Hi.

On 15/10/30 下午11:08, Piotr Caban wrote:

On 10/29/15 16:28, YongHao Hu wrote:

+    char temppath[MAX_PATH+1];
+    TRACE("(%p %s %p %p)\n", target, debugstr_a(dest), err_code, type);
+    if(strlen(dest) >= MAX_PATH) {
+        *err_code = ERROR_BAD_PATHNAME;
+        return NULL;
+    }
+    strcpy(temppath, dest);
+    strcat(temppath, "\\*");

There may still write outside of temppath array in this code.

I had sent a new patch to upstream.
I think it will fix possible buffer overflow this time.
Thank you very much.