Fixed a buffer overflow in RefreshListView. Modified: trunk/reactos/subsys/system/regedit/listview.c _____

Modified: trunk/reactos/subsys/system/regedit/listview.c --- trunk/reactos/subsys/system/regedit/listview.c 2005-12-04 15:09:07 UTC (rev 19871) +++ trunk/reactos/subsys/system/regedit/listview.c 2005-12-04 15:18:11 UTC (rev 19872) @@ -552,12 +552,10 @@

errCode = RegQueryInfoKey(hNewKey, NULL, NULL, NULL, NULL, &max_sub_key_len, NULL, &val_count, &max_val_name_len, &max_val_size, NULL, NULL);

- #define BUF_HEAD_SPACE 2 /* FIXME: check why this is required with ROS ??? */ - if (errCode == ERROR_SUCCESS) { - TCHAR* ValName = HeapAlloc(GetProcessHeap(), 0, ++max_val_name_len * sizeof(TCHAR) + BUF_HEAD_SPACE); + TCHAR* ValName = HeapAlloc(GetProcessHeap(), 0, ++max_val_name_len * sizeof(TCHAR)); DWORD dwValNameLen = max_val_name_len; - BYTE* ValBuf = HeapAlloc(GetProcessHeap(), 0, ++max_val_size/* + BUF_HEAD_SPACE*/); + BYTE* ValBuf = HeapAlloc(GetProcessHeap(), 0, max_val_size + sizeof(TCHAR)); DWORD dwValSize = max_val_size; DWORD dwIndex = 0L; DWORD dwValType; @@ -566,7 +564,8 @@ /* } */ /* dwValSize = max_val_size; */ while (RegEnumValue(hNewKey, dwIndex, ValName, &dwValNameLen, NULL, &dwValType, ValBuf, &dwValSize) == ERROR_SUCCESS) { - ValBuf[dwValSize] = 0; + /* Add a terminating 0 character. Usually this is only necessary for strings. */ + ((TCHAR*)ValBuf)[dwValSize/sizeof(TCHAR)] = 0; AddEntryToList(hwndLV, ValName, dwValType, ValBuf, dwValSize, -1, TRUE); dwValNameLen = max_val_name_len; dwValSize = max_val_size;