[PATCH 0/1] MR3358: msvcrt: fix out-of-bound access in create_locinfo
`wcsncpy` and `GetLocaleInfoEx` take length in number of characters, but `size` and `ret` count number of bytes. Previous commit changed a call to `GetLocaleInfoW` which counts length in `TCHAR`s (aka bytes), to the current `GetLocaleInfoEx`, which is probably the source of this confusion. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/3358
From: Yuxuan Shui <yshui(a)codeweavers.com> Fixes: 24a2b625545f1875b5c3177f2b9 Signed-off-by: Yuxuan Shui <yshui(a)codeweavers.com> --- dlls/msvcrt/locale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dlls/msvcrt/locale.c b/dlls/msvcrt/locale.c index 9fa6ba76143..7ace8fb6337 100644 --- a/dlls/msvcrt/locale.c +++ b/dlls/msvcrt/locale.c @@ -1257,12 +1257,12 @@ static __lc_time_data* create_time_data(WCHAR *sname) for(i=0; i<ARRAY_SIZE(time_data); i++) { cur->wstr.wstr[i] = (wchar_t*)&cur->data[ret]; ret += GetLocaleInfoEx(sname, time_data[i], - (wchar_t*)&cur->data[ret], size-ret)*sizeof(wchar_t); + (wchar_t*)&cur->data[ret], (size-ret) / sizeof(wchar_t))*sizeof(wchar_t); } #endif #if _MSVCR_VER >= 110 cur->locname = (wchar_t*)&cur->data[ret]; - wcsncpy((wchar_t *) &cur->data[ret], sname, size-ret); + wcsncpy((wchar_t *) &cur->data[ret], sname, (size-ret) / sizeof(wchar_t)); #else cur->lcid = lcid; #endif -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/3358
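Review bot: The `wcsncpy` call at the end of the hunk is now bounded by `(size-ret) / sizeof(wchar_t)`, but `wcsncpy` writes no terminator when `sname` is at least that many characters long, so `cur->locname` is only null-terminated if `size` was computed to include the terminator for `sname`. That computation is outside the visible lines; please confirm it, or check the remaining space against `wcslen(sname) + 1` before copying. In the loop above it, the return value of `GetLocaleInfoEx` is added to `ret` unchecked, and a return of 0 on failure would leave `cur->wstr.wstr[i]` and the next entry pointing at the same offset, which is worth handling or at least noting. Since the cover letter attributes the bug to mixing units, a short comment stating that `size` and `ret` are byte offsets into `cur->data`, or a local holding the remaining space in `wchar_t`s, would keep the two conversions from drifting apart again.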
@vitorhnn, hi can you please have a look? -- https://gitlab.winehq.org/wine/wine/-/merge_requests/3358#note_39561
participants (2): Yuxuan Shui, Yuxuan Shui (@yshui)