From 33e35025ec2d53ac24a5d3df4af883493c8aa68b Mon Sep 17 00:00:00 2001
From: Piotr Caban
Date: Wed, 23 Jul 2008 16:39:51 +0200
Subject: [PATCH] msxml3: Fix for accessing uninitialized memory.
---
 dlls/msxml3/saxreader.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/dlls/msxml3/saxreader.c b/dlls/msxml3/saxreader.c
index ef3c7e8f49c..3b67d019f86 100644
--- a/dlls/msxml3/saxreader.c
+++ b/dlls/msxml3/saxreader.c
@@ -1130,12 +1130,26 @@ static HRESULT WINAPI isaxxmlreader_parse(
 data = xmlChar_from_wchar(V_BSTR(&varInput));
 xmlSetupParserForBuffer(locator->pParserCtxt, data, NULL);
 break;
- case VT_ARRAY|VT_UI1:
- hr = SafeArrayAccessData(V_ARRAY(&varInput), (void**)&data);
+ case VT_ARRAY|VT_UI1: {
+ void *pSAData;
+ LONG lBound, uBound;
+ ULONG dataRead;
+
+ hr = SafeArrayGetLBound(V_ARRAY(&varInput), 1, &lBound);
+ if(hr != S_OK) break;
+ hr = SafeArrayGetUBound(V_ARRAY(&varInput), 1, &uBound);
 if(hr != S_OK) break;
+ dataRead = (uBound-lBound)*SafeArrayGetElemsize(V_ARRAY(&varInput));
+ data = HeapAlloc(GetProcessHeap(), 0, dataRead+1);
+ if(!data) break;
+ hr = SafeArrayAccessData(V_ARRAY(&varInput), (void**)&pSAData);
+ if(hr != S_OK) break;
+ memcpy(data, pSAData, dataRead);
+ data[dataRead] = '\0';
 xmlSetupParserForBuffer(locator->pParserCtxt, data, NULL);
 SafeArrayUnaccessData(V_ARRAY(&varInput));
 break;
+ }
 case VT_UNKNOWN:
 case VT_DISPATCH: {
 IPersistStream *persistStream;
--
2.11.4.GIT
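Review bot: The length computed in the new `VT_ARRAY|VT_UI1` case is one element short: a one-dimensional SAFEARRAY holds `uBound-lBound+1` elements, so `(uBound-lBound)*SafeArrayGetElemsize(...)` drops the last byte of the input. For an empty array, where the upper bound is below the lower bound, the difference is negative and wraps when stored in the `ULONG`, so `dataRead+1` becomes a tiny allocation ahead of a very large `memcpy`. I would compute `dataRead = (uBound-lBound+1)*SafeArrayGetElemsize(V_ARRAY(&varInput));` and reject a wrapped or implausibly large result before calling `HeapAlloc`. Two error paths also look incomplete: `if(!data) break;` leaves `hr` at `S_OK` (set `hr = E_OUTOFMEMORY;` first), and a failing `SafeArrayAccessData` leaves the freshly allocated `data` to whatever cleanup follows the switch. isaxxmlreader_parse starts and ends outside this hunk, so that cleanup is not visible here.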