16 Oct
2005
16 Oct
'05
1:27 a.m.
fix two buffer overflows
Modified: trunk/reactos/subsys/csrss/init.c
_____
Modified: trunk/reactos/subsys/csrss/init.c
--- trunk/reactos/subsys/csrss/init.c 2005-10-16 01:26:52 UTC (rev
18489)
+++ trunk/reactos/subsys/csrss/init.c 2005-10-16 01:27:32 UTC (rev
18490)
@@ -401,16 +401,21 @@
AnsiEnv.Buffer = RtlAllocateHeap (RtlGetProcessHeap(), 0,
CharCount);
if (NULL != AnsiEnv.Buffer)
{
+
PCHAR WritePos = AnsiEnv.Buffer;
for (Index=0; NULL != envp[Index]; Index++)
{
- strcat (WritePos, envp[Index]);
+ strcpy (WritePos, envp[Index]);
WritePos += strlen (envp[Index]) + 1;
}
- AnsiEnv.Buffer [CharCount] = '\0';
+
+ /* FIXME: the last (double) nullterm should perhaps not be
included in Length
+ * but only in MaximumLength. -Gunnar */
+ AnsiEnv.Buffer [CharCount-1] = '\0';
AnsiEnv.Length = CharCount;
AnsiEnv.MaximumLength = CharCount;
+
RtlAnsiStringToUnicodeString (UnicodeEnv, & AnsiEnv,
TRUE);
RtlFreeHeap (RtlGetProcessHeap(), 0, AnsiEnv.Buffer);
}
7023
days inactive
7023
days old
0 comments
1 participants
participants (1)
-
gdalsnes@svn.reactos.com