[PATCH 0/1] MR4767: compstui: Fix a possible out-of-bounds write (Coverity).
When len is 256, (ARRAY_SIZE(title) - len) is 0. When LoadStringW() is called with the last parameter being zero, a WCHAR string pointer is stored at 'title + 256', writing title out of bounds. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/4767
From: Zhiyi Zhang <zzhang(a)codeweavers.com> When len is 256, (ARRAY_SIZE(title) - len) is 0. When LoadStringW() is called with the last parameter being zero, a WCHAR string pointer is stored at 'title + 256', writing title out of bounds. --- dlls/compstui/compstui_main.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dlls/compstui/compstui_main.c b/dlls/compstui/compstui_main.c index 60d5f9891b0..57fe0879c0c 100644 --- a/dlls/compstui/compstui_main.c +++ b/dlls/compstui/compstui_main.c @@ -480,7 +480,8 @@ static LONG create_property_sheetW(struct propsheet *ps, PROPSHEETUI_INFO_HEADER len = wcslen(title); if (len < ARRAY_SIZE(title)) title[len++] = ' '; - LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len); + if (ARRAY_SIZE(title) - len > 0) + LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len); } if ((header->flags & PSUIHDRF_PROPTITLE) && @@ -489,7 +490,8 @@ static LONG create_property_sheetW(struct propsheet *ps, PROPSHEETUI_INFO_HEADER len = wcslen(title); if (len < ARRAY_SIZE(title)) title[len++] = ' '; - LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len); + if (ARRAY_SIZE(title) - len > 0) + LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len); } psh.nPages = ps->pages_cnt; -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/4767
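Review bot: in the first hunk (the IDS_CPSUI_DEFAULT block), the new guard leaves title without a terminating NUL in exactly the case it is meant to handle. When wcslen(title) returns 255, `title[len++] = ' '` overwrites the terminator at title[255] and len becomes 256; the guard then skips LoadStringW(), so nothing writes a NUL back into the buffer. Consider checking for room before appending the separator, for example `if (len + 1 < ARRAY_SIZE(title))` around both the space and the LoadStringW() call, so that a full title is left untouched and still terminated.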
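Review bot: in the second hunk (the IDS_CPSUI_PROPERTIES block), `len = wcslen(title)` at the top of the block relies on title being NUL-terminated, which the preceding block no longer guarantees once its LoadStringW() call is skipped after the space has been written; if both blocks run, this wcslen() reads past the end of the array. The guard added here has the same gap as the one above it, so the separator and the load should be protected by one check that leaves room for the terminator. As a style point, `ARRAY_SIZE(title) - len > 0` is an unsigned subtraction and only tests for inequality; `len < ARRAY_SIZE(title)` states the intent directly.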