W32: pass argc returned by CommandLineToArgvW() to to protect_wargv()

It turns out that CommandLineToArgvW() (at least on XP) doesn't end the argv pointer array with a NULL, but goes straight into argv[0] string data, as per MSDN. So gspawn-win32-helper.c:protect_wargv() counts argc too high and overflows. https://bugzilla.gnome.org/show_bug.cgi?id=772054
2025-02-26 20:22:11 +01:00 · 2016-09-27 15:28:09 +00:00 · 2016-09-27 15:28:09 +00:00 · 7485abe481
commit 7485abe481
parent 34751ad17a
1 changed files with 3 additions and 5 deletions
--- a/glib/gspawn-win32-helper.c
+++ b/glib/gspawn-win32-helper.c
@ -70,14 +70,12 @@ write_err_and_exit (gint    fd,
 /* Copy of protect_argv that handles wchar_t strings */

 static gint
-protect_wargv (wchar_t  **wargv,
+protect_wargv (gint       argc,
+	       wchar_t  **wargv,
 	       wchar_t ***new_wargv)
 {
  gint i;
-  gint argc = 0;
  
-  while (wargv[argc])
-    ++argc;
  *new_wargv = g_new (wchar_t *, argc+1);

  /* Quote each argv element if necessary, so that it will get
@ -350,7 +348,7 @@ main (int ignored_argc, char **ignored_argv)
  /* For the program name passed to spawnv(), don't use the quoted
   * version.
   */
-  protect_wargv (wargv + argv_zero_offset, &new_wargv);
+  protect_wargv (argc, wargv + argv_zero_offset, &new_wargv);

  if (argv[ARG_USE_PATH][0] == 'y')
    handle = _wspawnvp (mode, wargv[ARG_PROGRAM], (const wchar_t **) new_wargv);