https://git.reactos.org/?p=reactos.git;a=commitdiff;h=b4b1c5b9aac030f96a0bb58f14e7de9bee17d3c5

commit b4b1c5b9aac030f96a0bb58f14e7de9bee17d3c5
Author:     Hermès Bélusca-Maïto <[email protected]>
AuthorDate: Thu Oct 12 15:34:06 2023 +0200
Commit:     Hermès Bélusca-Maïto <[email protected]>
CommitDate: Mon Nov 13 16:26:00 2023 +0100

    [DEVMGR] Fix some bugs spotted by Thomas Faber in PR #5775 (#5790)
    
    - Fix TCHAR/WCHAR mis-usage,
    - As a result, fix a buffer overflow (GlobalAlloc takes the size in
      bytes, but a number of characters was passed to it instead).
    - Remove usage of unsafe string function. Now the item text is directly
      retrieved within the allocated buffer.
---
 dll/win32/devmgr/properties/advprop.cpp | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/dll/win32/devmgr/properties/advprop.cpp 
b/dll/win32/devmgr/properties/advprop.cpp
index c53fe65a46c..1c776069465 100644
--- a/dll/win32/devmgr/properties/advprop.cpp
+++ b/dll/win32/devmgr/properties/advprop.cpp
@@ -413,7 +413,7 @@ DriverDetailsDlgProc(IN HWND hwndDlg,
                                                  pnmv->iItem,
                                                  pnmv->iSubItem,
                                                  szDriverPath,
-                                                 MAX_PATH);
+                                                 _countof(szDriverPath));
 
                             UpdateDriverVersionInfoDetails(hwndDlg,
                                                            szDriverPath);
@@ -1944,16 +1944,11 @@ AdvProcDetailsDlgProc(IN HWND hwndDlg,
                         if (nSelectedId < 0 || nSelectedItems <= 0)
                             break;
 
-                        TCHAR szItemName[MAX_PATH];
                         HGLOBAL hGlobal;
                         LPWSTR pszBuffer;
+                        SIZE_T cchSize = MAX_PATH + 1;
 
-                        ListView_GetItemText(hwndListView,
-                                             nSelectedId, 0,
-                                             szItemName,
-                                             _countof(szItemName));
-
-                        hGlobal = GlobalAlloc(GHND, MAX_PATH);
+                        hGlobal = GlobalAlloc(GHND, cchSize * sizeof(WCHAR));
                         if (!hGlobal)
                             break;
                         pszBuffer = (LPWSTR)GlobalLock(hGlobal);
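Review bot: The added `SIZE_T cchSize = MAX_PATH + 1;` is a mutable local with an unsigned pointer-sized type, but the same value is passed in the next hunk as the character count of `ListView_GetItemText`, which stores it in the `int` field `cchTextMax` of `LVITEM`. Declaring it as `const int cchSize = MAX_PATH + 1;` keeps the count in the type the control expects, and `cchSize * sizeof(WCHAR)` still yields a byte count because `sizeof` promotes the product to `size_t`. A short comment such as `/* GlobalAlloc takes bytes, not characters */` above the allocation would record the reason for the multiplication, since that confusion is the overflow this commit fixes. AdvProcDetailsDlgProc begins and ends outside this hunk, so whether `hGlobal` is released on the later failure path cannot be checked from here.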
@@ -1963,7 +1958,12 @@ AdvProcDetailsDlgProc(IN HWND hwndDlg,
                             break;
                         }
 
-                        wsprintf(pszBuffer, L"%s", szItemName);
+                        ListView_GetItemText(hwndListView,
+                                             nSelectedId, 0,
+                                             pszBuffer,
+                                             cchSize);
+                        /* Ensure NULL-termination */
+                        pszBuffer[cchSize - 1] = UNICODE_NULL;
 
                         GlobalUnlock(hGlobal);
 
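Review bot: Item text longer than `cchSize - 1` characters is silently cut off by the added `ListView_GetItemText` call, and neither the code nor the comment says that truncation is the intended behaviour. What consumes the buffer after `GlobalUnlock` is outside the hunk (presumably the clipboard), so a long property value may be handed on incomplete without any indication. Because the block was allocated with `GHND`, it is already zero-filled, and the explicit terminator only matters if the control writes into the last element. The comment could state both facts, for example `/* Text beyond MAX_PATH characters is truncated; force NUL-termination in case the control filled the buffer */`. "NULL" in the existing comment refers to the terminating character and would be clearer as "NUL".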
