From: Paul Gofman
Subject: [PATCH] kernelbase: Fix string size variable overflow in GetModuleFileNameW().
Message-Id: <20211004092110.31052-1-pgofman@codeweavers.com>
Date: Mon, 4 Oct 2021 12:21:10 +0300
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=51833
Signed-off-by: Paul Gofman
---
 dlls/kernel32/tests/module.c | 5 +++++
 dlls/kernelbase/loader.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/dlls/kernel32/tests/module.c b/dlls/kernel32/tests/module.c
index 2487b9d65ab..60654754302 100644
--- a/dlls/kernel32/tests/module.c
+++ b/dlls/kernel32/tests/module.c
@@ -190,6 +190,11 @@ static void testGetModuleFileName(const char* name)
 ok(len1A / 2 == len2A, "Correct length in GetModuleFilenameA with buffer too small (%d/%d)\n", len1A / 2, len2A);
+
+ len1A = GetModuleFileNameA(hMod, bufA, 0x10000);
+ ok(len1A > 0, "Getting module filename for handle %p\n", hMod);
+ len1W = GetModuleFileNameW(hMod, bufW, 0x10000);
+ ok(len1W > 0, "Getting module filename for handle %p\n", hMod);
 }
 static void testGetModuleFileName_Wrong(void)
diff --git a/dlls/kernelbase/loader.c b/dlls/kernelbase/loader.c
index 145d721bc26..b2bbdc29234 100644
--- a/dlls/kernelbase/loader.c
+++ b/dlls/kernelbase/loader.c
@@ -311,7 +311,7 @@ DWORD WINAPI DECLSPEC_HOTPATCH GetModuleFileNameW( HMODULE module, LPWSTR filena
 }
 name.Buffer = filename;
- name.MaximumLength = size * sizeof(WCHAR);
+ name.MaximumLength = min( size, (USHORT)~0 / sizeof(WCHAR) ) * sizeof(WCHAR);
 status = LdrGetDllFullName( module, &name );
 if (!status || status == STATUS_BUFFER_TOO_SMALL) len = name.Length / sizeof(WCHAR);
 SetLastError( RtlNtStatusToDosError( status ));
--
2.31.1
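Review bot: The two added calls in testGetModuleFileName pass 0x10000 as the buffer size, but bufA and bufW are declared outside this hunk, so it is not visible that they actually hold that many elements. If they are smaller, the test overstates the capacity and stays in bounds only because the module path is short; either size the buffers to match or add a comment such as `/* size deliberately exceeds USHORT range; the path itself is short */`. The assertions also check only `len1A > 0` and `len1W > 0`; something like `ok(len1W == lstrlenW(bufW), ...)` would catch a truncated result, and sizes around the wrap point (0x7fff, 0x8000) would pin the clamp boundary.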
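Review bot: The clamp `min( size, (USHORT)~0 / sizeof(WCHAR) )` in GetModuleFileNameW carries no comment explaining why it is there, and the cast-and-divide expression is easy to misread. A line such as `/* UNICODE_STRING byte counts are USHORT; clamp so size * sizeof(WCHAR) cannot wrap */` above the assignment would record the reason. The old truncation could only yield a MaximumLength smaller than the real buffer (0x10000 became 0), so it presumably failed with a spurious buffer-too-small status rather than permitting an over-long write. Other code that fills a UNICODE_STRING length from a DWORD count may need the same clamp, which cannot be judged from this hunk. The function body starts and ends outside the hunk.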