[ros-diffs] [hbirr] 19872: Fixed a buffer overflow in RefreshListView.

hbirr at svn.reactos.com hbirr at svn.reactos.com
Sun Dec 4 16:18:31 CET 2005


Fixed a buffer overflow in RefreshListView.
Modified: trunk/reactos/subsys/system/regedit/listview.c
  _____  

Modified: trunk/reactos/subsys/system/regedit/listview.c
--- trunk/reactos/subsys/system/regedit/listview.c	2005-12-04
15:09:07 UTC (rev 19871)
+++ trunk/reactos/subsys/system/regedit/listview.c	2005-12-04
15:18:11 UTC (rev 19872)
@@ -552,12 +552,10 @@

     errCode = RegQueryInfoKey(hNewKey, NULL, NULL, NULL, NULL,
&max_sub_key_len, NULL,
                               &val_count, &max_val_name_len,
&max_val_size, NULL, NULL);
 
-    #define BUF_HEAD_SPACE 2 /* FIXME: check why this is required with
ROS ??? */
-
     if (errCode == ERROR_SUCCESS) {
-        TCHAR* ValName = HeapAlloc(GetProcessHeap(), 0,
++max_val_name_len * sizeof(TCHAR) + BUF_HEAD_SPACE);
+        TCHAR* ValName = HeapAlloc(GetProcessHeap(), 0,
++max_val_name_len * sizeof(TCHAR));
         DWORD dwValNameLen = max_val_name_len;
-        BYTE* ValBuf = HeapAlloc(GetProcessHeap(), 0, ++max_val_size/*
+ BUF_HEAD_SPACE*/);
+        BYTE* ValBuf = HeapAlloc(GetProcessHeap(), 0, max_val_size +
sizeof(TCHAR));
         DWORD dwValSize = max_val_size;
         DWORD dwIndex = 0L;
         DWORD dwValType;
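Review bot: Neither `HeapAlloc` result is checked in the lines shown, so a failed allocation of `ValName` or `ValBuf` would be handed to `RegEnumValue`, and `ValBuf` would also reach the terminator write in the next hunk. The two lines between this hunk and the next are not visible, so confirm there is no check there. If there is none, wrap the enumeration in `if (ValName != NULL && ValBuf != NULL)` and free whichever pointer was obtained. Separately, `++max_val_name_len` inside the size expression also changes what `dwValNameLen` is initialised to on the following line; incrementing in its own statement would make the terminator accounting easier to audit. The `if (errCode == ERROR_SUCCESS)` block continues past the end of this hunk.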
@@ -566,7 +564,8 @@
         /*                } */
         /*                dwValSize = max_val_size; */
         while (RegEnumValue(hNewKey, dwIndex, ValName, &dwValNameLen,
NULL, &dwValType, ValBuf, &dwValSize) == ERROR_SUCCESS) {
-            ValBuf[dwValSize] = 0;
+            /* Add a terminating 0 character. Usually this is only
necessary for strings. */
+            ((TCHAR*)ValBuf)[dwValSize/sizeof(TCHAR)] = 0;
             AddEntryToList(hwndLV, ValName, dwValType, ValBuf,
dwValSize, -1, TRUE);
             dwValNameLen = max_val_name_len;
             dwValSize = max_val_size;
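Review bot: The new write `((TCHAR*)ValBuf)[dwValSize/sizeof(TCHAR)] = 0;` rounds the index down, so in a UNICODE build any value with an odd byte count (REG_BINARY data, for example) has its last data byte zeroed before `AddEntryToList` receives it. The store stays inside the `max_val_size + sizeof(TCHAR)` allocation from the previous hunk, so this is silent data corruption rather than an overflow. Since the added comment already says the terminator matters only for strings, the write could be limited to string types: `if (dwValType == REG_SZ || dwValType == REG_EXPAND_SZ || dwValType == REG_MULTI_SZ)` in front of it. Whether `AddEntryToList` relies on the terminator for other types is not visible here and should be checked first. The `while` body continues outside the hunk.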