Bug 1000030 - Don't let Windows overwrite length 0 strings. r=dmajor, a=lsblakk
authorJames Kitchener <jkitch.bug@gmail.com>
Sat, 26 Apr 2014 04:03:00 -0400
changeset 193219 c66942faa3b2ea2f6d7f9276a8427499ae273932
parent 193218 4c244576343bfda90471272c0f42200559fc9380
child 193220 4ee9435a98636727fb21db4e1f1b9efc725d70a4
push id474
push userasasaki@mozilla.com
push dateMon, 02 Jun 2014 21:01:02 +0000
treeherdermozilla-release@967f4cf1b31c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdmajor, lsblakk
bugs1000030
milestone30.0
Bug 1000030 - Don't let Windows overwrite length 0 strings. r=dmajor, a=lsblakk
xpcom/ds/nsWindowsRegKey.cpp
--- a/xpcom/ds/nsWindowsRegKey.cpp
+++ b/xpcom/ds/nsWindowsRegKey.cpp
@@ -317,17 +317,17 @@ nsWindowsRegKey::ReadStringValue(const n
     // The string passed to us had a null terminator in the final position.
     result.Truncate(resultLen-1);
   }
 
   // Expand the environment variables if needed
   if (type == REG_EXPAND_SZ) {
     const nsString &flatSource = PromiseFlatString(result);
     resultLen = ExpandEnvironmentStringsW(flatSource.get(), nullptr, 0);
-    if (resultLen > 0) {
+    if (resultLen > 1) {
       nsAutoString expandedResult;
       // |resultLen| includes the terminating null character
       --resultLen;
       expandedResult.SetLength(resultLen);
       nsAString::iterator begin;
       expandedResult.BeginWriting(begin);
       if (begin.size_forward() != resultLen)
         return NS_ERROR_OUT_OF_MEMORY;
@@ -337,16 +337,19 @@ nsWindowsRegKey::ReadStringValue(const n
                                             resultLen + 1);
       if (resultLen <= 0) {
         rv = ERROR_UNKNOWN_FEATURE;
         result.Truncate();
       } else {
         rv = ERROR_SUCCESS;
         result = expandedResult;
       }
+    } else if (resultLen == 1) {
+      // It apparently expands to nothing (just a null terminator).
+      result.Truncate();
     }
   }
 
   return (rv == ERROR_SUCCESS) ? NS_OK : NS_ERROR_FAILURE;
 }
 
 NS_IMETHODIMP
 nsWindowsRegKey::ReadIntValue(const nsAString &name, uint32_t *result)
@@ -382,16 +385,21 @@ nsWindowsRegKey::ReadBinaryValue(const n
 
   DWORD size;
   LONG rv = RegQueryValueExW(mKey, PromiseFlatString(name).get(), 0,
                              nullptr, nullptr, &size);
 
   if (rv != ERROR_SUCCESS)
     return NS_ERROR_FAILURE;
 
+  if (!size) {
+    result.Truncate();
+    return NS_OK;
+  }
+
   result.SetLength(size);
   nsACString::iterator begin;
   result.BeginWriting(begin);
   if (begin.size_forward() != size)
     return NS_ERROR_OUT_OF_MEMORY;
 
   rv = RegQueryValueExW(mKey, PromiseFlatString(name).get(), 0, nullptr,
                         (LPBYTE) begin.get(), &size);