Bill Medland : msi: Prevent array underflow in MsiFormat when measuring with zero-length buffer.

Module: wine Branch: refs/heads/master Commit: b56ed22277549dd7aa9a2b35951f9b2db7be870f URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=b56ed22277549dd7aa9a2b35...

Author: Bill Medland billmedland@mercuryspeed.com Date: Wed Dec 21 21:19:47 2005 +0100

msi: Prevent array underflow in MsiFormat when measuring with zero-length buffer.

---

dlls/msi/format.c | 8 +++++++- dlls/msi/tests/format.c | 7 ++++++- 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/dlls/msi/format.c b/dlls/msi/format.c index c280541..85f9028 100644 --- a/dlls/msi/format.c +++ b/dlls/msi/format.c @@ -639,10 +639,15 @@ UINT MSI_FormatRecordA( MSIPACKAGE* pack

len = deformat_string_internal(package,rec,&deformated,strlenW(rec), record, NULL); + /* If len is zero then WideCharToMultiByte will return 0 indicating + * failure, but that will do just as well since we are ignoring + * possible errors. + */ lenA = WideCharToMultiByte(CP_ACP,0,deformated,len,NULL,0,NULL,NULL);

if (buffer) { + /* Ditto above */ WideCharToMultiByte(CP_ACP,0,deformated,len,buffer,*size,NULL, NULL); if (*size>lenA) { @@ -652,7 +657,8 @@ UINT MSI_FormatRecordA( MSIPACKAGE* pack else { rc = ERROR_MORE_DATA; - buffer[(*size)-1] = 0; + if (*size) + buffer[(*size)-1] = 0; } } else diff --git a/dlls/msi/tests/format.c b/dlls/msi/tests/format.c index 11cd455..59c6f11 100644 --- a/dlls/msi/tests/format.c +++ b/dlls/msi/tests/format.c @@ -109,7 +109,7 @@ static void test_formatrecord(void) char buffer[100]; MSIHANDLE hrec; UINT r; - DWORD sz=100; + DWORD sz;

r = MsiFormatRecord(0, 0, NULL, NULL ); ok( r == ERROR_INVALID_HANDLE, "wrong error\n"); @@ -122,6 +122,11 @@ static void test_formatrecord(void) ok( r == ERROR_SUCCESS, "format failed\n"); buffer[0] = 'x'; buffer[1] = 0; + sz=0; + r = MsiFormatRecord(0, hrec, buffer+1, &sz); + ok( r == ERROR_MORE_DATA && buffer[0] == 'x', "format failed measuring with buffer\n"); + ok( sz == 16, "size wrong\n"); + sz=100; r = MsiFormatRecord(0, hrec, buffer, &sz); ok( r == ERROR_SUCCESS, "format failed with empty buffer\n"); ok( sz == 16, "size wrong\n");