From 245f552d39e69e560d1c286ce2f54b970b51e5db Mon Sep 17 00:00:00 2001
From: "Brian R. Bondy" <netzen@gmail.com>
Date: Thu, 29 Sep 2011 09:06:27 -0400
Subject: [PATCH] Bug 688882 - Investigate stack buffer overflow in
 nsLocalFile::EnsureShortPath. r=bsmedberg

---
 xpcom/io/nsLocalFileWin.cpp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/xpcom/io/nsLocalFileWin.cpp b/xpcom/io/nsLocalFileWin.cpp
index 1a1765acedab..403562e0b6dc 100644
--- a/xpcom/io/nsLocalFileWin.cpp
+++ b/xpcom/io/nsLocalFileWin.cpp
@@ -3105,12 +3105,14 @@ nsLocalFile::EnsureShortPath()
     if (!mShortWorkingPath.IsEmpty())
         return;
 
-    WCHAR thisshort[MAX_PATH];
-    DWORD thisr = ::GetShortPathNameW(mWorkingPath.get(), thisshort,
-                                      sizeof(thisshort));
-    // If an error occurred (thisr == 0) thisshort is uninitialized memory!
-    if (thisr != 0 && thisr < sizeof(thisshort))
-        mShortWorkingPath.Assign(thisshort);
+    WCHAR shortPath[MAX_PATH + 1];
+    DWORD lengthNeeded = ::GetShortPathNameW(mWorkingPath.get(), shortPath,
+                                             NS_ARRAY_LENGTH(shortPath));
+    // If an error occurred then lengthNeeded is set to 0 or the length of the
+    // needed buffer including NULL termination.  If it succeeds the number of
+    // wide characters not including NULL termination is returned.
+    if (lengthNeeded != 0 && lengthNeeded < NS_ARRAY_LENGTH(shortPath))
+        mShortWorkingPath.Assign(shortPath);
     else
         mShortWorkingPath.Assign(mWorkingPath);
 }