From: Michał Janiszewski janisozaur@gmail.com
Signed-off-by: Michał Janiszewski janisozaur@gmail.com --- dlls/ntdll/rtlbitmap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/dlls/ntdll/rtlbitmap.c b/dlls/ntdll/rtlbitmap.c
index 318f6fcbd4..c3e9385ec0 100644
--- a/dlls/ntdll/rtlbitmap.c
+++ b/dlls/ntdll/rtlbitmap.c
@@ -157,7 +157,8 @@ VOID WINAPI RtlSetBits(PRTL_BITMAP lpBits, ULONG ulStart, ULONG ulCount)
 USHORT initialWord = NTDLL_maskBits[ulCount] << (ulStart & 7);
 *lpOut++ |= (initialWord & 0xff);
- *lpOut |= (initialWord >> 8);
+ if (lpOut < ((BYTE *)lpBits->Buffer) + (lpBits->SizeOfBitMap / 8))
+ *lpOut |= (initialWord >> 8);
 return;
 }
 }
@@ -218,7 +219,8 @@ VOID WINAPI RtlClearBits(PRTL_BITMAP lpBits, ULONG ulStart, ULONG ulCount)
 USHORT initialWord = ~(NTDLL_maskBits[ulCount] << (ulStart & 7));
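Review bot: The new bound `lpBits->SizeOfBitMap / 8` rounds down, so for a bitmap whose size is not a multiple of 8 the added guard drops the carry into the last, partially used byte: with SizeOfBitMap = 12, ulStart = 6, ulCount = 4 the call is in range (6 + 4 <= 12), `initialWord` is 0x3C0, and the `initialWord >> 8` write that sets bits 8 and 9 is now skipped, so RtlSetBits silently leaves those bits clear. The byte count should round up, `if (lpOut < ((BYTE *)lpBits->Buffer) + ((lpBits->SizeOfBitMap + 7) / 8))`. The RtlClearBits hunk at @@ -218 uses the same bound and needs the same change. Both functions begin outside the hunks, so the range check on ulStart/ulCount that this guard relies on is not visible here; presumably it still rejects ranges past SizeOfBitMap, otherwise the guard alone does not make the write safe.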
 *lpOut++ &= (initialWord & 0xff);
- *lpOut &= (initialWord >> 8);
+ if (lpOut < ((BYTE *)lpBits->Buffer) + (lpBits->SizeOfBitMap / 8))
+ *lpOut &= (initialWord >> 8);
 return;
 }
 }
From: Michał Janiszewski janisozaur@gmail.com
Signed-off-by: Michał Janiszewski janisozaur@gmail.com --- dlls/msvcrt/scanf.h | 1 + 1 file changed, 1 insertion(+)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index cbbcae42a1..734fe8bb98 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -667,6 +667,7 @@ _FUNCTION_ {
 else {
 _UNLOCK_FILE_(file);
 *str = 0;
+ HeapFree(GetProcessHeap(), 0, Mask);
 return rd;
 }
 }
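Review bot: Releasing `Mask` on this one early return fixes a leak on this path only; whether the function's other `return rd` exits taken after `Mask` has been allocated (presumably by the scan-set parser, which is outside the hunk) free it as well cannot be seen here and is worth checking. A single cleanup label that frees `Mask` before every exit would make the ownership explicit and harder to miss the next time an early return is added. A short comment on the added line, `/* Mask is heap-allocated; it must be released on every exit from this case */`, would document that contract. The enclosing _FUNCTION_ body starts and ends outside the hunk.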
Signed-off-by: Piotr Caban piotr@codeweavers.com
From: Michał Janiszewski janisozaur@gmail.com
Limit damage done by a case
char buffer[1]; sscanf_s("xx", "%2c", buffer, 1);
where it would try writing 'x' to buffer[1].
It is still not entirely correct: according to https://en.cppreference.com/w/c/io/fwscanf, "The size of the destination array must be at least one greater than the specified field width", but the final byte is reserved for the NUL terminator.
Signed-off-by: Michał Janiszewski janisozaur@gmail.com --- dlls/msvcrt/scanf.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 734fe8bb98..5393e36f23 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -549,7 +549,7 @@ _FUNCTION_ {
 {
 if (!suppress) {
 *str++ = _CHAR2SUPPORTED_(nch);
- if(size) size--;
+ if(size > 1) size--;
 else {
 _UNLOCK_FILE_(file);
 *pstr = 0;
@@ -575,7 +575,7 @@ _FUNCTION_ {
 {
 if (!suppress) {
 *str++ = _WIDE2SUPPORTED_(nch);
- if(size) size--;
+ if(size > 1) size--;
 else {
 _UNLOCK_FILE_(file);
 *pstr = 0;
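Review bot: `if(size > 1)` rejects a destination that is exactly `width` bytes, which is valid for `%c` since that conversion stores no terminator: the documented secure-CRT usage `sscanf_s(in, "%c", &c, 1)` now stores the character, falls into the error branch on the very first iteration, performs `*pstr = 0` and returns, where the old code succeeded. The real off-by-one is that the store on the line above happens before `size` is examined; checking first keeps both the one-byte case and the overflow case correct: `if (!size) { _UNLOCK_FILE_(file); *pstr = 0; return rd; }` followed by `*str++ = _CHAR2SUPPORTED_(nch); size--;`. The wide-character hunk at @@ -575 has the same structure and needs the same change with `_WIDE2SUPPORTED_`. Both hunks lie inside _FUNCTION_, whose start and end are outside them, so the width loop around these lines is not visible here.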