From 362ecd06f6abc2d1296c4ba2aa522825d2fe7c35 Mon Sep 17 00:00:00 2001
From: Alexandre Julliard
Date: Thu, 8 Oct 2009 16:28:17 +0200
Subject: [PATCH] kernel32: Fix handling of overflows in GetPrivateProfileSectionA.

---
 dlls/kernel32/profile.c | 14 +++++++-------
 dlls/kernel32/tests/profile.c | 8 ++++++++
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/dlls/kernel32/profile.c b/dlls/kernel32/profile.c
index 8a787da2c7f..aa223c7d9de 100644
--- a/dlls/kernel32/profile.c
+++ b/dlls/kernel32/profile.c
@@ -1386,23 +1386,23 @@ INT WINAPI GetPrivateProfileSectionA( LPCSTR section, LPSTR buffer,
 return 0;
 }
 
- bufferW = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
+ bufferW = HeapAlloc(GetProcessHeap(), 0, len * 2 * sizeof(WCHAR));
 RtlCreateUnicodeStringFromAsciiz(§ionW, section);
 if (filename) RtlCreateUnicodeStringFromAsciiz(&filenameW, filename);
 else filenameW.Buffer = NULL;
 
- retW = GetPrivateProfileSectionW(sectionW.Buffer, bufferW, len, filenameW.Buffer);
- if (len > 2)
+ retW = GetPrivateProfileSectionW(sectionW.Buffer, bufferW, len * 2, filenameW.Buffer);
+ if (retW)
 {
+ if (retW == len * 2 - 2) retW++; /* overflow */
 ret = WideCharToMultiByte(CP_ACP, 0, bufferW, retW + 1, buffer, len, NULL, NULL);
- if (ret > 2)
- ret -= 1;
- else
+ if (!ret || ret == len) /* overflow */
 {
- ret = 0;
+ ret = len - 2;
 buffer[len-2] = 0;
 buffer[len-1] = 0;
 }
+ else ret--;
 }
 else
 {
diff --git a/dlls/kernel32/tests/profile.c b/dlls/kernel32/tests/profile.c
index a1bf96703b7..e3f71560e90 100644
--- a/dlls/kernel32/tests/profile.c
+++ b/dlls/kernel32/tests/profile.c
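Review bot: The result of `bufferW = HeapAlloc(GetProcessHeap(), 0, len * 2 * sizeof(WCHAR));` is handed straight to GetPrivateProfileSectionW without a NULL check, so an allocation failure becomes a write through a NULL destination inside the W call; a guard such as `if (!bufferW) return 0;` directly after the allocation (the two Unicode strings are only created after it, so nothing needs releasing there) would close that. The doubled size is computed as `len * 2` in len's own integer width before sizeof widens it, so if len is the API's DWORD and a caller passes a value above half its range, the heap size, the nSize passed to the W call and the `retW == len * 2 - 2` overflow test all work on a wrapped number — rejecting or clamping such sizes up front keeps the three consistent. In the new overflow branch only buffer[len-2] and buffer[len-1] are rewritten, so the bytes before them are whatever WideCharToMultiByte stored before returning 0 or len; the test added in the same commit compares that prefix, which suggests a fully converted prefix is the intended contract, but the branch does not say so and a comment like `/* WideCharToMultiByte has already filled buffer[0..len-3]; just restore the double NUL */` would make the dependency explicit. GetPrivateProfileSectionA starts before this hunk and its else branch continues past it.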
@@ -236,6 +236,14 @@ static void test_profile_sections(void)
 broken(GetLastError() == 0xdeadbeef), /* Win9x, WinME */
 "expected ERROR_SUCCESS, got %d\n", GetLastError());
 
+ /* Overflow*/
+ ret=GetPrivateProfileSectionA("section1", buf, 24, testfile4);
+ for( p = buf + strlen(buf) + 1; *p;p += strlen(p)+1)
+ p[-1] = ',';
+ ok( ret == 22 && !strcmp( buf, "name1=val1,name2=,name"), "wrong section returned(%d): %s\n",
+ ret, buf);
+ ok( buf[ret] == 0 && buf[ret+1] == 0, "returned buffer not terminated with double-null\n" );
+
 DeleteFileA( testfile4 );
 }
 
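Review bot: The comma-joining loop `for( p = buf + strlen(buf) + 1; *p;p += strlen(p)+1)` trusts that the returned buffer is already double-NUL-terminated, which is exactly what the second ok() verifies afterwards; if the implementation under test gets the termination wrong, strlen() runs past the 24 bytes requested before that failure can be reported, so the regression shows up as an out-of-bounds read in the test rather than a clean ok() failure. Moving the termination ok() ahead of the loop and bounding the walk, e.g. `for( p = buf + strlen(buf) + 1; p < buf + 24 && *p; p += strlen(p)+1)`, keeps the test itself well-defined. The declarations of buf and p are outside this hunk, so that buf really holds at least 24 bytes is assumed here. test_profile_sections begins before this hunk.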