http://bugs.winehq.org/show_bug.cgi?id=19720
--- Comment #24 from Juan Lang juan_lang@yahoo.com 2009-08-20 16:58:07 ---
(In reply to comment #23)
> In function bstr_to_utf8, the SysStringLen(bstr) call is returning a string length greater than the actual string, thus it buffer overruns.
The question is, why is the length of the BSTR bogus? Are they passing a WCHAR * as a BSTR, and the length before it is whatever happens to be before it in memory? This seems reasonably likely, as the length value seen in the log is:

  =>0 0xb7e0d1da wine_utf8_wcstombs+0x16a(flags=<is not available>, src=0x341000, srclen=2139062297, dst=0x0, dstlen=0) [/home/pbouman/Bureaublad/wine-1.1.27/libs/wine/utf8.c:69] in libwine.so.1 (0x0032b80c)
2139062297 is 0x7f7f8019, which, at first glance, seems like an unreasonably large XML document.
> If you change the call SysStringLen to strlenW, it appears it doesn't crash in bstr_to_utf8 anymore, but that's probably not the right fix.
I don't see why not: UTF8 is also NULL-terminated, so converting additional characters after the first NULL doesn't seem like it could be useful. A BSTR is both length-prefixed and NULL-terminated, so if a NULL isn't found there's an application bug anyway.
As always, tests would help. Two tests come to mind:
1. How does native behave with a BSTR that has a valid length (prefix), but no NULL terminator?
2. How does native behave when passed a WCHAR * rather than a BSTR?
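To make the discussion above concrete, here is an added example (not Wine's code and not part of this bug report) that models the BSTR layout the comment relies on. The `SysAllocString`/`SysStringLen`/`strlenW` functions are simplified stand-ins written for this example, not the OLE or Wine implementations; the `plain_wchar_buffer` struct and its `0xFEFF0032` prefix are constructed so that a bare WCHAR * mislabelled as a BSTR yields the same bogus `srclen=2139062297` (0x7f7f8019) as the backtrace, and `bstr_len_clamped` shows the "never convert past the first NUL" length that Juan argues is sufficient for a conversion routine like `bstr_to_utf8`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR;   /* OLECHAR is 16 bits wide on Windows and in Wine */
typedef WCHAR *BSTR;

/* strlenW stand-in: count characters up to the first NUL. */
static size_t strlenW(const WCHAR *s)
{
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* SysAllocString stand-in: a BSTR is a 4-byte byte-count prefix, the
 * characters, and a NUL terminator; the pointer handed out points at the
 * characters, so the prefix sits just before it in memory. */
static BSTR SysAllocString(const WCHAR *src)
{
    size_t len = strlenW(src);
    uint32_t *block = malloc(sizeof(uint32_t) + (len + 1) * sizeof(WCHAR));
    if (!block) return NULL;
    block[0] = (uint32_t)(len * sizeof(WCHAR));   /* length prefix, in bytes */
    BSTR s = (BSTR)(block + 1);
    memcpy(s, src, (len + 1) * sizeof(WCHAR));     /* characters plus NUL */
    return s;
}

static void SysFreeString(BSTR s)
{
    if (s) free((uint32_t *)s - 1);
}

/* SysStringLen stand-in: read the prefix and return a character count.
 * It trusts the four bytes before the pointer completely, which is exactly
 * what goes wrong when a plain WCHAR * is passed where a BSTR is expected. */
static uint32_t SysStringLen(BSTR s)
{
    uint32_t bytes;
    if (!s) return 0;
    memcpy(&bytes, (const char *)s - sizeof(uint32_t), sizeof(uint32_t));
    return bytes / sizeof(WCHAR);
}

/* Defensive length for a converter such as bstr_to_utf8: never go past the
 * first NUL, whatever the prefix claims.  A well-formed BSTR gives the same
 * answer either way; a mislabelled WCHAR * is clamped to its real length
 * instead of feeding a huge srclen into the UTF-8 conversion. */
static uint32_t bstr_len_clamped(BSTR s)
{
    uint32_t prefix, nul;
    if (!s) return 0;
    prefix = SysStringLen(s);
    nul = (uint32_t)strlenW(s);
    return prefix < nul ? prefix : nul;
}

/* Constructed: a bare WCHAR buffer whose preceding four bytes hold "whatever
 * happened to be before it".  0xFEFF0032 is chosen so the bogus prefix decodes
 * to 2139062297 characters, the srclen seen in the backtrace. */
struct plain_wchar_buffer {
    uint32_t bytes_before;   /* not a length prefix, just neighbouring memory */
    WCHAR text[5];           /* "<a/>" followed by NUL */
};
static struct plain_wchar_buffer g_plain = { 0xFEFF0032u, { '<', 'a', '/', '>', 0 } };

/* Length reported for a genuine BSTR holding "<a/>": prefix and NUL agree. */
static uint32_t real_bstr_len(void)
{
    static const WCHAR doc[] = { '<', 'a', '/', '>', 0 };
    BSTR b = SysAllocString(doc);
    uint32_t n = SysStringLen(b);
    SysFreeString(b);
    return n;                                   /* 4 */
}

/* What SysStringLen reports when handed the plain WCHAR * instead. */
static uint32_t bogus_prefix_len(void)
{
    return SysStringLen(g_plain.text);          /* 2139062297 */
}

/* What the clamped length reports for the same mislabelled pointer. */
static uint32_t clamped_len(void)
{
    return bstr_len_clamped(g_plain.text);      /* 4 */
}

int main(void)
{
    printf("real BSTR:           %u chars\n", real_bstr_len());
    printf("plain WCHAR* prefix: %u chars (bogus)\n", bogus_prefix_len());
    printf("clamped to NUL:      %u chars\n", clamped_len());
    return 0;
}
```

Reading the prefix of a real stack or heap WCHAR * is undefined behaviour in C, which is why the example keeps the "memory before the string" inside a struct it controls; the point is that nothing in the conversion path can tell a bogus prefix from a real one, so clamping at the NUL is the only check the callee itself can make.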