Module: wine Branch: master Commit: 2d33f406c93bc0d5c0ec6053a3967a19ee5e9f72 URL: https://source.winehq.org/git/wine.git/?a=commit;h=2d33f406c93bc0d5c0ec6053a... Author: Eduard Permyakov <epermyakov(a)codeweavers.com> Date: Fri Aug 6 15:01:16 2021 +0300 xmllite: Don't lose terminating character when shrinking buffer. The utf16 buffer is expected to be terminated by a '0' character. Flawed buffer shrinking logic would move the buffer contents but forget about the terminating character, which could cause reading junk past the end of the buffer contents. Signed-off-by: Eduard Permyakov <epermyakov(a)codeweavers.com> Signed-off-by: Nikolay Sivov <nsivov(a)codeweavers.com> Signed-off-by: Alexandre Julliard <julliard(a)winehq.org> --- dlls/xmllite/reader.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dlls/xmllite/reader.c b/dlls/xmllite/reader.c index a5a75c29887..834c36ae18c 100644 --- a/dlls/xmllite/reader.c +++ b/dlls/xmllite/reader.c @@ -2128,6 +2128,7 @@ static HRESULT reader_parse_reference(xmlreader *reader) memmove(start + 1, ptr + 1, len); buffer->written -= (reader_get_cur(reader) - cur) * sizeof(WCHAR); + *(WCHAR*)(buffer->data + buffer->written) = 0; buffer->cur = cur + 1; *start = ch; @@ -2151,6 +2152,7 @@ static HRESULT reader_parse_reference(xmlreader *reader) memmove(start+1, ptr+1, len); buffer->cur = cur + 1; buffer->written -= (ptr - start) * sizeof(WCHAR); + *(WCHAR*)(buffer->data + buffer->written) = 0; *start = ch; }