From 3e872953661d962504dcec7b1c2b3eca3e5634cb Mon Sep 17 00:00:00 2001
From: Eric Kohl
Date: Wed, 7 Jun 2017 15:55:16 +0000
Subject: [PATCH] [INTL] - Fix a potential overflow and uninitialized variable in InitNegNumFmtCB(). - Get rid of the now useless string buffer szNewSample. Based on a patch by Victor Martinez Calvo. CORE-13384 svn path=/trunk/; revision=74942
---
 reactos/dll/cpl/intl/numbers.c | 39 +++++++++++++++++----------------
 1 file changed, 19 insertions(+), 20 deletions(-)
diff --git a/reactos/dll/cpl/intl/numbers.c b/reactos/dll/cpl/intl/numbers.c
index dfc5c14483d..58b4562b539 100644
--- a/reactos/dll/cpl/intl/numbers.c
+++ b/reactos/dll/cpl/intl/numbers.c
@@ -267,8 +267,7 @@ InitNegSignCB(HWND hwndDlg, PGLOBALDATA pGlobalData)
 static VOID
 InitNegNumFmtCB(HWND hwndDlg, PGLOBALDATA pGlobalData)
 {
- WCHAR szNewSample[MAX_SAMPLES_STR_SIZE];
- PWSTR pszResultStr;
+ PWSTR pszString1, pszString2;
 INT nCBIndex;
 /* Clear all box content */
@@ -281,26 +280,26 @@ InitNegNumFmtCB(HWND hwndDlg, PGLOBALDATA pGlobalData)
 for (nCBIndex = 0; nCBIndex < MAX_NEG_NUMBERS_SAMPLES; nCBIndex++)
 {
 /* Replace standard separator to setted */
- pszResultStr = ReplaceSubStr(lpNegNumFmtSamples[nCBIndex],
- pGlobalData->szNumDecimalSep,
- L",");
- if (pszResultStr != NULL)
+ pszString1 = ReplaceSubStr(lpNegNumFmtSamples[nCBIndex],
+ pGlobalData->szNumDecimalSep,
+ L",");
+ if (pszString1 != NULL)
 {
- wcscpy(szNewSample, pszResultStr);
- HeapFree(GetProcessHeap(), 0, pszResultStr);
- }
+ /* Replace standard negative sign to setted */
+ pszString2 = ReplaceSubStr(pszString1,
+ pGlobalData->szNumNegativeSign,
+ L"-");
+ if (pszString2 != NULL)
+ {
+ SendDlgItemMessageW(hwndDlg, IDC_NUMBERSNNUMFORMAT,
+ CB_ADDSTRING,
+ 0,
+ (LPARAM)pszString2);
- /* Replace standard negative sign to setted */
- pszResultStr = ReplaceSubStr(szNewSample,
- pGlobalData->szNumNegativeSign,
- L"-");
- if (pszResultStr != NULL)
- {
- SendDlgItemMessageW(hwndDlg, IDC_NUMBERSNNUMFORMAT,
- CB_ADDSTRING,
- 0,
- (LPARAM)pszResultStr);
- HeapFree(GetProcessHeap(), 0, pszResultStr);
+ HeapFree(GetProcessHeap(), 0, pszString2);
+ }
+
+ HeapFree(GetProcessHeap(), 0, pszString1);
 }
 }
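Review bot: Neither `if (pszString1 != NULL)` nor `if (pszString2 != NULL)` has an else branch, so when ReplaceSubStr() returns NULL the sample is dropped silently and every later entry moves up one position in IDC_NUMBERSNNUMFORMAT. If the code after the loop selects or stores the negative-number format by combo box index (that code is outside this hunk, so this is an assumption), one failed call would map the user's choice to the wrong format. A fallback such as `else SendDlgItemMessageW(hwndDlg, IDC_NUMBERSNNUMFORMAT, CB_ADDSTRING, 0, (LPARAM)lpNegNumFmtSamples[nCBIndex]);` on each failure path keeps the item index equal to nCBIndex. With the fixed szNewSample buffer gone, the length bound now rests entirely on ReplaceSubStr() sizing its heap block from the actual lengths of szNumDecimalSep and szNumNegativeSign, which is worth confirming because that helper is not part of this patch. InitNegNumFmtCB starts before this hunk and continues after it.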