The value after the hash is 1-based, but find_ordinal_export expects a 0-based value - compare with other calls to this function elsewhere in the file. Ordinal forwards are pretty rare, which is presumably why it hasn't been spotted before now.
Signed-off-by: Mark Harmstone mark@harmstone.com --- dlls/ntdll/loader.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/dlls/ntdll/loader.c b/dlls/ntdll/loader.c index 1f8c67e6ba1..3a90d0b0856 100644 --- a/dlls/ntdll/loader.c +++ b/dlls/ntdll/loader.c @@ -642,9 +642,11 @@ static FARPROC find_forwarded_export( HMODULE module, const char *forward, LPCWS IMAGE_DIRECTORY_ENTRY_EXPORT, &exp_size ))) { const char *name = end + 1; - if (*name == '#') /* ordinal */ - proc = find_ordinal_export( wm->ldr.DllBase, exports, exp_size, atoi(name+1), load_path ); - else + + if (*name == '#') { /* ordinal */ + proc = find_ordinal_export( wm->ldr.DllBase, exports, exp_size, + atoi(name+1) - exports->Base, load_path ); + } else proc = find_named_export( wm->ldr.DllBase, exports, exp_size, name, -1, load_path ); }