Bug in conversion of UTF8 to wchar
Reported by: andyr
Owned by:
See patch... the present code fails to decrement srcLen in the inner loop, which results in psz being incremented past the end of the input buffer, garbage characters being added to the output, and the returned size being too large. Of course this only happens when there are multi-byte utf8 chars present.
The reason no-one's noticed is that:
- although the returned string is too long, it does contain a null byte in the right place, so the extra garbage chars may not be noticed.
- psz reads beyond the end of the input but this is only noticed if it causes an illegal address crash, which it frequently doesn't.
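To make the failure mode concrete, here is an added illustration that is not the project's code and not the attached patch (which is not reproduced on this page). It is a hypothetical, minimal UTF-8 to wchar_t decoder shaped the way the report describes: an outer loop that counts srcLen down, an inner loop that walks the continuation bytes through psz. With fixed == 0 the inner loop advances psz without decrementing srcLen, which reproduces the three symptoms named above (read past the input, garbage appended after the NUL, oversized return value); with fixed == 1 the inner loop also consumes srcLen and rejects a truncated sequence. The names utf8_to_wchar, run_demo, run_truncated and demo_buf are assumptions for this example only; the decoder handles 1- to 3-byte sequences so the result fits a 16-bit wchar_t as well as a 32-bit one.

```c
/* Added example, not the project's code: a hypothetical UTF-8 -> wchar_t
 * decoder reproducing the "srcLen not decremented in the inner loop" bug. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Decode srcLen bytes of UTF-8 (BMP only) into dst. Returns the number of
 * wchar_t produced (even if dst was too small to hold them all), or
 * (size_t)-1 on malformed input. fixed selects the corrected inner loop. */
static size_t utf8_to_wchar(const char *src, size_t srcLen,
                            wchar_t *dst, size_t dstLen, int fixed)
{
    const unsigned char *psz = (const unsigned char *)src;
    size_t written = 0;

    while (srcLen > 0) {
        unsigned char c = *psz++;
        unsigned long cp;
        int extra;                       /* continuation bytes that follow */
        srcLen--;

        if (c < 0x80)                { cp = c;        extra = 0; }
        else if ((c & 0xE0) == 0xC0) { cp = c & 0x1F; extra = 1; }
        else if ((c & 0xF0) == 0xE0) { cp = c & 0x0F; extra = 2; }
        else return (size_t)-1;          /* stray continuation or > 3 bytes */

        for (int i = 0; i < extra; i++) {
            if (fixed) {
                /* The missing step: a byte consumed here must come off
                 * srcLen too, and a sequence cut off by the end of the
                 * input must be rejected rather than read past the end. */
                if (srcLen == 0)
                    return (size_t)-1;
                srcLen--;
            }
            /* Buggy path (fixed == 0): psz advances but srcLen does not, so
             * the outer loop later treats bytes beyond the input as data. */
            if ((*psz & 0xC0) != 0x80)
                return (size_t)-1;
            cp = (cp << 6) | (*psz++ & 0x3F);
        }

        if (written < dstLen)
            dst[written] = (wchar_t)cp;
        written++;
    }
    return written;
}

/* Constructed input: "caf" + U+00E9 (2 bytes) + terminating NUL = 6 bytes,
 * followed by filler so the buggy over-read lands on known memory here
 * instead of on whatever follows a real buffer. */
static const unsigned char demo_buf[] = {
    'c', 'a', 'f', 0xC3, 0xA9, 0x00, 'Z', 'Z', 'Z', 'Z'
};
#define DEMO_SRC_LEN 6

static wchar_t demo_out[16];

/* Decode the full 6-byte input; returns the length the decoder reports. */
size_t run_demo(int fixed)
{
    for (size_t i = 0; i < 16; i++)
        demo_out[i] = L'?';              /* sentinel to spot overrun */
    return utf8_to_wchar((const char *)demo_buf, DEMO_SRC_LEN,
                         demo_out, 16, fixed);
}

/* Decode only 4 bytes, cutting the 2-byte sequence in half. */
size_t run_truncated(int fixed)
{
    return utf8_to_wchar((const char *)demo_buf, 4, demo_out, 16, fixed);
}

int main(void)
{
    size_t n = run_demo(0);
    printf("buggy: returned %zu, out[4]=%#x out[5]=%#x (garbage after NUL)\n",
           n, (unsigned)demo_out[4], (unsigned)demo_out[5]);
    n = run_demo(1);
    printf("fixed: returned %zu, out[3]=U+%04X out[4]=%#x\n",
           n, (unsigned)demo_out[3], (unsigned)demo_out[4]);
    printf("truncated: buggy=%zu fixed=%zd\n",
           run_truncated(0), (ptrdiff_t)run_truncated(1));
    return 0;
}
```

On the 6-byte input the buggy path returns 6 instead of 5: the NUL is copied to its correct position (index 4), which is why callers that stop at the terminator see nothing wrong, but the 'Z' after it is also copied and counted. On the 4-byte truncated input the buggy path silently reads the fifth byte and returns 4, while the fixed path reports an error.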