From 47e49a3268238f60ca865b13a01a0d34a7095ed9 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Fri, 30 Mar 2007 00:33:19 +0000 Subject: [PATCH] pull up r19061 from trunk r19061@cathode-dark-space: jaltman | 2007-01-14 03:04:46 -0500 ticket: new subject: kfw wix installer - memory overwrite error tags: pullup component: windows The custom handler allocates a buffer that is smaller than is required to hold the input. Allocate the correct sized buffer. ticket: 5353 version_fixed: 1.6.1 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19314 dc483132-0cff-0310-8789-dd5450dbe970 --- src/windows/installer/wix/custom/custom.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/windows/installer/wix/custom/custom.cpp b/src/windows/installer/wix/custom/custom.cpp index fdf4bbbd2..d6c637845 100644 --- a/src/windows/installer/wix/custom/custom.cpp +++ b/src/windows/installer/wix/custom/custom.cpp @@ -704,10 +704,12 @@ DWORD InstNetProvider(MSIHANDLE hInstall, int bInst) { dwSize = 0; CHECK(rv = RegQueryValueEx( hkOrder, STR_VAL_ORDER, NULL, NULL, NULL, &dwSize ) ); - strOrder = new TCHAR[ (dwSize + STR_SERVICE_LEN) * sizeof(TCHAR) ]; + strOrder = new TCHAR[ (dwSize + STR_SERVICE_LEN + 4) * sizeof(TCHAR) ]; CHECK(rv = RegQueryValueEx( hkOrder, STR_VAL_ORDER, NULL, NULL, (LPBYTE) strOrder, &dwSize)); + strOrder[dwSize] = '\0'; /* reg strings are not always nul terminated */ + npi_CheckAndAddRemove( strOrder, STR_SERVICE , bInst); dwSize = (lstrlen( strOrder ) + 1) * sizeof(TCHAR); -- 2.26.2