When len is 256, (ARRAY_SIZE(title) - len) is 0. When LoadStringW() is called with the last parameter being zero, a WCHAR string pointer is stored at 'title + 256', writing title out of bounds.
From: Zhiyi Zhang zzhang@codeweavers.com
When len is 256, (ARRAY_SIZE(title) - len) is 0. When LoadStringW() is called with the last parameter being zero, a WCHAR string pointer is stored at 'title + 256', writing title out of bounds.
---
 dlls/compstui/compstui_main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/dlls/compstui/compstui_main.c b/dlls/compstui/compstui_main.c
index 60d5f9891b0..57fe0879c0c 100644
--- a/dlls/compstui/compstui_main.c
+++ b/dlls/compstui/compstui_main.c
@@ -480,7 +480,8 @@ static LONG create_property_sheetW(struct propsheet *ps, PROPSHEETUI_INFO_HEADER
 len = wcslen(title);
 if (len < ARRAY_SIZE(title))
 title[len++] = ' ';
- LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len);
+ if (ARRAY_SIZE(title) - len > 0)
+ LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len);
 }
if ((header->flags & PSUIHDRF_PROPTITLE) &&
@@ -489,7 +490,8 @@ static LONG create_property_sheetW(struct propsheet *ps, PROPSHEETUI_INFO_HEADER
 len = wcslen(title);
 if (len < ARRAY_SIZE(title))
 title[len++] = ' ';
- LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len);
+ if (ARRAY_SIZE(title) - len > 0)
+ LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len);
 }
psh.nPages = ps->pages_cnt;
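Review bot: In both hunks (the IDS_CPSUI_DEFAULT and the IDS_CPSUI_PROPERTIES branch) the unchanged `title[len++] = ' ';` can overwrite the string's terminator in the last slot, and the new guard then skips LoadStringW(), so `title` is left without a NUL whenever wcslen(title) was ARRAY_SIZE(title) - 1. Any later use of `title` as a string (not visible in these hunks) would then read past the array, so the out-of-bounds write is traded for a possible out-of-bounds read. Reserving room for the terminator before appending the space avoids both cases, e.g. `if (len + 1 < ARRAY_SIZE(title)) { title[len++] = ' '; LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len); }`, and likewise for IDS_CPSUI_PROPERTIES. The subtraction in `ARRAY_SIZE(title) - len > 0` is presumably evaluated as unsigned, so the test only means "not equal"; `len < ARRAY_SIZE(title)` states the intent more directly. create_property_sheetW begins and ends outside both hunks, so how `title` is filled and consumed should be confirmed against the full function.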