Fixed a buffer overflow in RefreshListView.
Modified: trunk/reactos/subsys/system/regedit/listview.c
_____
Modified: trunk/reactos/subsys/system/regedit/listview.c
--- trunk/reactos/subsys/system/regedit/listview.c 2005-12-04
15:09:07 UTC (rev 19871)
+++ trunk/reactos/subsys/system/regedit/listview.c 2005-12-04
15:18:11 UTC (rev 19872)
@@ -552,12 +552,10 @@
errCode = RegQueryInfoKey(hNewKey, NULL, NULL, NULL, NULL,
&max_sub_key_len, NULL,
&val_count, &max_val_name_len,
&max_val_size, NULL, NULL);
- #define BUF_HEAD_SPACE 2 /* FIXME: check why this is required with
ROS ??? */
-
if (errCode == ERROR_SUCCESS) {
- TCHAR* ValName = HeapAlloc(GetProcessHeap(), 0,
++max_val_name_len * sizeof(TCHAR) + BUF_HEAD_SPACE);
+ TCHAR* ValName = HeapAlloc(GetProcessHeap(), 0,
++max_val_name_len * sizeof(TCHAR));
DWORD dwValNameLen = max_val_name_len;
- BYTE* ValBuf = HeapAlloc(GetProcessHeap(), 0, ++max_val_size/*
+ BUF_HEAD_SPACE*/);
+ BYTE* ValBuf = HeapAlloc(GetProcessHeap(), 0, max_val_size +
sizeof(TCHAR));
DWORD dwValSize = max_val_size;
DWORD dwIndex = 0L;
DWORD dwValType;
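Review bot: Neither `HeapAlloc` result (`ValName`, `ValBuf`) is checked for NULL in this hunk, and the following hunk passes both to `RegEnumValue` and then writes a terminator through `ValBuf`. Unless a check sits in the few lines between the two hunks, which are not visible here, an allocation failure turns into a write through a NULL pointer. Testing both pointers before the loop, and releasing whichever one succeeded with `HeapFree`, would close that path. Separately, the `++max_val_name_len` buried in the size expression changes a value that `dwValNameLen` and the loop reset later depend on; doing the increment on its own line with a comment such as `/* room for the terminating NUL */` would make the sizing easier to audit. The enclosing function begins and ends outside the hunk.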
@@ -566,7 +564,8 @@
/* } */
/* dwValSize = max_val_size; */
while (RegEnumValue(hNewKey, dwIndex, ValName, &dwValNameLen,
NULL, &dwValType, ValBuf, &dwValSize) == ERROR_SUCCESS) {
- ValBuf[dwValSize] = 0;
+ /* Add a terminating 0 character. Usually this is only
necessary for strings. */
+ ((TCHAR*)ValBuf)[dwValSize/sizeof(TCHAR)] = 0;
AddEntryToList(hwndLV, ValName, dwValType, ValBuf,
dwValSize, -1, TRUE);
dwValNameLen = max_val_name_len;
dwValSize = max_val_size;
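Review bot: The new terminator write `((TCHAR*)ValBuf)[dwValSize/sizeof(TCHAR)] = 0;` rounds the index down, so when `dwValSize` is odd in a UNICODE build (for example a `REG_BINARY` value with an odd byte count) the zero lands on the last data byte and clobbers it before `AddEntryToList` sees the buffer. The write stays inside the `max_val_size + sizeof(TCHAR)` allocation, so this is data corruption rather than an overflow. Since the comment already says the terminator is only needed for strings, the write could be limited to string types: `if (dwValType == REG_SZ || dwValType == REG_EXPAND_SZ || dwValType == REG_MULTI_SZ)`. The `while` loop body continues past the end of the hunk.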