Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=57613
By writing beyond the end of the buffer some heap block list pointer gets partially overwritten, and therefore crashes on a later call to `RtlAllocateHeap`.
From: Bernhard Übelacker bernhardu@mailbox.org
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=57613 --- dlls/nsiproxy.sys/ip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/nsiproxy.sys/ip.c b/dlls/nsiproxy.sys/ip.c index 32ba6241761..1a810f70584 100644 --- a/dlls/nsiproxy.sys/ip.c +++ b/dlls/nsiproxy.sys/ip.c @@ -1215,7 +1215,7 @@ static NTSTATUS ipv4_neighbour_enumerate_all( void *key_data, UINT key_size, voi for (j = 0; j < ARRAY_SIZE(ipv4_multicast_addresses); ++j) { if (iface_static[i].unk & (1 << j)) continue; - if (num <= *count) + if (num < *count) { entry.addr.s_addr = ipv4_multicast_addresses[j]; ipv4_neighbour_fill_entry( &entry, key_data, rw_data, dynamic_data, static_data );
-
Bernhard Übelacker -
Bernhard Übelacker (@bernhardu)