Jan. 4, 2023
7:20 p.m.
Esme Povirk (@madewokherd) commented about dlls/comdlg32/navbar.c:
+ INT len = 0, size; + WCHAR *text = NULL, *expanded = NULL; + DWORD expanded_cch; + ITEMIDLIST *pidl = NULL; + HRESULT hr; + + len = GetWindowTextLengthW(info->pathedit_hwnd); + if (!len) + goto exit; + + size = (len + 1) * sizeof(WCHAR); + text = HeapAlloc(GetProcessHeap(), 0, size); + if (!text) + goto exit; + + if (!GetWindowTextW(info->pathedit_hwnd, text, size)) According to MSDN, the last argument is the number of characters the buffer can accept, not the number of bytes, so this could overflow.
-- https://gitlab.winehq.org/wine/wine/-/merge_requests/1857#note_20327
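Review bot: The final call in the hunk, `GetWindowTextW(info->pathedit_hwnd, text, size)`, passes a byte count where the `cchMax` parameter expects a character count; `size` is `(len + 1) * sizeof(WCHAR)`, so the API is told the buffer holds twice as many WCHARs as `HeapAlloc` actually provided, and any text longer than the length reported by `GetWindowTextLengthW` (which is not guaranteed to stay consistent between the two calls) is written past the end of the allocation. Pass the character capacity instead, e.g. `GetWindowTextW(info->pathedit_hwnd, text, len + 1)`, and keep `size` only for the `HeapAlloc` call.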