Jacek Caban (@jacek) commented about dlls/kernelbase/path.c:
INT ih; WCHAR buf[5] = L"0x"; + memcpy(buf + 2, src + 1, 2*sizeof(WCHAR)); buf[4] = 0; StrToIntExW(buf, STIF_SUPPORT_HEX, &ih); - next = (WCHAR) ih; src += 2; /* Advance to end of escape */ + + if (flags & URL_UNESCAPE_AS_UTF8) + { + utf8_buf[0] = ih; + utf8_len = get_utf8_len(ih); + for (i = 1; i < utf8_len; i++) + { + memcpy(buf + 2, src + 2, 2 * sizeof(WCHAR));
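Review bot: the loop body in the `URL_UNESCAPE_AS_UTF8` branch copies from `src` before validating that the input extends that far; `memcpy(buf + 2, src + 2, 2 * sizeof(WCHAR))` reads `src[2]` and `src[3]` unconditionally, so a string that ends right after the first `%XX` escape (or whose continuation is not another `%` escape) is read past its terminating null. Move the format and length check ahead of the copy, e.g. confirm `src[2] == '%'` and that `src[3]` and `src[4]` are non-null hex digits before the `memcpy`, and bail out of the multi-byte path otherwise. It would also help to document in a comment what `get_utf8_len(ih)` returns for a lead byte that is not a valid UTF-8 start (0x80..0xBF or above 0xF4), since `utf8_len` directly controls how many further escapes this loop consumes.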
At this point, for all you know src[1], src[2] and src[3] may be null bytes. The check below is too late; this memcpy potentially reads bytes after the buffer end. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/585#note_41487