When button_count is 0, we would allocate 0 bytes for line_widths, but line_count would later be 1, so we would still try to access line_widths[0], which is out of bounds.
From: Yuxuan Shui yshui@codeweavers.com
---
 programs/cmd/wcmdmain.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/programs/cmd/wcmdmain.c b/programs/cmd/wcmdmain.c
index e51f7cb7781..ed890a65db0 100644
--- a/programs/cmd/wcmdmain.c
+++ b/programs/cmd/wcmdmain.c
@@ -3398,7 +3398,8 @@ enum read_parse_line WCMD_ReadAndParseLine(const WCHAR *optionalcmd, CMD_NODE **
 /* See if 1>, 2> etc, in which case we have some patching up to do (provided there's a preceding whitespace, and enough chars read so far) */
- if (curPos[-1] >= L'1' && curPos[-1] <= L'9' && (curStringLen == 1 || iswspace(curPos[-2])))
+ if (curPos != extraSpace && curPos[-1] >= L'1' && curPos[-1] <= L'9' &&
+ (curStringLen == 1 || iswspace(curPos[-2])))
 {
 curStringLen--;
 curString[curStringLen] = L'\0';
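Review bot: The added `curPos != extraSpace` test protects only the `curPos[-1]` reads; `curPos[-2]` is still read whenever `curStringLen` is anything other than 1, and nothing in the hunk shows that two characters precede `curPos` in that case. If `curStringLen` can be 0 at this point, the body's `curStringLen--; curString[curStringLen] = L'\0';` would also write before `curString`. Making both bounds explicit would let the condition stand on its own, for example `(curStringLen == 1 || (curPos - extraSpace >= 2 && iswspace(curPos[-2])))` as the last operand, plus a `curStringLen >= 1` term if a zero length is reachable. This assumes `extraSpace` is the start of the buffer `curPos` walks, as the new comparison implies; WCMD_ReadAndParseLine begins and ends outside the hunk, so the invariants may be established there.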
From: Yuxuan Shui yshui@codeweavers.com
---
 programs/cmd/wcmdmain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/programs/cmd/wcmdmain.c b/programs/cmd/wcmdmain.c
index ed890a65db0..c59df7d30c9 100644
--- a/programs/cmd/wcmdmain.c
+++ b/programs/cmd/wcmdmain.c
@@ -2045,7 +2045,7 @@ static RETURN_CODE search_command(WCHAR *command, struct search_command *sc, BOO
 /* Remove quotes */
 length = wcslen(sc->path);
- if (sc->path[length - 1] == L'"')
+ if (length && sc->path[length - 1] == L'"')
 sc->path[length - 1] = 0;
 if (*sc->path != L'"')
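Review bot: `length` is left stale once the trailing quote is cut, and a path that consists only of `"` becomes empty at this point; writing `sc->path[--length] = 0;` would keep `length` accurate for any later `length - 1` indexing. The new `length &&` guard covers only this one read, and the following test `*sc->path != L'"'` then sees the terminator. Whether the code after the hunk reuses `length` or copes with an empty path is not visible here, because search_command continues past the last context line.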
From: Yuxuan Shui yshui@codeweavers.com
When button_count is 0, we would allocate 0 bytes for line_widths, but later line_count would be 1 so we would still try to access line_widths[0] which is out-of-bound.
---
 dlls/comctl32/taskdialog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/comctl32/taskdialog.c b/dlls/comctl32/taskdialog.c
index 2f8f6de5a4e..c6815cff9ac 100644
--- a/dlls/comctl32/taskdialog.c
+++ b/dlls/comctl32/taskdialog.c
@@ -965,7 +965,7 @@ static void taskdialog_layout(struct taskdialog_info *dialog_info)
 /* Common and custom buttons */
 button_layout_infos = Alloc(dialog_info->button_count * sizeof(*button_layout_infos));
- line_widths = Alloc(dialog_info->button_count * sizeof(*line_widths));
+ line_widths = Alloc(max(dialog_info->button_count, 1) * sizeof(*line_widths));
 button_min_width = DIALOG_BUTTON_WIDTH;
 button_height = DIALOG_BUTTON_HEIGHT;
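Review bot: The `max(dialog_info->button_count, 1)` on the `line_widths` allocation needs a comment, because the reason for the extra element lives only in the commit message; something like `/* line_count is at least 1 even with no buttons, so line_widths[0] must exist */` above it would keep a later cleanup from reverting the change. Neither `Alloc()` result is checked within the hunk, and `button_layout_infos` is still sized from a zero `button_count`. If the NULL checks and the zero-button handling for that array are not further down in taskdialog_layout, which continues outside this hunk, they are worth adding in the same pass.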