From 430eab49b773887a45c3a231472ee203abd8602b Mon Sep 17 00:00:00 2001
From: Albrecht Schlosser <albrechts.fltk@online.de>
Date: Fri, 22 Jan 2010 16:56:34 +0000
Subject: Fixed a buffer overflow in fl_utf8from_mb() (STR #2279).

Todo: fix _WIN32 vs. WIN32 compiler macro issues.


git-svn-id: file:///fltk/svn/fltk/branches/branch-1.3@7021 ea41ed52-d2ee-0310-a9c1-e6b18d33e121
---
 CHANGES      | 5 +++--
 src/fl_utf.c | 8 ++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9b7b16fad..5ebbfceae 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,10 @@
 CHANGES IN FLTK 1.3.0
 
+	- Fixed a buffer overflow in fl_utf8from_mb() (STR #2279)
 	- Fixed a Windows GDI leak when testing alpha blending capabilities
-	- Fixed a name conflict with new (VC 2008 Express) winsock2.h
+	- Fixed a name conflict with new (VS 2008 Express) winsock2.h
 	  versions and another conflict that produced compile errors
-	  with VC 2008 (STR #2301).
+	  with VS 2008 Express (STR #2301)
 	- Widgets now remove stale entries from the default callback
 	  queue when they are deleted (STR #2302)
 	- Moved OS X code base to the more moder Cocoa toolkit thanks
diff --git a/src/fl_utf.c b/src/fl_utf.c
index 5e1537894..eb130b4bf 100644
--- a/src/fl_utf.c
+++ b/src/fl_utf.c
@@ -776,13 +776,13 @@ unsigned fl_utf8from_mb(char* dst, unsigned dstlen,
 {
   if (!fl_utf8locale()) {
 #ifdef _WIN32
+#warning _WIN32 alarm
     wchar_t lbuf[1024];
     wchar_t* buf = lbuf;
     unsigned length;
     unsigned ret;
-    length =
-      MultiByteToWideChar(GetACP(), 0, src, srclen, buf, 1024);
-    if (length >= 1024) {
+    length = MultiByteToWideChar(GetACP(), 0, src, srclen, buf, 1024);
+    if ((length == 0)&&(GetLastError()==ERROR_INSUFFICIENT_BUFFER)) {
       length = MultiByteToWideChar(GetACP(), 0, src, srclen, 0, 0);
       buf = (wchar_t*)(malloc(length*sizeof(wchar_t)));
       MultiByteToWideChar(GetACP(), 0, src, srclen, buf, length);
@@ -798,7 +798,7 @@ unsigned fl_utf8from_mb(char* dst, unsigned dstlen,
     length = mbstowcs(buf, src, 1024);
     if (length >= 1024) {
       length = mbstowcs(0, src, 0)+1;
-      buf = (wchar_t*)(malloc(length*sizeof(unsigned short)));
+      buf = (wchar_t*)(malloc(length*sizeof(wchar_t)));
       mbstowcs(buf, src, length);
     }
     if (length >= 0) {
-- 
cgit v1.2.3