Avoid buffer overflows in builtin dll loading (with the help of Dmitry

Timoshkov).

if1632/builtin.c

@@ -136,16 +136,19 @@ static HMODULE16 BUILTIN_DoLoadModule16( const BUILTIN16_DESCRIPTOR *descr )
  */
 HMODULE16 BUILTIN_LoadModule( LPCSTR name )
 {
-    char dllname[16], *p;
+    char dllname[20], *p;
     void *handle;
     int i;
 
     /* Fix the name in case we have a full path and extension */
 
     if ((p = strrchr( name, '\\' ))) name = p + 1;
-    lstrcpynA( dllname, name, sizeof(dllname) );
+    if ((p = strrchr( name, '/' ))) name = p + 1;
+
+    if (strlen(name) >= sizeof(dllname)-4) return (HMODULE16)2;
+
+    strcpy( dllname, name );
     p = strrchr( dllname, '.' );
-	 
     if (!p) strcat( dllname, ".dll" );
 
     for (i = 0; i < nb_dlls; i++)

relay32/builtin32.c

@@ -264,15 +264,19 @@ WINE_MODREF *BUILTIN32_LoadLibraryExA(LPCSTR path, DWORD flags)
 {
     HMODULE module;
     WINE_MODREF   *wm;
-    char           dllname[MAX_PATH], *p;
+    char dllname[20], *p;
+    LPCSTR name;
     void *handle;
     int i;
 
     /* Fix the name in case we have a full path and extension */
-    if ((p = strrchr( path, '\\' ))) p++;
-    else p = (char *)path; 
-    lstrcpynA( dllname, p, sizeof(dllname) );
+    name = path;
+    if ((p = strrchr( name, '\\' ))) name = p + 1;
+    if ((p = strrchr( name, '/' ))) name = p + 1;
 
+    if (strlen(name) >= sizeof(dllname)-4) goto error;
+
+    strcpy( dllname, name );
     p = strrchr( dllname, '.' );
     if (!p) strcat( dllname, ".dll" );
 
@@ -288,6 +292,7 @@ WINE_MODREF *BUILTIN32_LoadLibraryExA(LPCSTR path, DWORD flags)
         BUILTIN32_dlclose( handle );
     }
 
+ error:
     SetLastError( ERROR_FILE_NOT_FOUND );
     return NULL;