From 07f384454230a21eb1d51243789fa13b6510abe3 Mon Sep 17 00:00:00 2001 From: Alexandre Julliard Date: Fri, 1 Sep 2000 01:26:16 +0000 Subject: [PATCH] Avoid buffer overflows in builtin dll loading (with the help of Dmitry Timoshkov). --- if1632/builtin.c | 9 ++++++--- relay32/builtin32.c | 13 +++++++++---- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/if1632/builtin.c b/if1632/builtin.c index c0ba5cc4ca5..0efda2de0e7 100644 --- a/if1632/builtin.c +++ b/if1632/builtin.c @@ -136,16 +136,19 @@ static HMODULE16 BUILTIN_DoLoadModule16( const BUILTIN16_DESCRIPTOR *descr ) */ HMODULE16 BUILTIN_LoadModule( LPCSTR name ) { - char dllname[16], *p; + char dllname[20], *p; void *handle; int i; /* Fix the name in case we have a full path and extension */ if ((p = strrchr( name, '\\' ))) name = p + 1; - lstrcpynA( dllname, name, sizeof(dllname) ); + if ((p = strrchr( name, '/' ))) name = p + 1; + + if (strlen(name) >= sizeof(dllname)-4) return (HMODULE16)2; + + strcpy( dllname, name ); p = strrchr( dllname, '.' ); - if (!p) strcat( dllname, ".dll" ); for (i = 0; i < nb_dlls; i++) diff --git a/relay32/builtin32.c b/relay32/builtin32.c index c3851f2a07f..38ca10935f2 100644 --- a/relay32/builtin32.c +++ b/relay32/builtin32.c @@ -264,15 +264,19 @@ WINE_MODREF *BUILTIN32_LoadLibraryExA(LPCSTR path, DWORD flags) { HMODULE module; WINE_MODREF *wm; - char dllname[MAX_PATH], *p; + char dllname[20], *p; + LPCSTR name; void *handle; int i; /* Fix the name in case we have a full path and extension */ - if ((p = strrchr( path, '\\' ))) p++; - else p = (char *)path; - lstrcpynA( dllname, p, sizeof(dllname) ); + name = path; + if ((p = strrchr( name, '\\' ))) name = p + 1; + if ((p = strrchr( name, '/' ))) name = p + 1; + if (strlen(name) >= sizeof(dllname)-4) goto error; + + strcpy( dllname, name ); p = strrchr( dllname, '.' ); if (!p) strcat( dllname, ".dll" ); 
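Review bot: The bound in `if (strlen(name) >= sizeof(dllname)-4)` is correct for `dllname[20]` (at most 15 characters, plus the four of ".dll" and the terminator), but the bare `4` is all that keeps the unchecked `strcpy`/`strcat` after it in bounds, and it is tied to a literal that only appears two lines later. Writing it as `if (strlen(name) + sizeof(".dll") > sizeof(dllname)) return (HMODULE16)2;` rejects exactly the same names and keeps the reservation visibly attached to the suffix; the same check appears in the relay32/builtin32.c hunk. The literal `(HMODULE16)2` also deserves a short comment naming the error it stands for, presumably the 16-bit file-not-found code. BUILTIN_LoadModule's body continues past the end of the hunk.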
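Review bot: Shrinking `dllname` from `MAX_PATH` to 20 bytes in BUILTIN32_LoadLibraryExA turns the buffer size into a limit on module names: any base name longer than 15 characters now takes `goto error` and, judging by the label added in the following hunk, is reported as ERROR_FILE_NOT_FOUND with no indication of why. Nothing visible here shows that every builtin name fits, so the declaration should carry the reasoning, for example `char dllname[20], *p;  /* base name of at most 15 chars + ".dll" + NUL */`. The basename-and-suffix sequence is now the same as the one in if1632/builtin.c and could live in one shared helper, so the length check cannot drift between the two copies. The function body starts before and continues after this hunk.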
@@ -288,6 +292,7 @@ WINE_MODREF *BUILTIN32_LoadLibraryExA(LPCSTR path, DWORD flags) BUILTIN32_dlclose( handle ); } + error: SetLastError( ERROR_FILE_NOT_FOUND ); return NULL;