fix two buffer overflows Modified: trunk/reactos/subsys/csrss/init.c _____
Modified: trunk/reactos/subsys/csrss/init.c
--- trunk/reactos/subsys/csrss/init.c 2005-10-16 01:26:52 UTC (rev 18489)
+++ trunk/reactos/subsys/csrss/init.c 2005-10-16 01:27:32 UTC (rev 18490)
@@ -401,16 +401,21 @@
AnsiEnv.Buffer = RtlAllocateHeap (RtlGetProcessHeap(), 0, CharCount); if (NULL != AnsiEnv.Buffer) { + PCHAR WritePos = AnsiEnv.Buffer; for (Index=0; NULL != envp[Index]; Index++) { - strcat (WritePos, envp[Index]); + strcpy (WritePos, envp[Index]); WritePos += strlen (envp[Index]) + 1; } - AnsiEnv.Buffer [CharCount] = '\0'; + + /* FIXME: the last (double) nullterm should perhaps not be included in Length + * but only in MaximumLength. -Gunnar */ + AnsiEnv.Buffer [CharCount-1] = '\0'; AnsiEnv.Length = CharCount; AnsiEnv.MaximumLength = CharCount; + RtlAnsiStringToUnicodeString (UnicodeEnv, & AnsiEnv, TRUE); RtlFreeHeap (RtlGetProcessHeap(), 0, AnsiEnv.Buffer); }
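Review bot: `AnsiEnv.Length = CharCount;` and `AnsiEnv.MaximumLength = CharCount;` store the byte count in the USHORT fields of an ANSI_STRING, so an environment larger than 0xFFFF bytes would be silently truncated and the converted block could lose its terminating double NUL, even though the write at `CharCount-1` is now in bounds. CharCount is declared and computed outside this hunk (the enclosing function starts and ends outside it), so its type and range need confirming; if it can exceed that limit, a guard before the allocation such as `if (CharCount > 0xFFFF)` leading to the function's failure path would close the gap. The result of `RtlAnsiStringToUnicodeString (UnicodeEnv, & AnsiEnv, TRUE);` is also discarded, which leaves `UnicodeEnv` in an unknown state for the caller when the conversion fails; checking the returned status with `NT_SUCCESS(...)` would surface that. The unbounded `strcpy` in the loop stays within the allocation only while CharCount was derived from the same `envp` as the sum of `strlen (envp[Index]) + 1` plus the final terminator, so a comment at the loop stating that invariant, `/* CharCount == sum(strlen(envp[i]) + 1) + 1; keep in sync with the size pass */`, would help the next editor.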