Skip to content

W
wine-cw
Commit 1714963a authored by Daniel Lehman's avatar Daniel Lehman Committed by Alexandre Julliard
Browse files
Options

kernelbase: Pass va_list copy to internal RtlFormatMessage.

va_list passed to RtlFormatMessage is modified even on error in this case, if the buffer is not large enough, STATUS_BUFFER_OVERFLOW is returned and FormatMessage tries again, but the va_list pointer is now moved to a later argument, so the next call reads off the end, crashing. Signed-off-by: 's avatarDaniel Lehman <dlehman25@gmail.com> Signed-off-by: 's avatarAlexandre Julliard <julliard@winehq.org>
parent 8986f6fa
Hide whitespace changes
Inline Side-by-side
Showing with 12 additions and 3 deletions
dlls/kernelbase/locale.c
View file @ 1714963a
......@@ -5457,6 +5457,7 @@ DWORD WINAPI DECLSPEC_HOTPATCH FormatMessageW( DWORD flags, const void *source,
if (flags & FORMAT_MESSAGE_ALLOCATE_BUFFER)
{
WCHAR *result;
va_list args_copy;
ULONG alloc = max( size * sizeof(WCHAR), 65536 );
for (;;)
......@@ -5466,9 +5467,17 @@ DWORD WINAPI DECLSPEC_HOTPATCH FormatMessageW( DWORD flags, const void *source,
status = STATUS_NO_MEMORY;
break;
}
status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS),
FALSE, !!(flags & FORMAT_MESSAGE_ARGUMENT_ARRAY), args,
result, alloc, &retsize );
if (args && !(flags & FORMAT_MESSAGE_ARGUMENT_ARRAY))
{
va_copy( args_copy, *args );
status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS),
FALSE, FALSE, &args_copy, result, alloc, &retsize );
va_end( args_copy );
}
else
status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS),
FALSE, TRUE, args, result, alloc, &retsize );
if (!status)
{
if (retsize <= sizeof(WCHAR)) HeapFree( GetProcessHeap(), 0, result );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment