pull up r19061 from trunk

 r19061@cathode-dark-space:  jaltman | 2007-01-14 03:04:46 -0500
 ticket: new
 subject: kfw wix installer - memory overwrite error
 tags: pullup
 component: windows

   	The custom handler allocates a buffer that is smaller
 	than is required to hold the input.  Allocate the correct
  	sized buffer.

ticket: 5353
version_fixed: 1.6.1

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19314 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/windows/installer/wix/custom/custom.cpp b/src/windows/installer/wix/custom/custom.cpp
index fdf4bbbd2527bb307016497455901dfb108e094a..d6c637845cfdf13a272bed8518d748462ae7bf49 100644 (file)
--- a/src/windows/installer/wix/custom/custom.cpp
+++ b/src/windows/installer/wix/custom/custom.cpp
@@ -704,10 +704,12 @@ DWORD InstNetProvider(MSIHANDLE hInstall, int bInst) {
     dwSize = 0;
     CHECK(rv = RegQueryValueEx( hkOrder, STR_VAL_ORDER, NULL, NULL, NULL, &dwSize ) );
 
-    strOrder = new TCHAR[ (dwSize + STR_SERVICE_LEN) * sizeof(TCHAR) ];
+    strOrder = new TCHAR[ (dwSize + STR_SERVICE_LEN + 4) * sizeof(TCHAR) ];
 
     CHECK(rv = RegQueryValueEx( hkOrder, STR_VAL_ORDER, NULL, NULL, (LPBYTE) strOrder, &dwSize));
 
+    strOrder[dwSize] = '\0';   /* reg strings are not always nul terminated */
+
     npi_CheckAndAddRemove( strOrder, STR_SERVICE , bInst);
 
     dwSize = (lstrlen( strOrder ) + 1) * sizeof(TCHAR);