crypt32: Fix potential buffer overruns in CertGetNameStringW

Juan Lang juan.lang at gmail.com
Wed Sep 9 10:45:00 CDT 2009


Sorry, I didn't see this until this morning.  It's perhaps a bit of a
pathological case, but if CertGetNameStringW were called with a
non-NULL string pointer and with cchNameString = 0, it would write
into the buffer.
--Juan
-------------- next part --------------
From db872c9b64e58e1fe13db97faea12702d347f94d Mon Sep 17 00:00:00 2001
From: Juan Lang <juan.lang at gmail.com>
Date: Wed, 9 Sep 2009 08:40:44 -0700
Subject: [PATCH 5/5] Fix potential buffer overruns in CertGetNameStringW

---
 dlls/crypt32/str.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/dlls/crypt32/str.c b/dlls/crypt32/str.c
index fa6eed9..b0a3d25 100644
--- a/dlls/crypt32/str.c
+++ b/dlls/crypt32/str.c
@@ -1018,7 +1018,7 @@ DWORD WINAPI CertGetNameStringW(PCCERT_CONTEXT pCertContext, DWORD dwType,
         {
             if (!pszNameString)
                 ret = strlenW(entry->pwszRfc822Name) + 1;
-            else
+            else if (cchNameString)
             {
                 ret = min(strlenW(entry->pwszRfc822Name), cchNameString - 1);
                 memcpy(pszNameString, entry->pwszRfc822Name,
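Review bot: With `else if (cchNameString)`, a non-NULL pszNameString combined with cchNameString == 0 now skips the copy and leaves `ret` at whatever value it held before this branch, which is set outside the hunk. It is worth confirming that no later fallback in CertGetNameStringW treats `ret == 0` as "no name found" and stores a terminator through pszNameString, since that would still write to a zero-length buffer; the same applies to the hunks at 1103, 1140 and 1164. A one-line comment above the guard would record why it exists, e.g. `/* cchNameString - 1 wraps when cchNameString is 0, so min() would not bound the copy */`. A regression test that calls the function with a non-NULL buffer and a zero count would keep the guard from being dropped later.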
@@ -1103,7 +1103,7 @@ DWORD WINAPI CertGetNameStringW(PCCERT_CONTEXT pCertContext, DWORD dwType,
                 {
                     if (!pszNameString)
                         ret = strlenW(entry->pwszRfc822Name) + 1;
-                    else
+                    else if (cchNameString)
                     {
                         ret = min(strlenW(entry->pwszRfc822Name),
                          cchNameString - 1);
@@ -1140,7 +1140,7 @@ DWORD WINAPI CertGetNameStringW(PCCERT_CONTEXT pCertContext, DWORD dwType,
         {
             if (!pszNameString)
                 ret = strlenW(entry->pwszDNSName) + 1;
-            else
+            else if (cchNameString)
             {
                 ret = min(strlenW(entry->pwszDNSName), cchNameString - 1);
                 memcpy(pszNameString, entry->pwszDNSName, ret * sizeof(WCHAR));
@@ -1164,7 +1164,7 @@ DWORD WINAPI CertGetNameStringW(PCCERT_CONTEXT pCertContext, DWORD dwType,
         {
             if (!pszNameString)
                 ret = strlenW(entry->pwszURL) + 1;
-            else
+            else if (cchNameString)
             {
                 ret = min(strlenW(entry->pwszURL), cchNameString - 1);
                 memcpy(pszNameString, entry->pwszURL, ret * sizeof(WCHAR));
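Review bot: The size-query / bounded-copy sequence is now written out four times (pwszRfc822Name twice, pwszDNSName, pwszURL), each needing its own zero-length guard, so a branch added later can miss it again. A small static helper would hold the guard and the `cchNameString - 1` arithmetic in one place, with each call site reduced to `ret = copy_name_string(entry->pwszURL, pszNameString, cchNameString);`. The tail of each branch after the memcpy is outside the hunks, so the helper below leaves the terminator write and the return value to be taken from the existing code.

```c
/* Size query when dst is NULL; otherwise copies at most cch - 1 WCHARs.
 * Writes nothing when cch is 0. */
static DWORD copy_name_string(LPCWSTR src, LPWSTR dst, DWORD cch)
{
    DWORD len;

    if (!dst)
        return strlenW(src) + 1;
    if (!cch)
        return 0; /* keep in step with what ret holds on this path today */
    len = min(strlenW(src), cch - 1);
    memcpy(dst, src, len * sizeof(WCHAR));
    /* … unchanged: terminator write and return value, as after the memcpy in the existing branches … */
}
```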
-- 
1.6.3.2

