On Jun 4, 2011, at 8:02 AM, Gerald Pfeifer wrote:

Resending: This really looks like a straightforward bug fix and the current code definitely wrong???

No. As others have pointed out, your logic is wrong. The existing code is correct.

The difference between two pointers (of the same type) is the number of elements, not the number of bytes. Thus the code below was way incorrect, luckily only too conversative.

So, ptr-path is the number of elements between the two pointers. But sizeof(root) is a number of bytes. The precise reason to divide the latter by sizeof(WCHAR) is to arrive at a number of elements so it is proper to compare to ptr-path.

Put another way, look a bit lower in the code:

        memcpy(root, path, (ptr-path)*sizeof(WCHAR));

It is clear that (ptr-path)*sizeof(WCHAR), a measure of bytes, must be no larger than the size of root in bytes. Thus, this is the requirement:

(ptr-path)*sizeof(WCHAR) <= sizeof(root)

Dividing both sides by sizeof(WCHAR) gives an equivalent requirement:

(ptr-path) <= sizeof(root)/sizeof(WCHAR)

which is exactly what the code, as is, tests. (Except that the current code doesn't allow for the equal case, in order to preserve a null terminator.)

Regards, Ken

---

dlls/urlmon/sec_mgr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/dlls/urlmon/sec_mgr.c b/dlls/urlmon/sec_mgr.c index 7b4bb35..75850ee 100644 --- a/dlls/urlmon/sec_mgr.c +++ b/dlls/urlmon/sec_mgr.c @@ -529,7 +529,7 @@ static HRESULT map_url_to_zone(LPCWSTR url, DWORD *zone, LPWSTR *ret_url) hres = CoInternetParseUrl(secur_url, PARSE_PATH_FROM_URL, 0, path, sizeof(path)/sizeof(WCHAR), &size, 0);

•    if(SUCCEEDED(hres) && (ptr = strchrW(path, '\\')) && ptr-path < sizeof(root)/sizeof(WCHAR)) {
  

•    if(SUCCEEDED(hres) && (ptr = strchrW(path, '\\')) && ptr-path < sizeof(root)) {
        UINT type;
  
        memcpy(root, path, (ptr-path)*sizeof(WCHAR));
  

-- 1.7.4.1