Module: wine Branch: master Commit: e58a67e9cd19bc1aef646e8f3fadaf0c490b38de URL: http://source.winehq.org/git/wine.git/?a=commit;h=e58a67e9cd19bc1aef646e8f3f...
Author: Hans Leidekker hans@codeweavers.com Date: Fri Sep 24 17:09:04 2010 +0200
msi: Avoid accessing memory before the left hand string in compare_substring.
---
dlls/msi/cond.y | 14 ++++++++++++-- 1 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/dlls/msi/cond.y b/dlls/msi/cond.y index 9a7a16d..03ea493 100644 --- a/dlls/msi/cond.y +++ b/dlls/msi/cond.y @@ -462,11 +462,21 @@ static INT compare_substring( LPCWSTR a, INT operator, LPCWSTR b ) case COND_LHS: return 0 == strncmpW( a, b, lstrlenW( b ) ); case COND_RHS: - return 0 == lstrcmpW( a + (lstrlenW( a ) - lstrlenW( b )), b ); + { + int l = lstrlenW( a ); + int r = lstrlenW( b ); + if (r > l) return 0; + return 0 == lstrcmpW( a + (l - r), b ); + } case COND_ILHS: return 0 == strncmpiW( a, b, lstrlenW( b ) ); case COND_IRHS: - return 0 == lstrcmpiW( a + (lstrlenW( a ) - lstrlenW( b )), b ); + { + int l = lstrlenW( a ); + int r = lstrlenW( b ); + if (r > l) return 0; + return 0 == lstrcmpiW( a + (l - r), b ); + } default: ERR("invalid substring operator\n"); return 0;