[Wine-patches] [eterhack 1/2] mountmgr.sys: Fix heap corruption caused by incorrectly calculated offsets for the WCHAR* pointer. (eterbug #10853).
Dmitry Timoshkov
dtimoshkov at etersoft.ru
Mon Nov 9 08:12:15 MSK 2015
1. WCHAR *p1, *p2;
'p2 = p1 + 10;' is equal to 'p2 = (char *)p1 + 10 * sizeof(*p1);'
2. MultiByteToWideChar() for passed-in buffers takes the number of characters,
not bytes.
---
dlls/mountmgr.sys/device.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/dlls/mountmgr.sys/device.c b/dlls/mountmgr.sys/device.c
index 271e12a..227b49f 100644
--- a/dlls/mountmgr.sys/device.c
+++ b/dlls/mountmgr.sys/device.c
@@ -792,20 +792,20 @@ static void register_usbstor_device( struct dos_drive *drive, const char *vendor
+ strlen(serial) + 4) * sizeof(WCHAR) );
if (!devnameW) return;
- vendorW = devnameW + size;
- size = (strlen(vendor) + 1) * sizeof(WCHAR);
+ vendorW = devnameW + size / sizeof(WCHAR);
+ size = strlen(vendor) + 1;
MultiByteToWideChar( CP_ACP, 0, vendor, -1, vendorW, size );
productW = vendorW + size;
- size = (strlen(product) + 1) * sizeof(WCHAR);
+ size = strlen(product) + 1;
MultiByteToWideChar( CP_ACP, 0, product, -1, productW, size );
revisionW = productW + size;
- size = (strlen(revision) + 1) * sizeof(WCHAR);
+ size = strlen(revision) + 1;
MultiByteToWideChar( CP_ACP, 0, revision, -1, revisionW, size );
serialW = revisionW + size;
- size = (strlen(serial) + 1) * sizeof(WCHAR);
+ size = strlen(serial) + 1;
MultiByteToWideChar( CP_ACP, 0, serial, -1, serialW, size );
sprintfW( devnameW, disk_idW, usbstorW, vendorW, productW, revisionW, serialW );
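Review bot: `size` still changes unit partway through this hunk: at `vendorW = devnameW + size / sizeof(WCHAR);` it holds a byte count, and from `size = strlen(vendor) + 1;` onward it holds a WCHAR count, which is the same kind of confusion that produced the bad offsets in the first place. Keeping the value in WCHARs from the point where it is first computed, or giving the byte count its own clearly named variable, would let every `xW + size` step be read without the division. Separately, the return value of each MultiByteToWideChar() call is ignored; if a conversion returns 0, that slice of the buffer is not guaranteed to be terminated and sprintfW() will format whatever is there, so a check for a zero return before the sprintfW() call would be worth adding.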
--
2.6.2