http://bugs.winehq.org/show_bug.cgi?id=10739
Marcus Meissner marcus@jet.franken.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
         Resolution|WORKSFORME                  |
--- Comment #9 from Marcus Meissner marcus@jet.franken.de 2007-12-13 10:49:27 ---
fixme:msi:msi_dialog_vcl_add_columns before lstrcpynW, end-begin is 27, string is L"\VSI_MS_Sans_Serif13.0_0_0}"

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xf7ca6a00 (LWP 1957)]
0xffffe405 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe405 in __kernel_vsyscall ()
#1  0xf7cd48f5 in raise () from /lib/libc.so.6
#2  0xf7cd61e1 in abort () from /lib/libc.so.6
#3  0x7fb72b25 in msi_dialog_vcl_add_columns (dialog=0x7fe9c268, control=0x7fea6e88, rec=0x7fea3e10) at /suse/meissner/projects/wine-git/include/winbase.h:2139
#4  0x7fb72bd3 in msi_dialog_volumecost_list (dialog=0x7fe9c268, rec=0x7fea3e10) at /suse/meissner/projects/wine-git/dlls/msi/dialog.c:2567
#5  0x7fb6b643 in msi_dialog_create_controls (rec=0x7fea3e10, param=0x7fe9c268) at /suse/meissner/projects/wine-git/dlls/msi/dialog.c:2689
#6  0x7fb89fef in MSI_IterateRecords (view=0x7fe9e810, count=0x0, func=0x7fb6b5e0 <msi_dialog_create_controls>, param=0x7fe9c268) at /suse/meissner/projects/wine-git/dlls/msi/msiquery.c:190
FIXME("before lstrcpynW, end-begin is %d, string is %s\n", end-begin, debugstr_wn(begin + 1,end-begin));
It overflows the 10 WCHAR num buffer.
The lstrcpynW() should limit its size by buffer, not by end-begin.
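
Added example, not part of the original comment and not Wine's code: a portable sketch of the fix suggested above, where the copy length is clamped to the destination size instead of being taken from end-begin. The names extract_field, copy_n and NUM_LEN are hypothetical, copy_n is a stand-in with lstrcpynW-style semantics, and the leading '{' in the sample input is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define NUM_LEN 10 /* size of the destination, as in the "10 WCHAR num buffer" */

/* Hypothetical portable stand-in with lstrcpynW-style semantics:
 * copy at most n-1 characters and always NUL-terminate. */
static void copy_n(wchar_t *dst, const wchar_t *src, size_t n)
{
    size_t i = 0;
    if (n == 0)
        return;
    for (; i + 1 < n && src[i]; i++)
        dst[i] = src[i];
    dst[i] = L'\0';
}

/* Copy the text between the first '{' and the next '}' into num.
 * Returns 0 on success, 1 if the field had to be truncated, -1 if absent. */
int extract_field(const wchar_t *text, wchar_t *num)
{
    const wchar_t *begin = wcschr(text, L'{');
    const wchar_t *end;
    size_t want, n;

    num[0] = L'\0';
    if (!begin || !(end = wcschr(begin, L'}')))
        return -1;

    want = (size_t)(end - begin);        /* field length plus terminator */
    n = want < NUM_LEN ? want : NUM_LEN; /* clamp to the destination size */
    copy_n(num, begin + 1, n);
    return want > NUM_LEN ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs; the second is the field from the FIXME output. */
    const wchar_t *samples[] = { L"{50}", L"{\\VSI_MS_Sans_Serif13.0_0_0}" };
    wchar_t num[NUM_LEN];

    for (size_t i = 0; i < 2; i++) {
        int rc = extract_field(samples[i], num);
        printf("rc=%d len=%zu\n", rc, wcslen(num));
    }
    return 0;
}
```

The return value of 1 lets the caller reject a field that is not a short number rather than silently using the truncated text.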