LPWSTR __cdecl wcsncpy( LPWSTR s1, LPCWSTR s2, size_t n ) { WCHAR *ret = s1; **//When a 0 is encountered, the loop breaks out immediately, but s1 has already been incremented, which leads to a memory overflow in the second for loop** for ( ; n; n--) if (!(*s1++ = *s2++)) break; for ( ; n; n--) *s1++ = 0; return ret; }
From: li wenzhe 584592187@qq.com
--- dlls/ntdll/wcstring.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/dlls/ntdll/wcstring.c b/dlls/ntdll/wcstring.c
index aa43c3de16b..96c51bd960f 100644
--- a/dlls/ntdll/wcstring.c
+++ b/dlls/ntdll/wcstring.c
@@ -353,7 +353,12 @@ int __cdecl wcsncmp( LPCWSTR str1, LPCWSTR str2, size_t n )
 LPWSTR __cdecl wcsncpy( LPWSTR s1, LPCWSTR s2, size_t n )
 {
 WCHAR *ret = s1;
- for ( ; n; n--) if (!(*s1++ = *s2++)) break;
+ for ( ; n; n--) {
+ if (!(*s1++ = *s2++)) {
+ n--;
+ break;
+ }
+ }
 for ( ; n; n--) *s1++ = 0;
 return ret;
 }
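Review bot: The added `n--;` before `break` is correct but subtle: it compensates for the loop's own `n--` that `break` skips, so the terminator is counted and the padding loop then writes exactly the remaining n - 1 WCHARs instead of one too many. Without explanation a reader is likely to read it as a double decrement and "fix" it back, reintroducing the one-element overrun. A one-line comment at the decrement would make the intent durable: `/* break skips the loop's n--, so count the terminator here */`. The case where s2 is at least n characters long is unchanged and still copies n characters without a terminator, which is the documented wcsncpy contract, so that path needs no note. A unit test asserting that exactly n WCHARs are written when s2 is shorter than n (e.g. by placing a sentinel at s1[n]) would keep this from regressing.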
Solve wcsncpy memory write overflow
Hi, Wenzhe, it would be better to use the correct case for your name — "Wenzhe Li" or "Li Wenzhe", I think.
Yeah, it has been changed to Li Wenzhe.