From f997c770e30546d2ee8510e3b8857d0fa190ed7f Mon Sep 17 00:00:00 2001
From: Hartmut Birr
Date: Sun, 4 Dec 2005 15:18:11 +0000
Subject: [PATCH] Fixed a buffer overflow in RefreshListView.

svn path=/trunk/; revision=19872
---
 reactos/subsys/system/regedit/listview.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/reactos/subsys/system/regedit/listview.c b/reactos/subsys/system/regedit/listview.c
index 1b1482dc916..12c9ced830d 100644
--- a/reactos/subsys/system/regedit/listview.c
+++ b/reactos/subsys/system/regedit/listview.c
@@ -552,12 +552,10 @@ BOOL RefreshListView(HWND hwndLV, HKEY hKey, LPCTSTR keyPath)
 errCode = RegQueryInfoKey(hNewKey, NULL, NULL, NULL, NULL, &max_sub_key_len, NULL, &val_count, &max_val_name_len, &max_val_size, NULL, NULL);
- #define BUF_HEAD_SPACE 2 /* FIXME: check why this is required with ROS ??? */
-
 if (errCode == ERROR_SUCCESS) {
- TCHAR* ValName = HeapAlloc(GetProcessHeap(), 0, ++max_val_name_len * sizeof(TCHAR) + BUF_HEAD_SPACE);
+ TCHAR* ValName = HeapAlloc(GetProcessHeap(), 0, ++max_val_name_len * sizeof(TCHAR));
 DWORD dwValNameLen = max_val_name_len;
- BYTE* ValBuf = HeapAlloc(GetProcessHeap(), 0, ++max_val_size/* + BUF_HEAD_SPACE*/);
+ BYTE* ValBuf = HeapAlloc(GetProcessHeap(), 0, max_val_size + sizeof(TCHAR));
 DWORD dwValSize = max_val_size;
 DWORD dwIndex = 0L;
 DWORD dwValType;
@@ -566,7 +564,8 @@ BOOL RefreshListView(HWND hwndLV, HKEY hKey, LPCTSTR keyPath)
 /* } */
 /* dwValSize = max_val_size; */
 while (RegEnumValue(hNewKey, dwIndex, ValName, &dwValNameLen, NULL, &dwValType, ValBuf, &dwValSize) == ERROR_SUCCESS) {
- ValBuf[dwValSize] = 0;
+ /* Add a terminating 0 character. Usually this is only necessary for strings. */
+ ((TCHAR*)ValBuf)[dwValSize/sizeof(TCHAR)] = 0;
 AddEntryToList(hwndLV, ValName, dwValType, ValBuf, dwValSize, -1, TRUE);
 dwValNameLen = max_val_name_len;
 dwValSize = max_val_size;
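Review bot: Neither `HeapAlloc` result in the first hunk is checked before use, and the terminator store in the second hunk writes through `ValBuf` unconditionally. If the `ValBuf` allocation fails, that store would land at an offset from NULL instead of the function returning an error. A guard right after the two allocations, `if (ValName == NULL || ValBuf == NULL)`, leading into the function's existing failure path would close this. The lines between the two hunks and the cleanup code are outside the diff, so a check may already exist there; if not, this is the place to add it.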
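Review bot: The new terminator store in the second hunk rounds its index down, so when `dwValSize` is not a multiple of `sizeof(TCHAR)` it zeroes the last data byte before `AddEntryToList` receives the buffer. An odd-length REG_BINARY value in a UNICODE build is one such case. The write stays inside the `max_val_size + sizeof(TCHAR)` allocation, so this is silent data modification, not another overflow. Since the added comment already says the terminator only matters for strings, putting `if (dwValType == REG_SZ || dwValType == REG_EXPAND_SZ || dwValType == REG_MULTI_SZ)` in front of the store would leave binary values untouched. How `AddEntryToList` consumes the buffer is not visible here, and the loop body continues past the end of the hunk.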