Commit 94d6e616 authored by Alex Henrie's avatar Alex Henrie Committed by Alexandre Julliard

server: Fix buffer overrun in map_view handler.

Because of padding at the end of the struct, sizeof(*view) is greater than offsetof(struct memory_view, name[0]). Change the allocation to overallocate slightly instead of underallocating slightly.
parent 4aac4e7c
......@@ -1212,7 +1212,7 @@ DECL_HANDLER(map_view)
if (!req->mapping) /* image mapping for a .so dll */
{
if (get_req_data_size() > sizeof(view->image)) namelen = get_req_data_size() - sizeof(view->image);
if (!(view = mem_alloc( offsetof( struct memory_view, name[namelen] )))) return;
if (!(view = mem_alloc( sizeof(struct memory_view) + namelen * sizeof(WCHAR) ))) return;
memset( view, 0, sizeof(*view) );
view->base = req->base;
view->size = req->size;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment