niansa-misc/wine
1
0
Fork 0
mirror of synced 2025-03-07 03:53:26 +01:00
Code Issues Projects Releases Packages Wiki Activity

compstui: Fix a possible out-of-bounds write (Coverity).

Browse source 
When len is 256, (ARRAY_SIZE(title) - len) is 0. When LoadStringW() is called with the last parameter
being zero, a WCHAR string pointer is stored at 'title + 256', writing title out of bounds.
This commit is contained in:
Zhiyi Zhang 2023-12-30 12:09:03 +08:00 committed by Alexandre Julliard
parent 2b323dbad7
commit 6164432aa7
1 changed files with 8 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
dlls/compstui/compstui_main.c
View file

@ -478,18 +478,22 @@ static LONG create_property_sheetW(struct propsheet *ps, PROPSHEETUI_INFO_HEADER
(!header->titleW || !(header->flags & PSUIHDRF_EXACT_PTITLE)))
{
len = wcslen(title);
if (len < ARRAY_SIZE(title))
if (len < ARRAY_SIZE(title) - 1)
{
title[len++] = ' ';
LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len);
LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len);
}
}
if ((header->flags & PSUIHDRF_PROPTITLE) &&
(!header->titleW || !(header->flags & PSUIHDRF_EXACT_PTITLE)))
{
len = wcslen(title);
if (len < ARRAY_SIZE(title))
if (len < ARRAY_SIZE(title) - 1)
{
title[len++] = ' ';
LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len);
LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len);
}
}
psh.nPages = ps->pages_cnt;