[jmorlan] 42623: Fix a buffer overflow in ConvertULargeInteger - Ros-diffs

11 Aug 2009

Author: jmorlan
Date: Tue Aug 11 18:21:46 2009
New Revision: 42623
URL: http://svn.reactos.org/svn/reactos?rev=42623&view=rev
Log:
Fix a buffer overflow in ConvertULargeInteger
Modified:
    trunk/reactos/base/shell/cmd/cmd.c
Modified: trunk/reactos/base/shell/cmd/cmd.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/shell/cmd/cmd.c?rev=42...
==============================================================================

--- trunk/reactos/base/shell/cmd/cmd.c [iso-8859-1] (original)
+++ trunk/reactos/base/shell/cmd/cmd.c [iso-8859-1] Tue Aug 11 18:21:46 2009
@@ -182,7 +182,7 @@
 INT
 ConvertULargeInteger(ULONGLONG num, LPTSTR des, INT len, BOOL bPutSeperator)
 {
-	TCHAR temp[32];
+	TCHAR temp[39];   /* maximum length with nNumberGroups == 1 */
    UINT  n, iTarget;
if (len <= 1)
@@ -198,15 +198,15 @@
    	if (iTarget == n && bPutSeperator)
    	{
    		iTarget += nNumberGroups + 1;
-			temp[31 - n++] = cThousandSeparator;
-		}
-		temp[31 - n++] = (TCHAR)(num % 10) + _T('0');
+			temp[38 - n++] = cThousandSeparator;
+		}
+		temp[38 - n++] = (TCHAR)(num % 10) + _T('0');
    	num /= 10;
    } while (num > 0);
    if (n > len-1)
    	n = len-1;
-	memcpy(des, temp + 32 - n, n * sizeof(TCHAR));
+	memcpy(des, temp + 39 - n, n * sizeof(TCHAR));
    des[n] = _T('\0');
return n;

    