
#271 WinWStrDupFromChar writes beyond allocated memory of destination string

Unstable
closed-accepted
nobody
None
5
2016-08-22
2016-08-18
f0rt
No

In the function WinWStrDupFromChar, memory is allocated for converting a character (byte) string into a wide character string. However, the allocated memory to hold the wide character string does not take the size of a wide character into account. As a result, the allocated memory is too little and the function MultiByteToWideChar writes beyond the allocated memory.

I propose the following fix.

Index: Source/winchar.cpp
===================================================================
--- Source/winchar.cpp  (revision 6780)
+++ Source/winchar.cpp  (working copy)
@@ -46,7 +46,7 @@
 WINWCHAR* WinWStrDupFromChar(const char *s, unsigned int cp)
 {
   int cch = MultiByteToWideChar(cp, 0, s, -1, 0, 0);
-  wchar_t *p = (wchar_t*) malloc(cch);
+  wchar_t *p = (wchar_t*) malloc(cch * sizeof(wchar_t));
   if (p)
   {
     MultiByteToWideChar(cp, 0, s, -1, p, cch);
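
Review bot: cch goes into the malloc on the changed line without a check that the length query succeeded. MultiByteToWideChar returns 0 on failure, so a bad code page or invalid input gives a zero-size allocation, and if malloc returns non-NULL for it the `if (p)` branch runs a conversion that cannot fill or terminate the buffer. Suggest returning NULL early when `cch <= 0`, before the allocation. A second point on the same line: the function is declared to return WINWCHAR* while the buffer is cast and sized as wchar_t; if those two types can differ in width on any target, the size expression and cast should use the element type the callers actually index, so the allocation and the return type stay in agreement.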

Discussion

  • Anders

    Anders - 2016-08-20

    Good catch, although I don't think the function is actually used anywhere? I'll try to fix this ASAP.

     

    Last edit: Anders 2016-08-20
  • Anders

    Anders - 2016-08-21
    • status: open --> closed-accepted
     
  • f0rt

    f0rt - 2016-08-22

    The WinWStrDupFromChar function is used on POSIX systems.
    Thanks for committing the patch.

     
