Commit 1714963a authored by Daniel Lehman's avatar Daniel Lehman Committed by Alexandre Julliard

kernelbase: Pass va_list copy to internal RtlFormatMessage.

va_list passed to RtlFormatMessage is modified even on error in this case, if the buffer is not large enough, STATUS_BUFFER_OVERFLOW is returned and FormatMessage tries again, but the va_list pointer is now moved to a later argument, so the next call reads off the end, crashing. Signed-off-by: 's avatarDaniel Lehman <dlehman25@gmail.com> Signed-off-by: 's avatarAlexandre Julliard <julliard@winehq.org>
parent 8986f6fa
...@@ -5457,6 +5457,7 @@ DWORD WINAPI DECLSPEC_HOTPATCH FormatMessageW( DWORD flags, const void *source, ...@@ -5457,6 +5457,7 @@ DWORD WINAPI DECLSPEC_HOTPATCH FormatMessageW( DWORD flags, const void *source,
if (flags & FORMAT_MESSAGE_ALLOCATE_BUFFER) if (flags & FORMAT_MESSAGE_ALLOCATE_BUFFER)
{ {
WCHAR *result; WCHAR *result;
va_list args_copy;
ULONG alloc = max( size * sizeof(WCHAR), 65536 ); ULONG alloc = max( size * sizeof(WCHAR), 65536 );
for (;;) for (;;)
...@@ -5466,9 +5467,17 @@ DWORD WINAPI DECLSPEC_HOTPATCH FormatMessageW( DWORD flags, const void *source, ...@@ -5466,9 +5467,17 @@ DWORD WINAPI DECLSPEC_HOTPATCH FormatMessageW( DWORD flags, const void *source,
status = STATUS_NO_MEMORY; status = STATUS_NO_MEMORY;
break; break;
} }
if (args && !(flags & FORMAT_MESSAGE_ARGUMENT_ARRAY))
{
va_copy( args_copy, *args );
status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS), status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS),
FALSE, !!(flags & FORMAT_MESSAGE_ARGUMENT_ARRAY), args, FALSE, FALSE, &args_copy, result, alloc, &retsize );
result, alloc, &retsize ); va_end( args_copy );
}
else
status = RtlFormatMessage( src, width, !!(flags & FORMAT_MESSAGE_IGNORE_INSERTS),
FALSE, TRUE, args, result, alloc, &retsize );
if (!status) if (!status)
{ {
if (retsize <= sizeof(WCHAR)) HeapFree( GetProcessHeap(), 0, result ); if (retsize <= sizeof(WCHAR)) HeapFree( GetProcessHeap(), 0, result );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment