ole32: Fix buffer overrun in CLIPFORMAT_UserMarshal.

The string in format is nul-terminated so use memcpy to copy it into the buffer and don't try to nul-terminate it manually which causes a write outside of the allocated buffer length. Fix a similar off-by-one error in CLIPFORMAT_UserUnmarshal too. This time it is only reading from beyond the buffer.
2025-04-01 07:31:34 +00:00 · 2009-11-20 14:37:13 +00:00 · 2009-11-20 14:37:13 +00:00 · d1db29e801
commit d1db29e801
parent bacbfb481a
1 changed files with 4 additions and 6 deletions
--- a/dlls/ole32/usrmarshal.c
+++ b/dlls/ole32/usrmarshal.c
@ -170,11 +170,9 @@ unsigned char * __RPC_USER CLIPFORMAT_UserMarshal(ULONG *pFlags, unsigned char *
        pBuffer += sizeof(UINT);
        *(UINT *)pBuffer = len;
        pBuffer += sizeof(UINT);
-        TRACE("marshaling format name %s\n", debugstr_wn(format, len-1));
-        lstrcpynW((LPWSTR)pBuffer, format, len);
+        TRACE("marshaling format name %s\n", debugstr_w(format));
+        memcpy(pBuffer, format, len * sizeof(WCHAR));
        pBuffer += len * sizeof(WCHAR);
-        *(WCHAR *)pBuffer = '\0';
-        pBuffer += sizeof(WCHAR);
    }
    else
    {
@ -238,11 +236,11 @@ unsigned char * __RPC_USER CLIPFORMAT_UserUnmarshal(ULONG *pFlags, unsigned char
        if (*(UINT *)pBuffer != len)
            RaiseException(RPC_S_INVALID_BOUND, 0, 0, NULL);
        pBuffer += sizeof(UINT);
-        if (((WCHAR *)pBuffer)[len] != '\0')
+        if (((WCHAR *)pBuffer)[len - 1] != '\0')
            RaiseException(RPC_S_INVALID_BOUND, 0, 0, NULL);
        TRACE("unmarshaling clip format %s\n", debugstr_w((LPCWSTR)pBuffer));
        cf = RegisterClipboardFormatW((LPCWSTR)pBuffer);
-        pBuffer += (len + 1) * sizeof(WCHAR);
+        pBuffer += len * sizeof(WCHAR);
        if (!cf)
            RaiseException(DV_E_CLIPFORMAT, 0, 0, NULL);
        *pCF = cf;