summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlex Gaynor <agaynor@mozilla.com>2019-02-07 14:08:09 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-02-07 14:08:09 +0100
commit0b6d9a47051be9ef4d064c6f7c60717da91d0bc2 (patch)
treecae411f553b97800e518e6bf79b7860fdb8d3dc6
parent6567bb631a78033b6b4cc32bc93e07d837652276 (diff)
downloadUXP-0b6d9a47051be9ef4d064c6f7c60717da91d0bc2.tar
UXP-0b6d9a47051be9ef4d064c6f7c60717da91d0bc2.tar.gz
UXP-0b6d9a47051be9ef4d064c6f7c60717da91d0bc2.tar.lz
UXP-0b6d9a47051be9ef4d064c6f7c60717da91d0bc2.tar.xz
UXP-0b6d9a47051be9ef4d064c6f7c60717da91d0bc2.zip
Handle pasted data of certain types with an odd length.
-rw-r--r--widget/windows/nsClipboard.cpp11
1 files changed, 7 insertions, 4 deletions
diff --git a/widget/windows/nsClipboard.cpp b/widget/windows/nsClipboard.cpp
index 0db1dd342..432badeb5 100644
--- a/widget/windows/nsClipboard.cpp
+++ b/widget/windows/nsClipboard.cpp
@@ -283,16 +283,19 @@ nsresult nsClipboard::GetGlobalData(HGLOBAL aHGBL, void ** aData, uint32_t * aLe
{
// Allocate a new memory buffer and copy the data from global memory.
// Recall that win98 allocates to nearest DWORD boundary. As a safety
- // precaution, allocate an extra 2 bytes (but don't report them!) and
- // null them out to ensure that all of our strlen calls will succeed.
+ // precaution, allocate an extra 3 bytes (but don't report them in |aLen|!)
+ // and null them out to ensure that all of our NS_strlen calls will succeed.
+ // NS_strlen operates on char16_t, so we need 3 NUL bytes to ensure it finds
+ // a full NUL char16_t when |*aLen| is odd.
nsresult result = NS_ERROR_FAILURE;
if (aHGBL != nullptr) {
LPSTR lpStr = (LPSTR) GlobalLock(aHGBL);
DWORD allocSize = GlobalSize(aHGBL);
- char* data = static_cast<char*>(malloc(allocSize + sizeof(char16_t)));
+ char* data = static_cast<char*>(malloc(allocSize + 3));
if ( data ) {
memcpy ( data, lpStr, allocSize );
- data[allocSize] = data[allocSize + 1] = '\0'; // null terminate for safety
+ data[allocSize] = data[allocSize + 1] = data[allocSize + 2] =
+ '\0'; // null terminate for safety
GlobalUnlock(aHGBL);
*aData = data;