From 408fa486e3c6c9d7fb0456ad68f60682b772b2ce Mon Sep 17 00:00:00 2001
From: Thomas Bluemel <thomas@reactsoft.com>
Date: Sun, 11 Dec 2005 22:13:46 +0000
Subject: [PATCH] fixed uninitialized variable warnings and possible buffer
 overflows when reading strings from the registry that aren't NULL-terminated

svn path=/trunk/; revision=20088
---
 reactos/lib/setupapi/devinst.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/reactos/lib/setupapi/devinst.c b/reactos/lib/setupapi/devinst.c
index 2faf7ae5261..6bbfabacb9c 100644
--- a/reactos/lib/setupapi/devinst.c
+++ b/reactos/lib/setupapi/devinst.c
@@ -1872,13 +1872,14 @@ static BOOL GetIconIndex(
         SetLastError(ERROR_NOT_ENOUGH_MEMORY);
         goto cleanup;
     }
-    Buffer[dwLength / sizeof(WCHAR)] = 0;
     rc = RegQueryValueExW(hClassKey, L"Icon", NULL, NULL, (LPBYTE)Buffer, &dwLength);
     if (rc != ERROR_SUCCESS)
     {
         SetLastError(rc);
         goto cleanup;
     }
+    /* make sure the returned buffer is NULL-terminated */
+    Buffer[dwLength / sizeof(WCHAR)] = 0;
 
     /* Transform "Icon" value to a INT */
     *ImageIndex = atoiW(Buffer);
@@ -2065,7 +2066,7 @@ BOOL WINAPI SetupDiLoadClassIcon(
             rc = RegQueryValueExW(hKey, L"Installer32", NULL, &dwRegType, NULL, &dwLength);
             if (rc == ERROR_SUCCESS && dwRegType == REG_SZ)
             {
-                Buffer = MyMalloc(dwLength);
+                Buffer = MyMalloc(dwLength + sizeof(WCHAR));
                 if (Buffer == NULL)
                 {
                     SetLastError(ERROR_NOT_ENOUGH_MEMORY);
@@ -2077,12 +2078,14 @@ BOOL WINAPI SetupDiLoadClassIcon(
                     SetLastError(rc);
                     goto cleanup;
                 }
+                /* make sure the returned buffer is NULL-terminated */
+                Buffer[dwLength / sizeof(WCHAR)] = 0;
             }
             else if
                 (ERROR_SUCCESS == (rc = RegQueryValueExW(hKey, L"EnumPropPages32", NULL, &dwRegType, NULL, &dwLength))
                 && dwRegType == REG_SZ)
             {
-                Buffer = MyMalloc(dwLength);
+                Buffer = MyMalloc(dwLength + sizeof(WCHAR));
                 if (Buffer == NULL)
                 {
                     SetLastError(ERROR_NOT_ENOUGH_MEMORY);
@@ -2094,6 +2097,8 @@ BOOL WINAPI SetupDiLoadClassIcon(
                     SetLastError(rc);
                     goto cleanup;
                 }
+                /* make sure the returned buffer is NULL-terminated */
+                Buffer[dwLength / sizeof(WCHAR)] = 0;
             }
             else
             {
@@ -2108,6 +2113,7 @@ BOOL WINAPI SetupDiLoadClassIcon(
                 goto cleanup;
             }
             *Comma = '\0';
+            DllName = Buffer;
         }
         else
         {
-- 
2.17.1