Zhiyi Zhang : compstui: Fix a possible out-of-bounds write (Coverity). - wine-commits

18 Jan 2024

Module: wine
Branch: master
Commit: 6164432aa7ec7a575a8753d93b62684c93dbe5a0
URL:    https://gitlab.winehq.org/wine/wine/-/commit/6164432aa7ec7a575a8753d93b62684...
Author: Zhiyi Zhang zzhang@codeweavers.com
Date:   Sat Dec 30 12:09:03 2023 +0800
compstui: Fix a possible out-of-bounds write (Coverity).
When len is 256, (ARRAY_SIZE(title) - len) is 0. When LoadStringW() is called with the last parameter
being zero, a WCHAR string pointer is stored at 'title + 256', writing title out of bounds.
---
dlls/compstui/compstui_main.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/dlls/compstui/compstui_main.c b/dlls/compstui/compstui_main.c
index 60d5f9891b0..108ef64bd78 100644
--- a/dlls/compstui/compstui_main.c
+++ b/dlls/compstui/compstui_main.c
@@ -478,18 +478,22 @@ static LONG create_property_sheetW(struct propsheet *ps, PROPSHEETUI_INFO_HEADER
             (!header->titleW || !(header->flags & PSUIHDRF_EXACT_PTITLE)))
     {
         len = wcslen(title);
-        if (len < ARRAY_SIZE(title))
+        if (len < ARRAY_SIZE(title) - 1)
+        {
             title[len++] = ' ';
-        LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len);
+            LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len);
+        }
     }
if ((header->flags & PSUIHDRF_PROPTITLE) &&
             (!header->titleW || !(header->flags & PSUIHDRF_EXACT_PTITLE)))
     {
         len = wcslen(title);
-        if (len < ARRAY_SIZE(title))
+        if (len < ARRAY_SIZE(title) - 1)
+        {
             title[len++] = ' ';
-        LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len);
+            LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len);
+        }
     }
psh.nPages = ps->pages_cnt;

    