From 60785064c51f9b9963a19fbaa3d09b1508441aae Mon Sep 17 00:00:00 2001 From: Alexandre Julliard Date: Mon, 30 Apr 2012 14:19:57 +0200 Subject: [PATCH] kernel32: Fix buffer overflows in K32GetModuleFileNameExA/W. (cherry picked from commit d08f34cd8ecd883a0f0c6bd9b150d92407f0f7c9) --- dlls/kernel32/module.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/dlls/kernel32/module.c b/dlls/kernel32/module.c index 7d4d93b5e1b..c65df186431 100644 --- a/dlls/kernel32/module.c +++ b/dlls/kernel32/module.c @@ -1239,17 +1239,26 @@ DWORD WINAPI K32GetModuleFileNameExW(HANDLE process, HMODULE module, LPWSTR file_name, DWORD size) { LDR_MODULE ldr_module; + DWORD len; + + if (!size) return 0; if(!get_ldr_module(process, module, &ldr_module)) return 0; - size = min(ldr_module.FullDllName.Length / sizeof(WCHAR), size); + len = ldr_module.FullDllName.Length / sizeof(WCHAR); + if (size <= len) + { + len = size; + size--; + } + if (!ReadProcessMemory(process, ldr_module.FullDllName.Buffer, file_name, size * sizeof(WCHAR), NULL)) return 0; file_name[size] = 0; - return size; + return len; } /*********************************************************************** 
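Review bot: When `size` is greater than `len`, nothing in K32GetModuleFileNameExW adjusts `size`, so the unchanged `ReadProcessMemory` call still copies `size` WCHARs rather than `len`. The unchanged `file_name[size] = 0` then stores the terminator one element past a `size`-element buffer. Only the `size <= len` branch is bounded as the hunk reads; adding `else size = len;` after that block would limit both the read and the terminator to the module name. K32GetModuleFileNameExA in the next hunk passes a heap block of exactly `size` WCHARs, so the same store would land past that allocation. Unlike the A variant, this function also does not check `file_name` for NULL before writing through it.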
@@ -1259,32 +1268,42 @@ DWORD WINAPI K32GetModuleFileNameExA(HANDLE process, HMODULE module, LPSTR file_name, DWORD size) { WCHAR *ptr; + DWORD len; TRACE("(hProcess=%p, hModule=%p, %p, %d)\n", process, module, file_name, size); - if (!file_name || !size) return 0; + if (!file_name || !size) + { + SetLastError( ERROR_INVALID_PARAMETER ); + return 0; + } if ( process == GetCurrentProcess() ) { - DWORD len = GetModuleFileNameA( module, file_name, size ); + len = GetModuleFileNameA( module, file_name, size ); if (size) file_name[size - 1] = '\0'; return len; } if (!(ptr = HeapAlloc(GetProcessHeap(), 0, size * sizeof(WCHAR)))) return 0; - if (!K32GetModuleFileNameExW(process, module, ptr, size)) + len = K32GetModuleFileNameExW(process, module, ptr, size); + if (!len) { file_name[0] = '\0'; } else { if (!WideCharToMultiByte( CP_ACP, 0, ptr, -1, file_name, size, NULL, NULL )) + { file_name[size - 1] = 0; + len = size; + } + else if (len < size) len = strlen( file_name ); } HeapFree(GetProcessHeap(), 0, ptr); - return strlen(file_name); + return len; } /*********************************************************************** -- 2.11.4.GIT
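Review bot: The unchanged allocation `HeapAlloc(GetProcessHeap(), 0, size * sizeof(WCHAR))` multiplies a caller-supplied DWORD with no range check. On a 32-bit build the product can wrap, giving a block smaller than the `size` WCHARs that K32GetModuleFileNameExW is then told it may fill. The new parameter check is the natural place to reject such values, for example `if (!file_name || !size || size > MAXDWORD / sizeof(WCHAR))`. Separately, the allocation-failure `return 0` leaves `file_name` unterminated and, unless HeapAlloc sets it, leaves the last error unset, while the other failure paths now do one or the other.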