23 Apr
2016
23 Apr
'16
12:24 p.m.
On 23.04.2016 11:56, Hugh McMaster wrote:
On Saturday, 23 April 2016 3:35 AM, Sebastian Lackner wrote:
The current calculation does not take the terminating \0 into account.
-buffer = HeapAlloc(GetProcessHeap(), 0, tmp_size * 2); +buffer = HeapAlloc(GetProcessHeap(), 0, tmp_size * 2 + sizeof(WCHAR));
Which particular cases cause the heap corruption?
-- Hugh McMaster
It happens for example with a string like L"\0\0\0\0". After stripping off the last two "\0" the allocated memory will have a size of 4 characters, but the code below writes 5 characters. You can also test with warn+heap after creating such a registry key.