kernel32: Fix handling of overflows in GetPrivateProfileSectionA.

2009-10-08 16:28:17 +02:00 · 2009-10-08 16:28:17 +02:00 · 362ecd06f6
parent d62d442d6d
commit 362ecd06f6
2 changed files with 15 additions and 7 deletions
--- a/dlls/kernel32/profile.c
+++ b/dlls/kernel32/profile.c
@ -1386,23 +1386,23 @@ INT WINAPI GetPrivateProfileSectionA( LPCSTR section, LPSTR buffer,
        return 0;
    }

-    bufferW = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
+    bufferW = HeapAlloc(GetProcessHeap(), 0, len * 2 * sizeof(WCHAR));
    RtlCreateUnicodeStringFromAsciiz(&sectionW, section);
    if (filename) RtlCreateUnicodeStringFromAsciiz(&filenameW, filename);
    else filenameW.Buffer = NULL;

-    retW = GetPrivateProfileSectionW(sectionW.Buffer, bufferW, len, filenameW.Buffer);
-    if (len > 2)
+    retW = GetPrivateProfileSectionW(sectionW.Buffer, bufferW, len * 2, filenameW.Buffer);
+    if (retW)
    {
+        if (retW == len * 2 - 2) retW++;  /* overflow */
        ret = WideCharToMultiByte(CP_ACP, 0, bufferW, retW + 1, buffer, len, NULL, NULL);
-        if (ret > 2)
-            ret -= 1;
-        else
+        if (!ret || ret == len)  /* overflow */
        {
-            ret = 0;
+            ret = len - 2;
            buffer[len-2] = 0;
            buffer[len-1] = 0;
        }
+        else ret--;
    }
    else
    {
--- a/dlls/kernel32/tests/profile.c
+++ b/dlls/kernel32/tests/profile.c
@ -236,6 +236,14 @@ static void test_profile_sections(void)
        broken(GetLastError() == 0xdeadbeef), /* Win9x, WinME */
        "expected ERROR_SUCCESS, got %d\n", GetLastError());

+    /* Overflow*/
+    ret=GetPrivateProfileSectionA("section1", buf, 24, testfile4);
+    for( p = buf + strlen(buf) + 1; *p;p += strlen(p)+1)
+        p[-1] = ',';
+    ok( ret == 22 && !strcmp( buf, "name1=val1,name2=,name"), "wrong section returned(%d): %s\n",
+        ret, buf);
+    ok( buf[ret] == 0 && buf[ret+1] == 0, "returned buffer not terminated with double-null\n" );
+
    DeleteFileA( testfile4 );
 }