system/wine
system/wine
1
0
Fork 0
mirror of git://source.winehq.org/git/wine.git synced 2024-07-23 22:46:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

kernelbase: Pass va_list copy to internal RtlFormatMessage.

Browse source 
va_list passed to RtlFormatMessage is modified even on error in this
case, if the buffer is not large enough, STATUS_BUFFER_OVERFLOW is
returned and FormatMessage tries again, but the va_list pointer is now
moved to a later argument, so the next call reads off the end,
crashing.

Signed-off-by: Daniel Lehman <dlehman25@gmail.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
This commit is contained in:
Daniel Lehman 2022-06-04 08:03:02 -07:00 committed by Alexandre Julliard
parent 8986f6fadd
commit 1714963a5f
1 changed files with 12 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
dlls/kernelbase/locale.c
View file

@ -5457,6 +5457,7 @@ DWORD WINAPI DECLSPEC_HOTPATCH FormatMessageW( DWORD flags, const void *source,
if (flags & FORMAT_MESSAGE_ALLOCATE_BUFFER)
{
WCHAR *result;
va_list args_copy;
ULONG alloc = max( size * sizeof(WCHAR), 65536 );
for (;;)
@ -5466,9 +5467,17 @@ DWORD WINAPI DECLSPEC_HOTPATCH FormatMessageW( DWORD flags, const void *source,
status = STATUS_NO_MEMORY;
break;
}
status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS),
FALSE, !!(flags & FORMAT_MESSAGE_ARGUMENT_ARRAY), args,
result, alloc, &retsize );
if (args && !(flags & FORMAT_MESSAGE_ARGUMENT_ARRAY))
{
va_copy( args_copy, *args );
status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS),
FALSE, FALSE, &args_copy, result, alloc, &retsize );
va_end( args_copy );
}
else
status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS),
FALSE, TRUE, args, result, alloc, &retsize );
if (!status)
{
if (retsize <= sizeof(WCHAR)) HeapFree( GetProcessHeap(), 0, result );