing list