[ros-diffs] [weiden] 20088: fixed uninitialized variable warnings and possible buffer overflows when reading strings from the registry that aren't NULL-terminated

weiden at svn.reactos.com weiden at svn.reactos.com
Sun Dec 11 23:13:50 CET 2005 

fixed uninitialized variable warnings and possible buffer overflows when
reading strings from the registry that aren't NULL-terminated
Modified: trunk/reactos/lib/setupapi/devinst.c
  _____  

Modified: trunk/reactos/lib/setupapi/devinst.c
--- trunk/reactos/lib/setupapi/devinst.c	2005-12-11 21:29:07 UTC
(rev 20087)
+++ trunk/reactos/lib/setupapi/devinst.c	2005-12-11 22:13:46 UTC
(rev 20088)
@@ -1872,13 +1872,14 @@

         SetLastError(ERROR_NOT_ENOUGH_MEMORY);
         goto cleanup;
     }
-    Buffer[dwLength / sizeof(WCHAR)] = 0;
     rc = RegQueryValueExW(hClassKey, L"Icon", NULL, NULL,
(LPBYTE)Buffer, &dwLength);
     if (rc != ERROR_SUCCESS)
     {
         SetLastError(rc);
         goto cleanup;
     }
+    /* make sure the returned buffer is NULL-terminated */
+    Buffer[dwLength / sizeof(WCHAR)] = 0;
 
     /* Transform "Icon" value to a INT */
     *ImageIndex = atoiW(Buffer);
@@ -2065,7 +2066,7 @@
             rc = RegQueryValueExW(hKey, L"Installer32", NULL,
&dwRegType, NULL, &dwLength);
             if (rc == ERROR_SUCCESS && dwRegType == REG_SZ)
             {
-                Buffer = MyMalloc(dwLength);
+                Buffer = MyMalloc(dwLength + sizeof(WCHAR));
                 if (Buffer == NULL)
                 {
                     SetLastError(ERROR_NOT_ENOUGH_MEMORY);
@@ -2077,12 +2078,14 @@
                     SetLastError(rc);
                     goto cleanup;
                 }
+                /* make sure the returned buffer is NULL-terminated */
+                Buffer[dwLength / sizeof(WCHAR)] = 0;
             }
             else if
                 (ERROR_SUCCESS == (rc = RegQueryValueExW(hKey,
L"EnumPropPages32", NULL, &dwRegType, NULL, &dwLength))
                 && dwRegType == REG_SZ)
             {
-                Buffer = MyMalloc(dwLength);
+                Buffer = MyMalloc(dwLength + sizeof(WCHAR));
                 if (Buffer == NULL)
                 {
                     SetLastError(ERROR_NOT_ENOUGH_MEMORY);
@@ -2094,6 +2097,8 @@
                     SetLastError(rc);
                     goto cleanup;
                 }
+                /* make sure the returned buffer is NULL-terminated */
+                Buffer[dwLength / sizeof(WCHAR)] = 0;
             }
             else
             {
@@ -2108,6 +2113,7 @@
                 goto cleanup;
             }
             *Comma = '\0';
+            DllName = Buffer;
         }
         else
         {
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.reactos.org/pipermail/ros-diffs/attachments/20051211/d64484d3/attachment.html

More information about the Ros-diffs mailing list