From fac2e9a28297a0186254408bf4fd2a343e822103 Mon Sep 17 00:00:00 2001
From: Piotr Caban <piotr@codeweavers.com>
Date: Thu, 9 Nov 2017 16:07:48 +0100
Subject: [PATCH] fusion: Respect buffer size in IAssemblyNameImpl_GetProperty.

Signed-off-by: Piotr Caban <piotr@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
---
 dlls/fusion/asmname.c       | 41 +++++++++++++++++++++++++++++--------
 dlls/fusion/tests/asmname.c | 16 ++++++++++++++-
 2 files changed, 47 insertions(+), 10 deletions(-)

diff --git a/dlls/fusion/asmname.c b/dlls/fusion/asmname.c
index 1bfe9c13a36..e3f1ee49afd 100644
--- a/dlls/fusion/asmname.c
+++ b/dlls/fusion/asmname.c
@@ -31,6 +31,7 @@
 #include "guiddef.h"
 #include "fusion.h"
 #include "corerror.h"
+#include "strsafe.h"
 
 #include "wine/debug.h"
 #include "wine/unicode.h"
@@ -138,11 +139,11 @@ static HRESULT WINAPI IAssemblyNameImpl_GetProperty(IAssemblyName *iface,
                                                     LPDWORD pcbProperty)
 {
     IAssemblyNameImpl *name = impl_from_IAssemblyName(iface);
+    DWORD size;
 
     TRACE("(%p, %d, %p, %p)\n", iface, PropertyId, pvProperty, pcbProperty);
 
-    *((LPWSTR)pvProperty) = '\0';
-
+    size = *pcbProperty;
     switch (PropertyId)
     {
         case ASM_NAME_NULL_PUBLIC_KEY:
@@ -158,45 +159,65 @@ static HRESULT WINAPI IAssemblyNameImpl_GetProperty(IAssemblyName *iface,
             *pcbProperty = 0;
             if (name->name)
             {
-                lstrcpyW(pvProperty, name->name);
                 *pcbProperty = (lstrlenW(name->name) + 1) * 2;
+                if (size < *pcbProperty)
+                    return STRSAFE_E_INSUFFICIENT_BUFFER;
+                lstrcpyW(pvProperty, name->name);
             }
             break;
 
         case ASM_NAME_MAJOR_VERSION:
             *pcbProperty = 0;
-            *((WORD *)pvProperty) = name->version[0];
             if (name->versize >= 1)
+            {
                 *pcbProperty = sizeof(WORD);
+                if (size < *pcbProperty)
+                    return STRSAFE_E_INSUFFICIENT_BUFFER;
+                *((WORD *)pvProperty) = name->version[0];
+            }
             break;
 
         case ASM_NAME_MINOR_VERSION:
             *pcbProperty = 0;
-            *((WORD *)pvProperty) = name->version[1];
             if (name->versize >= 2)
+            {
                 *pcbProperty = sizeof(WORD);
+                if (size < *pcbProperty)
+                    return STRSAFE_E_INSUFFICIENT_BUFFER;
+                *((WORD *)pvProperty) = name->version[1];
+            }
             break;
 
         case ASM_NAME_BUILD_NUMBER:
             *pcbProperty = 0;
-            *((WORD *)pvProperty) = name->version[2];
             if (name->versize >= 3)
+            {
                 *pcbProperty = sizeof(WORD);
+                if (size < *pcbProperty)
+                    return STRSAFE_E_INSUFFICIENT_BUFFER;
+                *((WORD *)pvProperty) = name->version[2];
+            }
             break;
 
         case ASM_NAME_REVISION_NUMBER:
             *pcbProperty = 0;
-            *((WORD *)pvProperty) = name->version[3];
             if (name->versize >= 4)
+            {
                 *pcbProperty = sizeof(WORD);
+                if (size < *pcbProperty)
+                    return STRSAFE_E_INSUFFICIENT_BUFFER;
+                *((WORD *)pvProperty) = name->version[3];
+            }
             break;
 
         case ASM_NAME_CULTURE:
             *pcbProperty = 0;
             if (name->culture)
             {
-                lstrcpyW(pvProperty, name->culture);
                 *pcbProperty = (lstrlenW(name->culture) + 1) * 2;
+                if (size < *pcbProperty)
+                    return STRSAFE_E_INSUFFICIENT_BUFFER;
+                lstrcpyW(pvProperty, name->culture);
             }
             break;
 
@@ -204,8 +225,10 @@ static HRESULT WINAPI IAssemblyNameImpl_GetProperty(IAssemblyName *iface,
             *pcbProperty = 0;
             if (name->haspubkey)
             {
-                memcpy(pvProperty, name->pubkey, sizeof(DWORD) * 2);
                 *pcbProperty = sizeof(DWORD) * 2;
+                if (size < *pcbProperty)
+                    return STRSAFE_E_INSUFFICIENT_BUFFER;
+                memcpy(pvProperty, name->pubkey, sizeof(DWORD) * 2);
             }
             break;
 
diff --git a/dlls/fusion/tests/asmname.c b/dlls/fusion/tests/asmname.c
index b93f289f4c5..556a143b5ae 100644
--- a/dlls/fusion/tests/asmname.c
+++ b/dlls/fusion/tests/asmname.c
@@ -24,6 +24,7 @@
 #include <mscoree.h>
 #include <fusion.h>
 #include <corerror.h>
+#include <strsafe.h>
 
 #include "wine/test.h"
 
@@ -362,7 +363,11 @@ static void test_assembly_name_props_line(IAssemblyName *name,
         if (hr != E_INVALIDARG)
         {
             ok(size == vals[i].size, "%d: prop %d: Expected %d, got %d\n", line, i, vals[i].size, size);
-            if (size && size != MAX_PATH)
+            if (!size)
+            {
+                ok(str[0] == 0xcccc, "%d: prop %d: str[0] = %x\n", line, i, str[0]);
+            }
+            else if (size != MAX_PATH)
             {
                 if (i != ASM_NAME_NAME && i != ASM_NAME_CULTURE)
                     ok( !memcmp( vals[i].val, str, size ), "%d: prop %d: wrong value\n", line, i );
@@ -370,6 +375,15 @@ static void test_assembly_name_props_line(IAssemblyName *name,
                     ok( !lstrcmpW( expect, str ), "%d: prop %d: Expected %s, got %s\n",
                         line, i, wine_dbgstr_w(expect), wine_dbgstr_w(str) );
             }
+
+            if (size != 0 && size != MAX_PATH)
+            {
+                size--;
+                hr = IAssemblyName_GetProperty(name, i, str, &size);
+                ok(hr == STRSAFE_E_INSUFFICIENT_BUFFER,
+                        "%d: prop %d: Expected STRSAFE_E_INSUFFICIENT_BUFFER, got %08x\n", line, i, hr);
+                ok(size == vals[i].size, "%d: prop %d: Expected %d, got %d\n", line, i, vals[i].size, size);
+            }
         }
     }
 }