Improve handling of nulls in MultiSzInsertString and MultiSzLen

Resolves 7311
author: Rob Mensching <rob@firegiant.com> 2026-01-21 00:16:24 -0800
committer: Rob Mensching <rob@firegiant.com> 2026-01-21 12:34:07 -0800
commit: 50de1c4ee7a56e47a06c44769cea5aa2457a829b (patch)
tree: 26657b5655b97add06c7980e4ae1ce30d6e8a401 /src/libs/dutil/WixToolset.DUtil/strutil.cpp
parent: 49fbdf6f34b69a0157addcda2e28a96227a72630 (diff)
download: wix-50de1c4ee7a56e47a06c44769cea5aa2457a829b.tar.gz
wix-50de1c4ee7a56e47a06c44769cea5aa2457a829b.tar.bz2
wix-50de1c4ee7a56e47a06c44769cea5aa2457a829b.zip
1 files changed, 23 insertions, 8 deletions
diff --git a/src/libs/dutil/WixToolset.DUtil/strutil.cpp b/src/libs/dutil/WixToolset.DUtil/strutil.cpp
index 0a00c690..013c1b12 100644
--- a/src/libs/dutil/WixToolset.DUtil/strutil.cpp
+++ b/src/libs/dutil/WixToolset.DUtil/strutil.cpp
@@ -1872,9 +1872,14 @@ NOTE: returns 0 if the multisz in not properly terminated with two nulls
 extern "C" HRESULT DAPI MultiSzLen(
    __in_ecount(*pcch) __nullnullterminated LPCWSTR pwzMultiSz,
    __out SIZE_T* pcch
-)
+    )
 {
    Assert(pcch);
+    if (!pwzMultiSz)
+    {
+        *pcch = 0;
+        return S_OK;
+    }
    HRESULT hr = S_OK;
    LPCWSTR wz = pwzMultiSz;
@@ -1941,10 +1946,10 @@ extern "C" HRESULT DAPI MultiSzPrepend(
    hr = ::StringCchLengthW(pwzInsert, STRSAFE_MAX_CCH, reinterpret_cast<size_t*>(&cchInsert));
    StrExitOnRootFailure(hr, "failed to get length of insert string");
-    cchResult = cchInsert + cchMultiSz + 1;
+    cchResult = cchInsert + (cchMultiSz ? cchMultiSz : 1) + 1;
    // Allocate the result buffer
-    hr = StrAlloc(&pwzResult, cchResult + 1);
+    hr = StrAlloc(&pwzResult, cchResult);
    StrExitOnFailure(hr, "failed to allocate result string");
    // Prepend
@@ -1954,8 +1959,7 @@ extern "C" HRESULT DAPI MultiSzPrepend(
    // If there was no MULTISZ, double null terminate our result, otherwise, copy the MULTISZ in
    if (0 == cchMultiSz)
    {
-        pwzResult[cchResult] = L'\0';
+        pwzResult[cchResult - 2] = L'\0';
-        ++cchResult;
    }
    else
    {
@@ -1967,6 +1971,7 @@ extern "C" HRESULT DAPI MultiSzPrepend(
    }
    // Set the result
+    pwzResult[cchResult - 1] = L'\0';
    *ppwzMultiSz = pwzResult;
    if (pcchMultiSz)
@@ -2257,19 +2262,29 @@ extern "C" HRESULT DAPI MultiSzInsertString(
    //
    // Insert the string
    //
-    cchResult = cchMultiSz + cchString + 1;
+    cchResult = (cchMultiSz ? cchMultiSz : 1) + cchString + 1;
    hr = StrAlloc(&pwzResult, cchResult);
    StrExitOnFailure(hr, "failed to allocate result string for MULTISZ insert");
    // Copy the part before the insert
-    ::CopyMemory(pwzResult, *ppwzMultiSz, cchProgress * sizeof(WCHAR));
+    if (cchProgress)
+    {
+        ::CopyMemory(pwzResult, *ppwzMultiSz, cchProgress * sizeof(WCHAR));
+    }
    // Copy the insert part
    ::CopyMemory(pwzResult + cchProgress, pwzInsert, (cchString + 1) * sizeof(WCHAR));
    // Copy the part after the insert
-    ::CopyMemory(pwzResult + cchProgress + cchString + 1, wz, (cchMultiSz - cchProgress) * sizeof(WCHAR));
+    if (cchMultiSz > cchProgress)
+    {
+        ::CopyMemory(pwzResult + cchProgress + cchString + 1, wz, (cchMultiSz - cchProgress) * sizeof(WCHAR));
+    }
+    // Ensure double-null termination
+    pwzResult[cchResult - 1] = L'\0';
+    pwzResult[cchResult - 2] = L'\0';
    // Free the old buffer
    ReleaseNullStr(*ppwzMultiSz);
author	Rob Mensching <rob@firegiant.com>	2026-01-21 00:16:24 -0800
committer	Rob Mensching <rob@firegiant.com>	2026-01-21 12:34:07 -0800
commit	50de1c4ee7a56e47a06c44769cea5aa2457a829b (patch)
tree	26657b5655b97add06c7980e4ae1ce30d6e8a401 /src/libs/dutil/WixToolset.DUtil/strutil.cpp
parent	49fbdf6f34b69a0157addcda2e28a96227a72630 (diff)
download	wix-50de1c4ee7a56e47a06c44769cea5aa2457a829b.tar.gz wix-50de1c4ee7a56e47a06c44769cea5aa2457a829b.tar.bz2 wix-50de1c4ee7a56e47a06c44769cea5aa2457a829b.zip