[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wine-devel
Subject:    Re: wordpad: Avoid buffer overrun in registry_set_filelist.
From:       Thomas Faber <thomas.faber () reactos ! org>
Date:       2016-06-27 11:25:50
Message-ID: 789d91bb-5fb4-ef9b-0c71-eec304d4ae16 () reactos ! org
[Download RAW message or body]

On 2016-06-27 09:53, Huw Davies wrote:
> On Sun, Jun 26, 2016 at 11:42:31AM +0200, Thomas Faber wrote:
>> @@ -298,7 +298,7 @@ void registry_set_filelist(LPCWSTR newFile, HWND hMainWnd)
>>                  if(!lstrcmpiW(pFiles[i], newFile))
>>                  {
>>                      int j;
>> -                    for(j = 0; pFiles[j] && j < i; j++)
>> +                    for(j = 0; j < i && pFiles[j]; j++)
>>                      {
>>                          pFiles[i-j] = pFiles[i-j-1];
>>                      }
> 
> This looks odd to me.  I don't see how this could avoid an overflow;
> pFiles[i] is valid at this point and so pFiles[j] will be ok if j == i.
> 
> More confusingly though, is why pFiles[j] is in the test at all.

Oops, you're completely right, thanks for catching that.

I agree that pFiles[j] cannot be NULL here. I'll send a patch to remove
the check.

Thanks.
-Thomas



[prev in list] [next in list] [prev in thread] [next in thread]