Bug 1000030 - Don't let Windows overwrite length 0 strings. r=dmajor, a=lsblakk
authorJames Kitchener <jkitch.bug@gmail.com>
Sat, 26 Apr 2014 04:03:00 -0400
changeset 192194 c66942faa3b2
parent 192193 4c244576343b
child 192195 4ee9435a9863
push id3519
push userryanvm@gmail.com
push date2014-05-05 16:58 +0000
Treeherderresults
reviewersdmajor, lsblakk
bugs1000030
milestone30.0
Bug 1000030 - Don't let Windows overwrite length 0 strings. r=dmajor, a=lsblakk
xpcom/ds/nsWindowsRegKey.cpp
--- a/xpcom/ds/nsWindowsRegKey.cpp
+++ b/xpcom/ds/nsWindowsRegKey.cpp
@@ -317,17 +317,17 @@ nsWindowsRegKey::ReadStringValue(const n
     // The string passed to us had a null terminator in the final position.
     result.Truncate(resultLen-1);
   }
 
   // Expand the environment variables if needed
   if (type == REG_EXPAND_SZ) {
     const nsString &flatSource = PromiseFlatString(result);
     resultLen = ExpandEnvironmentStringsW(flatSource.get(), nullptr, 0);
-    if (resultLen > 0) {
+    if (resultLen > 1) {
       nsAutoString expandedResult;
       // |resultLen| includes the terminating null character
       --resultLen;
       expandedResult.SetLength(resultLen);
       nsAString::iterator begin;
       expandedResult.BeginWriting(begin);
       if (begin.size_forward() != resultLen)
         return NS_ERROR_OUT_OF_MEMORY;
@@ -337,16 +337,19 @@ nsWindowsRegKey::ReadStringValue(const n
                                             resultLen + 1);
       if (resultLen <= 0) {
         rv = ERROR_UNKNOWN_FEATURE;
         result.Truncate();
       } else {
         rv = ERROR_SUCCESS;
         result = expandedResult;
       }
+    } else if (resultLen == 1) {
+      // It apparently expands to nothing (just a null terminator).
+      result.Truncate();
     }
   }
 
   return (rv == ERROR_SUCCESS) ? NS_OK : NS_ERROR_FAILURE;
 }
 
 NS_IMETHODIMP
 nsWindowsRegKey::ReadIntValue(const nsAString &name, uint32_t *result)
@@ -382,16 +385,21 @@ nsWindowsRegKey::ReadBinaryValue(const n
 
   DWORD size;
   LONG rv = RegQueryValueExW(mKey, PromiseFlatString(name).get(), 0,
                              nullptr, nullptr, &size);
 
   if (rv != ERROR_SUCCESS)
     return NS_ERROR_FAILURE;
 
+  if (!size) {
+    result.Truncate();
+    return NS_OK;
+  }
+
   result.SetLength(size);
   nsACString::iterator begin;
   result.BeginWriting(begin);
   if (begin.size_forward() != size)
     return NS_ERROR_OUT_OF_MEMORY;
 
   rv = RegQueryValueExW(mKey, PromiseFlatString(name).get(), 0, nullptr,
                         (LPBYTE) begin.get(), &size);