Hello Alexandre,
2008/5/8 Alexandre Julliard <[EMAIL PROTECTED]>:
> "Maarten Lankhorst" <[EMAIL PROTECTED]> writes:
>
> > @@ -1970,7 +1970,7 @@ NTSTATUS WINAPI RtlIntegerToUnicodeString(
> > } while (value != 0L);
> >
> > str->Length = (&buffer[32] - pos) * sizeof(WCHAR);
> > - if (str->Length >= str->MaximumLength) {
> > + if (str->Length + sizeof(WCHAR) >= str->MaximumLength) {
> > return STATUS_BUFFER_OVERFLOW;
> > } else {
> > memcpy(str->Buffer, pos, str->Length + sizeof(WCHAR));
>
> There's no overflow here. The Windows implementation of
> RtlIntegerToUnicodeString seems badly confused but I don't think
> we need to replicate those bugs.
It copies str->Length + sizeof(WCHAR) to the destination buffer
according to james' testcases. So it definitely looks like a bug to me
if it would copy data beyond MaximumLength, since only up to
MaximumLength is guaranteed to be allocated. Of course you're right
that my fix is likely wrong, the >= max should probablly be changed to
> max, otherwise it would return STATUS_BUFFER_OVERFLOW wrongly.
Cheers,
Maarten.
