compstui: Fix a possible out-of-bounds write (Coverity).

When len is 256, (ARRAY_SIZE(title) - len) is 0. When LoadStringW() is called with the last parameter being zero, a WCHAR string pointer is stored at 'title + 256', writing title out of bounds.

compstui: Fix a possible out-of-bounds write (Coverity).
6164432a · Zhiyi Zhang · Alexandre Julliard · 2b323dba · 6164432a
Commit 6164432a authored Dec 30, 2023 by Zhiyi Zhang Committed by Alexandre Julliard Jan 18, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

compstui_main.c dlls/compstui/compstui_main.c +8 -4

No files found.
--- a/dlls/compstui/compstui_main.c
+++ b/dlls/compstui/compstui_main.c
@@ -478,18 +478,22 @@ static LONG create_property_sheetW(struct propsheet *ps, PROPSHEETUI_INFO_HEADER
            (!header->titleW || !(header->flags & PSUIHDRF_EXACT_PTITLE)))
    {
        len = wcslen(title);
-        if (len < ARRAY_SIZE(title))
+        if (len < ARRAY_SIZE(title) - 1)
+        {
            title[len++] = ' ';
-        LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len);
+            LoadStringW(compstui_hmod, IDS_CPSUI_DEFAULT, title + len, ARRAY_SIZE(title) - len);
+        }
    }

    if ((header->flags & PSUIHDRF_PROPTITLE) &&
            (!header->titleW || !(header->flags & PSUIHDRF_EXACT_PTITLE)))
    {
        len = wcslen(title);
-        if (len < ARRAY_SIZE(title))
+        if (len < ARRAY_SIZE(title) - 1)
+        {
            title[len++] = ' ';
-        LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len);
+            LoadStringW(compstui_hmod, IDS_CPSUI_PROPERTIES, title + len, ARRAY_SIZE(title) - len);
+        }
    }

    psh.nPages = ps->pages_cnt;