commit b367e902c9cafb1dfa5f35e52bf89377dd608ac6
author Jeff Latimer <lats@yless4u.com.au> Tue Apr 27 22:43:34 2010 +1000
committer Alexandre Julliard <julliard@winehq.org> Tue Apr 27 14:38:03 2010 -0500
tree 38f5ef504a3e82863da16caff9873e3b49372409
parent 6c0e61cd65c5a9bacb46608c116d99e81bd12131

usp10: Check that there are sufficient script_items before setting the last pointer.

dlls/usp10/usp10.c

diff --git a/dlls/usp10/usp10.c b/dlls/usp10/usp10.c
index 201a74a..eebc8ab 100644
--- a/dlls/usp10/usp10.c
+++ b/dlls/usp10/usp10.c
@@ -669,16 +669,17 @@
     /* While not strictly necessary according to the spec, make sure the n+1
      * item is set up to prevent random behaviour if the caller erroneously
      * checks the n+1 structure                                              */
-    memset(&pItems[index+1].a, 0, sizeof(SCRIPT_ANALYSIS));
+    index++;
+    memset(&pItems[index].a, 0, sizeof(SCRIPT_ANALYSIS));
 
-    TRACE("index=%d cnt=%d iCharPos=%d\n", index+1, cnt, pItems[index+1].iCharPos);
+    TRACE("index=%d cnt=%d iCharPos=%d\n", index, cnt, pItems[index].iCharPos);
 
     /*  Set one SCRIPT_STATE item being returned  */
-    if (pcItems) *pcItems = index + 1;
+    if  (index + 1 > cMaxItems) return E_OUTOFMEMORY;
+    if (pcItems) *pcItems = index;
 
     /*  Set SCRIPT_ITEM                                     */
-    pItems[index+1].iCharPos = cnt;       /* the last + 1 item
-                                             contains the ptr to the lastchar */
+    pItems[index].iCharPos = cnt;         /* the last item contains the ptr to the lastchar */
     heap_free(levels);
     return S_OK;
 }