Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=39699
Signed-off-by: Bernhard Übelacker bernhardu@mailbox.org
---
Supersedes: 209112
Changes:
v1: https://www.winehq.org/pipermail/wine-devel/2021-July/thread.html#190184
v2: Use memchr instead of reimplementing strnchr.
The crash occurs like below, because the second """ is found outside of html_fragment_len. Therefore the length given to memcpy is negative. It seems it must not be relied upon that the input string has a proper null termination.
At least the search index of this file looks bogus even when opened inside Windows.
wine hh.exe "c:\Program Files\OPG\EDTW\edtw.chm"
(rr) bt
#0 0x70bae108 in copy_bwd ()
#1 0x7ffc2000 in ?? ()
#2 0x68dca5a1 in decode_html (html_fragment=0xd73c35 "h", html_fragment_len=87, code_page=1252) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/help.c:1943
#3 0x68dcde24 in parse_hhindex (info=<optimized out>, str=<optimized out>, item=0xd73788) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/index.c:113
#4 0x68dce62c in InitIndex (info=0x2878b8) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/index.c:279
#5 0x68dc9f51 in CreateHelpViewer (info=0x2878b8, filename=0x21fab8, caller=0x10020) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/help.c:1755
#6 0x68dcb110 in HtmlHelpW@16 (caller=0x10020, filename=0x286140, command=0, data=0) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/hhctrl.c:192
#7 0x68dcd27d in doWinMain@8 (hInstance=0x1000000, szCmdLine=<optimized out>) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/hhctrl.c:564
#8 0x010013f0 in ?? ()
#9 0x0100170d in ?? ()
#10 0x7b62e250 in WriteTapemark@16 ()
# some instructions reverse:
(rr) bt
#0 0x70badfc0 in sse2_memmove ()
#1 0x70bb4e4e in memcpy (dst=0xd73dca, src=0xd73cb9, n=4294967251) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/msvcrt/string.c:2750
#2 0x68dca5a1 in decode_html (html_fragment=0xd73c35 "XE "Datei-Endung \r\nK K K K K K K K K K K K K <!--tab-->Die Einstellungen f\374r Type">\r\n\t\t<param name="See Also" value="XE "Datei-Endung \r\nK K K K K K K K K K K K K <!--tab-->Die Einstellunge"..., html_fragment_len=87, code_page=1252) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/help.c:1943
#3 0x68dcde24 in parse_hhindex (info=<optimized out>, str=<optimized out>, item=0xd73788) at /home/bernhard/data/entwicklung/2021/wine/wine-git/wine-git/dlls/hhctrl.ocx/index.c:113
...
(rr) print html_fragment_len
$5 = 87
(rr) print html_fragment
$7 = 0xd73c35 "XE "Datei-Endung \r\nK K K K K K K K K K K K K <!--tab-->Die Einstellungen f\374r Type">\r\n\t\t<param name="See Also" value="XE "Datei-Endung \r\nK K K K K K K K K K K K K <!--tab-->Die Einstellunge"...
---
 dlls/hhctrl.ocx/help.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/hhctrl.ocx/help.c b/dlls/hhctrl.ocx/help.c index 06f73358f44..e9957a86e73 100644 --- a/dlls/hhctrl.ocx/help.c +++ b/dlls/hhctrl.ocx/help.c @@ -1898,14 +1898,14 @@ WCHAR *decode_html(const char *html_fragment, int html_fragment_len, UINT code_p while(1) { symbol = 0; - amp = strchr(h, '&'); + amp = memchr(h, '&', html_fragment + html_fragment_len - h); if(!amp) break; len = amp-h; /* Copy the characters prior to the HTML encoded character */ memcpy(&tmp[tmp_len], h, len); tmp_len += len; amp++; /* skip ampersand */ - sem = strchr(amp, ';'); + sem = memchr(amp, ';', html_fragment + html_fragment_len - amp); /* Require a semicolon after the ampersand */ if(!sem) {
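Review bot: the new bounds `html_fragment + html_fragment_len - h` and `html_fragment + html_fragment_len - amp` are pointer differences handed to memchr's size_t parameter, so the loop now depends on `h` never being advanced past the end of the fragment; if any code later in the loop (outside this hunk) moves `h` to or beyond `html_fragment + html_fragment_len`, the difference goes negative, wraps to a huge length, and the over-read this patch fixes comes back. Suggest computing `const char *end = html_fragment + html_fragment_len;` once before the loop and adding `if(h >= end) break;` ahead of the first memchr, which also removes the duplicated expression; the `amp` bound is safe on its own because `amp` was found inside the bounded range and `amp++` can at most reach `end`, where a zero-length memchr is well defined.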
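The bounded-scan idea the patch applies, shown as an added stand-alone example that is not the patch's or Wine's code: every search for '&' and ';' is limited to the fragment length, so a terminator that sits in the bytes after the fragment (the situation in the backtrace above) is never accepted and no negative length can reach memcpy. The names decode_entities_bounded, sample and sample_decodes_to and the entity set are chosen here.

```c
#include <string.h>

/* Added example, not Wine's decode_html. Decodes &amp; &lt; &gt; in a fragment that is NOT
 * NUL-terminated: every search is bounded to [frag, frag+len), so a '&' or ';' lying after the
 * fragment never yields a pointer past 'end', hence never a wrapped size_t length for memcpy.
 * Returns the number of bytes written to out, or -1 if out is too small. */
static int decode_entities_bounded(const char *frag, size_t len, char *out, size_t outcap)
{
    const char *h = frag, *end = frag + len;
    size_t n = 0;
    while (h < end) {
        const char *amp = memchr(h, '&', (size_t)(end - h));     /* bounded, unlike strchr */
        size_t chunk = amp ? (size_t)(amp - h) : (size_t)(end - h);
        if (n + chunk > outcap) return -1;
        memcpy(out + n, h, chunk);                               /* text before '&', or the rest */
        n += chunk;
        if (!amp) break;
        /* the ';' must lie inside the fragment too; bytes after 'end' are not ours to read */
        const char *sem = memchr(amp + 1, ';', (size_t)(end - amp - 1));
        if (!sem) {                                              /* unterminated: copy literally */
            chunk = (size_t)(end - amp);
            if (n + chunk > outcap) return -1;
            memcpy(out + n, amp, chunk);
            n += chunk;
            break;
        }
        size_t nl = (size_t)(sem - amp - 1);                     /* entity name length */
        char c = 0;
        if (nl == 3 && !memcmp(amp + 1, "amp", 3)) c = '&';
        else if (nl == 2 && !memcmp(amp + 1, "lt", 2)) c = '<';
        else if (nl == 2 && !memcmp(amp + 1, "gt", 2)) c = '>';
        if (n + 1 > outcap) return -1;
        if (c) { out[n++] = c;   h = sem + 1; }                  /* known entity: emit, skip ';' */
        else   { out[n++] = '&'; h = amp + 1; }                  /* unknown: keep '&', rescan after */
    }
    return (int)n;
}

/* Constructed input: more bytes follow the fragment in the same array, just as the crash
 * report's fragment was followed by more of the .chm index, so an unbounded strchr would
 * find the ';' of "&amp;" even when the fragment is cut off at "&am". */
static const char sample[] = "a &lt; b &amp; c";
/* Decode the first 'len' bytes of sample and report whether the result equals 'expect'. */
static int sample_decodes_to(size_t len, const char *expect)
{
    char out[32];
    int n = decode_entities_bounded(sample, len, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expect) && !memcmp(out, expect, (size_t)n);
}

int main(void) { return sample_decodes_to(12, "a < b &am") && sample_decodes_to(16, "a < b & c") ? 0 : 1; }
```

With len=12 the fragment ends inside "&amp;", so the entity is copied literally instead of being matched against the ';' that only exists past the boundary.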