[Wine-patches] [eter-2.1 1/2] mountmgr.sys: Fix heap corruption caused by incorrectly calculated offsets for the WCHAR* pointer. (eterbug #10853).

Dmitry Timoshkov dtimoshkov на etersoft.ru
Чт Ноя 5 12:07:47 MSK 2015


1. WCHAR *p1, *p2;
'p2 = p1 + 10;' is equivalent to 'p2 = (char *)p1 + 10 * sizeof(*p1);'
2. MultiByteToWideChar() takes the size of the output buffer as a number of
characters, not bytes.
---
 dlls/mountmgr.sys/device.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/dlls/mountmgr.sys/device.c b/dlls/mountmgr.sys/device.c
index 368a71c..e265665 100644
--- a/dlls/mountmgr.sys/device.c
+++ b/dlls/mountmgr.sys/device.c
@@ -790,20 +790,20 @@ static void register_usbstor_device( struct dos_drive *drive, const char *vendor
                                 + strlen(serial) + 4) * sizeof(WCHAR) );
     if (!devnameW) return;
 
-    vendorW = devnameW + size;
-    size = (strlen(vendor) + 1) * sizeof(WCHAR);
+    vendorW = devnameW + size / sizeof(WCHAR);
+    size = strlen(vendor) + 1;
     MultiByteToWideChar( CP_ACP, 0, vendor, -1, vendorW, size );
 
     productW = vendorW + size;
-    size = (strlen(product) + 1) * sizeof(WCHAR);
+    size = strlen(product) + 1;
     MultiByteToWideChar( CP_ACP, 0, product, -1, productW, size );
 
     revisionW = productW + size;
-    size = (strlen(revision) + 1) * sizeof(WCHAR);
+    size = strlen(revision) + 1;
     MultiByteToWideChar( CP_ACP, 0, revision, -1, revisionW, size );
 
     serialW = revisionW + size;
-    size = (strlen(serial) + 1) * sizeof(WCHAR);
+    size = strlen(serial) + 1;
     MultiByteToWideChar( CP_ACP, 0, serial, -1, serialW, size );
 
     sprintfW( devnameW, disk_idW, usbstorW, vendorW, productW, revisionW, serialW );
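Review bot: `size` still carries two different units in this hunk: it is a byte count where `vendorW = devnameW + size / sizeof(WCHAR);` reads it and a character count from `size = strlen(vendor) + 1;` onward, which is the same unit confusion that produced the heap corruption being fixed. A separate variable for the character counts, for example `len = strlen(vendor) + 1;` then `MultiByteToWideChar( CP_ACP, 0, vendor, -1, vendorW, len );` and `productW = vendorW + len;`, would keep the WCHAR pointer arithmetic from regressing. The return values of the four MultiByteToWideChar() calls are also ignored, so if a conversion fails, the unbounded `sprintfW` reads that sub-buffer with no guarantee of a terminator. The allocation flags and the initial `size` computation are above the hunk, so it cannot be confirmed from here whether the buffer is zeroed or whether the prefix is large enough for the in-place format. The body of register_usbstor_device starts and ends outside the hunk.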
-- 
2.6.2


