Alistair Leslie-Hughes leslie_alistair@hotmail.com writes:

@@ -141,30 +175,56 @@ static HRESULT WINAPI IDirectPlay8PeerImpl_EnumServiceProviders(IDirectPlay8Peer else { FIXME("Application requested a provider we don't handle (yet)\n");

•    *pcReturned = 0;
     return DPNERR_DOESNOTEXIST;
  

  }

  if(*pcbEnumData < req_size) {

•    RegCloseKey(key);
  

•    *pcbEnumData = req_size;
     return DPNERR_BUFFERTOOSMALL;
  

  }

• pSPInfoBuffer->pwszName = (LPWSTR)(pSPInfoBuffer + 1);
• if(!pguidServiceProvider) {

•    lstrcpyW(pSPInfoBuffer->pwszName, dp_providerW);
  

•    pSPInfoBuffer->guid = CLSID_DP8SP_TCPIP;
  

•    int offset = 1;
  

•    int count = 0;
  

•    LPWSTR infoend = ((LPWSTR)pSPInfoBuffer + (sizeof(DPN_SERVICE_PROVIDER_INFO) * (*pcReturned)));
  

•    index = 0;
  

•    nextKeyNameResult = RegEnumKeyW( key, index, provider, MAX_PATH);
  

•    while(nextKeyNameResult == ERROR_SUCCESS)
  

•    {
  

•        DWORD dwBufLen = 350;
  

•        WCHAR name[350];
  

•        res = RegGetValueW( key, provider, friendly, RRF_RT_REG_SZ, NULL, name, &dwBufLen);
  

•        if(res == ERROR_SUCCESS)
  

•        {
  

•            pSPInfoBuffer[count].guid = CLSID_DP8SP_TCPIP;
  

•            pSPInfoBuffer[count].pwszName = (LPWSTR)(infoend + offset);
  

•            lstrcpyW(pSPInfoBuffer[count].pwszName, name);
  

•            offset += dwBufLen/sizeof(WCHAR);
  

•            count++;
  

•        }
  

•        index++;
  

•        nextKeyNameResult = RegEnumKeyW( key, index, provider, MAX_PATH );
  

•    }
  

The buffer sizes and pointers are pretty much all handled incorrectly.