test_logfont in dlls/gdi32/tests/font.c calls CreateFontIndirectA with a non-null-terminated font name and expects it to not crash.
-- v2: gdi32: Limit source string length in logfont_AtoW (ASan).
From: Alex Henrie alexhenrie24@gmail.com
test_logfont in dlls/gdi32/tests/font.c calls CreateFontIndirectA with a non-null-terminated font name and expects it to not crash. --- dlls/gdi32/text.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/gdi32/text.c b/dlls/gdi32/text.c index 6be622a2312..d5ada5d9200 100644 --- a/dlls/gdi32/text.c +++ b/dlls/gdi32/text.c @@ -781,8 +781,8 @@ static void text_metric_ex_WtoA(const NEWTEXTMETRICEXW *tmW, NEWTEXTMETRICEXA *t static void logfont_AtoW( const LOGFONTA *fontA, LPLOGFONTW fontW ) { memcpy( fontW, fontA, sizeof(LOGFONTA) - LF_FACESIZE ); - MultiByteToWideChar( CP_ACP, 0, fontA->lfFaceName, -1, fontW->lfFaceName, - LF_FACESIZE ); + MultiByteToWideChar( CP_ACP, 0, fontA->lfFaceName, LF_FACESIZE - 1, + fontW->lfFaceName, LF_FACESIZE - 1 ); fontW->lfFaceName[LF_FACESIZE - 1] = 0; }
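Review bot: In logfont_AtoW, passing LF_FACESIZE - 1 as the source length makes MultiByteToWideChar convert 31 bytes of fontA->lfFaceName every time, so for a face name shorter than that, whatever follows its terminator in the caller's buffer is read and copied into fontW->lfFaceName. Bound the source length by the first NUL within the field instead of using a fixed count, and write the terminator at the index the conversion returns rather than only at LF_FACESIZE - 1.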
Alexandre Julliard (@julliard) commented about dlls/gdi32/text.c:
static void logfont_AtoW( const LOGFONTA *fontA, LPLOGFONTW fontW ) { memcpy( fontW, fontA, sizeof(LOGFONTA) - LF_FACESIZE );
- MultiByteToWideChar( CP_ACP, 0, fontA->lfFaceName, -1, fontW->lfFaceName,
LF_FACESIZE );
- MultiByteToWideChar( CP_ACP, 0, fontA->lfFaceName, LF_FACESIZE - 1,
fontW->lfFaceName, LF_FACESIZE - 1 );
This would convert potentially uninitialized data.
On Wed Apr 30 04:43:09 2025 +0000, Alexandre Julliard wrote:
This would convert potentially uninitialized data.
We'd better use strnlen then.
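The bounded conversion suggested in the last reply, as an added example that is not code from the Wine tree or from either commenter. `widen_bytes` is a hypothetical byte-for-byte stand-in for MultiByteToWideChar so the block builds without Windows headers, `bounded_strlen` behaves like strnlen, and the input buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FACESIZE 32 /* same value as LF_FACESIZE */

/* Behaves like strnlen: stops at the first NUL or after max bytes. */
static size_t bounded_strlen(const char *s, size_t max)
{
    const char *end = memchr(s, 0, max);
    return end ? (size_t)(end - s) : max;
}

/* Hypothetical stand-in for the ANSI-to-wide conversion (assumption: one
 * byte maps to one wide character). Writes no terminator, returns count. */
static size_t widen_bytes(const char *src, size_t n, wchar_t *dst, size_t cap)
{
    size_t i, count = n < cap ? n : cap;
    for (i = 0; i < count; i++) dst[i] = (unsigned char)src[i];
    return count;
}

/* Converts a fixed-size name field that may lack a terminator. Reads at
 * most FACESIZE - 1 bytes and nothing after the first NUL. */
size_t face_name_to_wide(const char *src, wchar_t *dst)
{
    size_t len = bounded_strlen(src, FACESIZE - 1);
    size_t out = widen_bytes(src, len, dst, FACESIZE - 1);
    dst[out] = 0; /* terminate at the converted length */
    return out;
}

int main(void)
{
    char full[FACESIZE], stale[FACESIZE];
    wchar_t wide[FACESIZE];

    memset(full, 'A', sizeof(full));    /* constructed: no terminator */
    memset(stale, 0x7f, sizeof(stale)); /* constructed: stale bytes */
    memcpy(stale, "Arial", 6);          /* name, NUL, then stale tail */

    printf("unterminated: %zu chars\n", face_name_to_wide(full, wide));
    printf("short name:   %zu chars\n", face_name_to_wide(stale, wide));
    return 0;
}
```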