Module: wine Branch: master Commit: d1db29e801f378f7310fa66ff54980368db1869b URL: http://source.winehq.org/git/wine.git/?a=commit;h=d1db29e801f378f7310fa66ff5...
Author: Rob Shearman robertshearman@gmail.com Date: Fri Nov 20 14:37:13 2009 +0000
ole32: Fix buffer overrun in CLIPFORMAT_UserMarshal.
The string in format is nul-terminated so use memcpy to copy it into the buffer and don't try to nul-terminate it manually which causes a write outside of the allocated buffer length.
Fix a similar off-by-one error in CLIPFORMAT_UserUnmarshal too. This time it is only reading from beyond the buffer.
---
dlls/ole32/usrmarshal.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/dlls/ole32/usrmarshal.c b/dlls/ole32/usrmarshal.c
index f180f42..ed31620 100644
--- a/dlls/ole32/usrmarshal.c
+++ b/dlls/ole32/usrmarshal.c
@@ -170,11 +170,9 @@ unsigned char * __RPC_USER CLIPFORMAT_UserMarshal(ULONG *pFlags, unsigned char *
 pBuffer += sizeof(UINT);
 *(UINT *)pBuffer = len;
 pBuffer += sizeof(UINT);
- TRACE("marshaling format name %s\n", debugstr_wn(format, len-1));
- lstrcpynW((LPWSTR)pBuffer, format, len);
+ TRACE("marshaling format name %s\n", debugstr_w(format));
+ memcpy(pBuffer, format, len * sizeof(WCHAR));
 pBuffer += len * sizeof(WCHAR);
- *(WCHAR *)pBuffer = '\0';
- pBuffer += sizeof(WCHAR);
 }
 else
 {
@@ -238,11 +236,11 @@ unsigned char * __RPC_USER CLIPFORMAT_UserUnmarshal(ULONG *pFlags, unsigned char
 if (*(UINT *)pBuffer != len)
 RaiseException(RPC_S_INVALID_BOUND, 0, 0, NULL);
 pBuffer += sizeof(UINT);
- if (((WCHAR *)pBuffer)[len] != '\0')
+ if (((WCHAR *)pBuffer)[len - 1] != '\0')
 RaiseException(RPC_S_INVALID_BOUND, 0, 0, NULL);
 TRACE("unmarshaling clip format %s\n", debugstr_w((LPCWSTR)pBuffer));
 cf = RegisterClipboardFormatW((LPCWSTR)pBuffer);
- pBuffer += (len + 1) * sizeof(WCHAR);
+ pBuffer += len * sizeof(WCHAR);
 if (!cf)
 RaiseException(DV_E_CLIPFORMAT, 0, 0, NULL);
 *pCF = cf;
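Review bot: In the CLIPFORMAT_UserMarshal hunk, the new `memcpy(pBuffer, format, len * sizeof(WCHAR))` is only in bounds if `len` already counts the terminating nul and equals the character count used when the buffer was sized, and nothing in the hunk states that. The code that computes `len` and the sizing routine are outside the hunk, so this is an invariant a later edit could break silently. I would record it next to the copy, for example `/* len includes the terminating nul and must match the count reserved when sizing the buffer */`. The new `debugstr_w(format)` trace likewise depends on `format` being nul-terminated, which the commit message asserts but the hunk does not show.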
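Review bot: In the CLIPFORMAT_UserUnmarshal hunk, the new terminator check `((WCHAR *)pBuffer)[len - 1]` reads out of bounds when `len` is zero, and `len` appears to come from the marshaled data (it is compared with a value in the buffer just above). If `len` is unsigned, as the `UINT` comparison suggests, `len - 1` wraps to a very large index instead of failing cleanly. Rejecting the empty case first keeps the read inside the string: `if (!len || ((WCHAR *)pBuffer)[len - 1] != '\0')`. The function takes no buffer length in the visible signature, so the hunk cannot confirm that `len` characters are actually present; a comment saying which caller guarantees that would help. The function body starts and ends outside the hunk.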