[ros-diffs] [jmorlan] 42623: Fix a buffer overflow in ConvertULargeInteger
jmorlan at svn.reactos.org
jmorlan at svn.reactos.org
Tue Aug 11 18:21:47 CEST 2009
Author: jmorlan
Date: Tue Aug 11 18:21:46 2009
New Revision: 42623
URL: http://svn.reactos.org/svn/reactos?rev=42623&view=rev
Log:
Fix a buffer overflow in ConvertULargeInteger
Modified:
trunk/reactos/base/shell/cmd/cmd.c
Modified: trunk/reactos/base/shell/cmd/cmd.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/shell/cmd/cmd.c?rev=42623&r1=42622&r2=42623&view=diff
==============================================================================
--- trunk/reactos/base/shell/cmd/cmd.c [iso-8859-1] (original)
+++ trunk/reactos/base/shell/cmd/cmd.c [iso-8859-1] Tue Aug 11 18:21:46 2009
@@ -182,7 +182,7 @@
INT
ConvertULargeInteger(ULONGLONG num, LPTSTR des, INT len, BOOL bPutSeperator)
{
- TCHAR temp[32];
+ TCHAR temp[39]; /* maximum length with nNumberGroups == 1 */
UINT n, iTarget;
if (len <= 1)
@@ -198,15 +198,15 @@
if (iTarget == n && bPutSeperator)
{
iTarget += nNumberGroups + 1;
- temp[31 - n++] = cThousandSeparator;
- }
- temp[31 - n++] = (TCHAR)(num % 10) + _T('0');
+ temp[38 - n++] = cThousandSeparator;
+ }
+ temp[38 - n++] = (TCHAR)(num % 10) + _T('0');
num /= 10;
} while (num > 0);
if (n > len-1)
n = len-1;
- memcpy(des, temp + 32 - n, n * sizeof(TCHAR));
+ memcpy(des, temp + 39 - n, n * sizeof(TCHAR));
des[n] = _T('\0');
return n;
More information about the Ros-diffs
mailing list