From e58a67e9cd19bc1aef646e8f3fadaf0c490b38de Mon Sep 17 00:00:00 2001
From: Hans Leidekker <hans@codeweavers.com>
Date: Fri, 24 Sep 2010 17:09:04 +0200
Subject: [PATCH] msi: Avoid accessing memory before the left hand string in
 compare_substring.

---
 dlls/msi/cond.y | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/dlls/msi/cond.y b/dlls/msi/cond.y
index 9a7a16d67df..03ea4938ade 100644
--- a/dlls/msi/cond.y
+++ b/dlls/msi/cond.y
@@ -462,11 +462,21 @@ static INT compare_substring( LPCWSTR a, INT operator, LPCWSTR b )
     case COND_LHS:
     	return 0 == strncmpW( a, b, lstrlenW( b ) );
     case COND_RHS:
-    	return 0 == lstrcmpW( a + (lstrlenW( a ) - lstrlenW( b )), b );
+    {
+        int l = lstrlenW( a );
+        int r = lstrlenW( b );
+        if (r > l) return 0;
+        return 0 == lstrcmpW( a + (l - r), b );
+    }
     case COND_ILHS:
     	return 0 == strncmpiW( a, b, lstrlenW( b ) );
     case COND_IRHS:
-        return 0 == lstrcmpiW( a + (lstrlenW( a ) - lstrlenW( b )), b );
+    {
+        int l = lstrlenW( a );
+        int r = lstrlenW( b );
+        if (r > l) return 0;
+        return 0 == lstrcmpiW( a + (l - r), b );
+    }
     default:
     	ERR("invalid substring operator\n");
         return 0;
-- 
2.11.4.GIT