https://git.reactos.org/?p=reactos.git;a=commitdiff;h=4dafcc5ea250673993995…
commit 4dafcc5ea250673993995c4d5a60d8d250e9eb7a
Author: Mark Jansen <mark.jansen(a)reactos.org>
AuthorDate: Sun Oct 8 23:41:02 2017 +0200
[MSI] Fix a buffer overrun in build_default_format CORE-13881
Imported wine commit:
f517022: msi: Fix an invalid write in build_default_format (Valgrind).
---
dll/win32/msi/format.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/dll/win32/msi/format.c b/dll/win32/msi/format.c
index 10baa0ef04..3b8a472d15 100644
--- a/dll/win32/msi/format.c
+++ b/dll/win32/msi/format.c
@@ -323,29 +323,28 @@ static WCHAR *deformat_literal( FORMAT *format, FORMSTR *str, BOOL
*propfound,
return replaced;
}
-static LPWSTR build_default_format(const MSIRECORD* record)
+static WCHAR *build_default_format( const MSIRECORD *record )
{
- int i;
- int count;
- WCHAR *rc, buf[26];
static const WCHAR fmt[] = {'%','i',':','
','[','%','i',']',' ',0};
- DWORD size;
+ int i, count = MSI_RecordGetFieldCount( record );
+ WCHAR *ret, *tmp, buf[26];
+ DWORD size = 1;
- count = MSI_RecordGetFieldCount(record);
-
- rc = msi_alloc(1);
- rc[0] = 0;
- size = 1;
+ if (!(ret = msi_alloc( sizeof(*ret) ))) return NULL;
+ ret[0] = 0;
for (i = 1; i <= count; i++)
{
- sprintfW(buf, fmt, i, i);
- size += lstrlenW(buf);
- rc = msi_realloc(rc, size * sizeof(WCHAR));
- lstrcatW(rc, buf);
+ size += sprintfW( buf, fmt, i, i );
+ if (!(tmp = msi_realloc( ret, size * sizeof(*ret) )))
+ {
+ msi_free( ret );
+ return NULL;
+ }
+ ret = tmp;
+ strcatW( ret, buf );
}
-
- return rc;
+ return ret;
}
static BOOL format_is_number(WCHAR x)
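Review bot: `sprintfW( buf, fmt, i, i )` still writes into the fixed `buf[26]` with no bound, and nothing in the function says why 26 is enough. The size is exact only because `i` is a positive 32-bit int: two values of at most 10 digits plus the five literal characters of `fmt` and the terminator. I would record that next to the declaration, e.g. `/* worst case of fmt: 2 * 10 digits + 5 literal chars + NUL = 26 */`, so a later change to `fmt` or the counter type does not silently reintroduce an overrun. Separately, the function can now return NULL after a failed `msi_alloc` or `msi_realloc`; its caller lies outside this hunk, so it is worth confirming that it checks the result before use.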