msi: Make sure we don't access pcchValueBuf when szBuffer is NULL, as…

msi: Make sure we don't access pcchValueBuf when szBuffer is NULL, as pcchValueBuf is not required to be initialized in this case.

msi: Make sure we don't access pcchValueBuf when szBuffer is NULL, as…
f4829063 · James Hawkins · Alexandre Julliard · f823f218 · f4829063 · f4829063
Commit f4829063 authored Dec 13, 2009 by James Hawkins Committed by Alexandre Julliard Dec 14, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 15 deletions

msi.c dlls/msi/msi.c +17 -13

msi.c dlls/msi/tests/msi.c +2 -2

No files found.
--- a/dlls/msi/msi.c
+++ b/dlls/msi/msi.c
@@ -901,7 +901,7 @@ static UINT MSI_GetProductInfo(LPCWSTR szProduct, LPCWSTR szAttribute,
    WCHAR packagecode[GUID_SIZE];
    BOOL badconfig = FALSE;
    LONG res;
-    DWORD save, type = REG_NONE;
+    DWORD type = REG_NONE;

    static WCHAR empty[] = {0};
    static const WCHAR sourcelist[] = {
@@ -1036,22 +1036,26 @@ static UINT MSI_GetProductInfo(LPCWSTR szProduct, LPCWSTR szAttribute,

    if (pcchValueBuf)
    {
-        save = *pcchValueBuf;
-
-        if (strlenW(val) < *pcchValueBuf)
-            r = msi_strcpy_to_awstring(val, szValue, pcchValueBuf);
-        else if (szValue->str.a || szValue->str.w)
-            r = ERROR_MORE_DATA;
+        /* If szBuffer (szValue->str) is NULL, there's no need to copy the value
+         * out.  Also, *pcchValueBuf may be uninitialized in this case, so we
+         * can't rely on its value.
+         */
+        if (szValue->str.a || szValue->str.w)
+        {
+            DWORD size = *pcchValueBuf;
+            if (strlenW(val) < size)
+                r = msi_strcpy_to_awstring(val, szValue, &size);
+            else
+            {
+                r = ERROR_MORE_DATA;
+            }
+        }

        if (!badconfig)
            *pcchValueBuf = lstrlenW(val);
-        else if (r == ERROR_SUCCESS)
-        {
-            *pcchValueBuf = save;
-            r = ERROR_BAD_CONFIGURATION;
-        }
    }
-    else if (badconfig)
+
+    if (badconfig)
        r = ERROR_BAD_CONFIGURATION;

    if (val != empty)

--- a/dlls/msi/tests/msi.c
+++ b/dlls/msi/tests/msi.c
@@ -2779,7 +2779,7 @@ static void test_MsiGetProductInfo(void)
    ok(r == ERROR_SUCCESS, "Expected ERROR_SUCCESS, got %d\n", r);
    ok(sz == 4, "Expected 4, got %d\n", sz);

-    /* lpValueBuf is NULL, pcchValueBuf is too small */
+    /* lpValueBuf is non-NULL, pcchValueBuf is too small */
    sz = 2;
    lstrcpyA(buf, "apple");
    r = MsiGetProductInfoA(prodcode, INSTALLPROPERTY_HELPLINK, buf, &sz);
@@ -2787,7 +2787,7 @@ static void test_MsiGetProductInfo(void)
    ok(r == ERROR_MORE_DATA, "Expected ERROR_MORE_DATA, got %d\n", r);
    ok(sz == 4, "Expected 4, got %d\n", sz);

-    /* lpValueBuf is NULL, pcchValueBuf is exactly 4 */
+    /* lpValueBuf is non-NULL, pcchValueBuf is exactly 4 */
    sz = 4;
    lstrcpyA(buf, "apple");
    r = MsiGetProductInfoA(prodcode, INSTALLPROPERTY_HELPLINK, buf, &sz);