https://bugs.winehq.org/show_bug.cgi?id=12401
--- Comment #55 from Indrek Ardel eniw@ardel.eu ---

(In reply to Zeb Figura from comment #54)
> Sorry for missing those patches...
>
> (In reply to Indrek Ardel from comment #52)
> > Created attachment 75959 [details] Fix for nt_full_target string length
>
> Hrm, that patch looks a bit suspicious. The only wcslen() removed is on a buffer that was just copied to with wcscpy(), so it should definitely be zero-terminated. Does the patch actually help?
nt_full_target is composed by concatenating two buffers: 1) nt_path is copied to the beginning of nt_full_target.Buffer using wcscpy; 2) nt_target.Buffer is copied, using memcpy, to the position where nt_path's zero terminator would be.

The second source string, which is of type UNICODE_STRING, isn't guaranteed to end with a zero terminator itself. As it stands, the resulting nt_full_target.Buffer cannot be trusted to have a zero terminator either, which makes wcslen on such a buffer include more characters when the uninitialized memory following it happens to contain non-zero characters. The patch avoids performing wcslen on the final buffer; the length is calculated by summing the two source string lengths together instead.
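As an added illustration of the point made in this comment (not Wine's code and not the attached patch), the following C snippet builds a full target string from a zero-terminated path and a counted UNICODE_STRING whose Buffer carries no terminator. The result's Length is derived from the two source lengths rather than by scanning the destination. The UNICODE_STRING struct, the 16-bit WCHAR typedef, the wcslen16 helper and the sample path and target values are all simplified stand-ins constructed for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the Windows types (assumption: WCHAR is 16 bits, as on Windows). */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use, NOT counting any terminator */
    uint16_t MaximumLength; /* bytes available in Buffer */
    WCHAR   *Buffer;        /* counted string: may or may not be zero-terminated */
} UNICODE_STRING;

/* Length in characters of a zero-terminated 16-bit string (the role wcslen plays on Windows).
 * Only ever applied to inputs that are known to be terminated. */
static size_t wcslen16(const WCHAR *s)
{
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* Builds dst = nt_path + nt_target.
 * nt_path is zero-terminated; nt_target is a counted string whose Buffer is not assumed
 * to be terminated. dst->Length is computed from the two source lengths, never by
 * scanning the destination with wcslen. Returns 0 on success, -1 if dst is too small. */
static int build_full_target(UNICODE_STRING *dst, const WCHAR *nt_path,
                             const UNICODE_STRING *nt_target)
{
    size_t path_bytes  = wcslen16(nt_path) * sizeof(WCHAR);
    size_t total_bytes = path_bytes + nt_target->Length;

    if (total_bytes > dst->MaximumLength) return -1;

    memcpy(dst->Buffer, nt_path, path_bytes);                 /* path, without its terminator */
    memcpy((char *)dst->Buffer + path_bytes, nt_target->Buffer, nt_target->Length);
    dst->Length = (uint16_t)total_bytes;

    /* Terminate only if there is room; callers must still rely on Length, not on a terminator. */
    if (total_bytes + sizeof(WCHAR) <= dst->MaximumLength)
        dst->Buffer[total_bytes / sizeof(WCHAR)] = 0;
    return 0;
}

/* Demonstration with constructed inputs: the target's Buffer has junk after Length, and the
 * destination is pre-filled with non-zero bytes, so a scan-based length would be wrong. */
static size_t demo_full_target_chars(void)
{
    static const WCHAR path[] = { '\\', '?', '?', '\\', 'C', ':', '\\', 0 };           /* 7 chars */
    static WCHAR target_raw[] = { 'd', 'i', 'r', '\\', 'f', 'i', 'l', 'e', 'J', 'U', 'N', 'K' };
    UNICODE_STRING target = { 8 * sizeof(WCHAR), sizeof(target_raw), target_raw };  /* 8 chars */

    WCHAR out[64];
    UNICODE_STRING full = { 0, sizeof(out), out };
    memset(out, 0xAB, sizeof(out));   /* simulate uninitialized, non-zero memory */

    if (build_full_target(&full, path, &target) != 0) return 0;
    return full.Length / sizeof(WCHAR);   /* 7 + 8 = 15 characters */
}
```

The memcpy of the path deliberately drops its terminator and the terminator is re-added only when MaximumLength leaves room, so the counted Length is the single source of truth for how much of the buffer is valid.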