On 20.07.2015 12:53, Alistair Leslie-Hughes wrote:
+ else + { + WCHAR name[MAX_PATH]; + DWORD index = 0; + DWORD namelen; + + usedefault = FALSE; + + memset(buff, 0, buff_len); + namelen = sizeof(name); + while (RegEnumValueW(sectionkey, index, name, &namelen, NULL, NULL, NULL, NULL ) == ERROR_SUCCESS) + { + lstrcpyW(buff+ret, name); + ret += namelen+1; + namelen = sizeof(name); + index++; + } + }
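Review bot: In both `namelen = sizeof(name);` assignments the value passed to RegEnumValueW is a byte count, but that parameter is the size of the name buffer in characters. With `WCHAR name[MAX_PATH]` this tells the API the buffer is twice as large as it really is, so a long value name could be written past the end of `name`. Use `sizeof(name)/sizeof(name[0])` in both places. The loop also ends on any return other than ERROR_SUCCESS, so an ERROR_MORE_DATA result for one value would silently end the enumeration; consider handling that case explicitly.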
In this new case you unconditionally write to 'buff' without checking if you already exceeded 'buff_len'. Also memset of whole buffer looks suspicious and I don't see anything in tests that proves it.