3 Mar 2009, 12:30 p.m.
Rico Schüller <kgbricola(a)web.de> writes:
@@ -1498,7 +1498,10 @@ DWORD WINAPI mciSendStringA(LPCSTR lpstrCommand, LPSTR lpstrRet, MultiByteToWideChar( CP_ACP, 0, lpstrCommand, -1, lpwstrCommand, len ); if (lpstrRet) { - lpwstrRet = HeapAlloc(GetProcessHeap(), 0, uRetLen * sizeof(WCHAR)); + /* Use HEAP_ZERO_MEMORY, otherwise WideCharToMultiByte could crash if mciSendStringW fails, + * because the length is taken from the uninizialized data! + */ + lpwstrRet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, uRetLen * sizeof(WCHAR));
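Review bot: In the HeapAlloc call, passing HEAP_ZERO_MEMORY only guarantees that the later WideCharToMultiByte finds an empty string when mciSendStringW fails; the failure itself still goes unchecked. Since the added comment says the conversion takes its length from the buffer contents, make the conversion conditional on mciSendStringW's return value and skip it on error, rather than zeroing the allocation. The comment also misspells "uninitialized" as "uninizialized".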
That's just hiding the bug. The string shouldn't be converted at all if we failed to retrieve it.

--
Alexandre Julliard
julliard(a)winehq.org