From 9243c96e015a51b399194f62dd73d321d22e05b0 Mon Sep 17 00:00:00 2001
From: Mike McCormack <mike@codeweavers.com>
Date: Mon, 12 Jul 2004 20:42:30 +0000
Subject: [PATCH] - CopyAcceleratorTable can cause a buffer overflow because it
 uses an   incorrect comparison between the number of accelerator entries  
 available and the number of accelerator entries in the output buffer. - My
 tests show that CopyAcceleratorTable always strips the high bit   of the
 fVirt member of the accel struct. - Calling DestroyAcceleratorTable with a
 NULL accelerator should   return FALSE.

---
 dlls/user/resource.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dlls/user/resource.c b/dlls/user/resource.c
index 61860f21d15..6a54a0c0455 100644
--- a/dlls/user/resource.c
+++ b/dlls/user/resource.c
@@ -160,7 +160,7 @@ INT WINAPI CopyAcceleratorTableW(HACCEL src, LPACCEL dst,
     return 0;
   }
   xsize = GlobalSize16(HACCEL_16(src))/sizeof(ACCEL16);
-  if (xsize>entries) entries=xsize;
+  if (xsize<entries) entries=xsize;
 
   i=0;
   while(!done) {
@@ -171,15 +171,13 @@ INT WINAPI CopyAcceleratorTableW(HACCEL src, LPACCEL dst,
     /* Copy data to the destination structure array (if dst == NULL,
        we're just supposed to count the number of entries). */
     if(dst) {
-      dst[i].fVirt = accel[i].fVirt;
+      dst[i].fVirt = accel[i].fVirt&0x7f;
       dst[i].key = accel[i].key;
       dst[i].cmd = accel[i].cmd;
 
       /* Check if we've reached the end of the application supplied
          accelerator table. */
       if(i+1 == entries) {
-	/* Turn off the high order bit, just in case. */
-	dst[i].fVirt &= 0x7f;
 	done = TRUE;
       }
     }
@@ -308,6 +306,8 @@ HACCEL WINAPI CreateAcceleratorTableW(LPACCEL lpaccel, INT cEntries)
  */
 BOOL WINAPI DestroyAcceleratorTable( HACCEL handle )
 {
+    if( !handle )
+        return FALSE;
     return !GlobalFree16(HACCEL_16(handle));
 }
 
-- 
2.11.4.GIT