Author: cwittich Date: Tue Nov 20 19:05:59 2007 New Revision: 30599
URL: http://svn.reactos.org/svn/reactos?rev=30599&view=rev Log: limit length of szValue to LF_FACESIZE to prevent a buffer overflow initialize szValue
Modified: trunk/reactos/subsystems/win32/csrss/win32csr/guiconsole.c
Modified: trunk/reactos/subsystems/win32/csrss/win32csr/guiconsole.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/csrss/win3...
==============================================================================
--- trunk/reactos/subsystems/win32/csrss/win32csr/guiconsole.c (original)
+++ trunk/reactos/subsystems/win32/csrss/win32csr/guiconsole.c Tue Nov 20 19:05:59 2007
@@ -506,7 +506,7 @@
 DWORD dwValue;
 DWORD dwType;
 WCHAR szValueName[MAX_PATH];
- WCHAR szValue[MAX_PATH];
+ WCHAR szValue[LF_FACESIZE] = L"\0";
 DWORD Value;
 if (RegQueryInfoKey(hKey, NULL, NULL, NULL, NULL, NULL, NULL, &dwNumSubKeys, NULL, NULL, NULL, NULL) != ERROR_SUCCESS)
@@ -530,7 +530,7 @@
 * retry in case of string value
 */
 dwValue = sizeof(szValue);
- dwValueName = MAX_PATH;
+ dwValueName = LF_FACESIZE;
 if (RegEnumValueW(hKey, dwIndex, szValueName, &dwValueName, NULL, NULL, (BYTE*)szValue, &dwValue) != ERROR_SUCCESS)
 break;
 }
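Review bot: The initializer on `WCHAR szValue[LF_FACESIZE] = L"\0";` only guarantees a terminator before the first registry read; RegEnumValueW does not add one when the stored REG_SZ data lacks it, so a value that fills all sizeof(szValue) bytes leaves the buffer unterminated for whatever consumes it later (that code is outside the hunk). I would terminate explicitly after each successful string read, `szValue[LF_FACESIZE - 1] = L'\0';`. As a style point the initializer can be written `L""`, since the literal already carries its own terminator. A short comment on the declaration explaining why LF_FACESIZE is the right bound (presumably the string ends up in a face-name field, which the hunk does not show) would help the next reader.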
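Review bot: `dwValueName = LF_FACESIZE;` shrinks the wrong length: dwValueName is the capacity of szValueName in characters, and that buffer is still declared as `WCHAR szValueName[MAX_PATH]` in the first hunk, while the data buffer is already bounded by `dwValue = sizeof(szValue);` on the line above. With this value, a registry value whose name is LF_FACESIZE characters or longer makes the retry fail and reach `break`, which appears to end the whole enumeration (the loop starts and ends outside the hunk). I would keep the name capacity tied to its own buffer, `dwValueName = sizeof(szValueName) / sizeof(szValueName[0]);`. If an oversized string is meant to be skipped rather than to stop the scan, ERROR_MORE_DATA should be handled separately from other failures instead of sharing the `break`.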