Stefan Leichter Stefan.Leichter@camline.com writes:

• switch(dwLevel) {

•    case SERVICE_CONFIG_DESCRIPTION: {
  

•        static const WCHAR szDescription[] = {'D','e','s','c','r','i','p','t','i','o','n',0};
  

•        LPSERVICE_DESCRIPTIONW config = (LPSERVICE_DESCRIPTIONW) buffer;
  

•        *needed = sizeof (SERVICE_DESCRIPTIONW);
  

•        sz = size - *needed;
  

•        r = RegQueryValueExW( hKey, szDescription, 0, &type, (LPBYTE) (config ? config + 1: NULL), &sz );
  

•        if((r == ERROR_SUCCESS) && ( type != REG_SZ)) {
  

•            FIXME("SERVICE_CONFIG_DESCRIPTION: don't know how to handle type %d\n", type);
  

•            return FALSE;
  

•        }
  

•        *needed += sz;
  

•        if(config) {
  

•            if(r == ERROR_SUCCESS)
  

•                config->lpDescription = (LPWSTR) (config + 1);
  

•            else
  

•                config->lpDescription = NULL;
  

You are still not handling overflows correctly. What happens if size is less than sizeof(SERVICE_DESCRIPTIONW)?