msi: Prevent array underflow in MsiFormat when measuring with zero-length buffer.

dlls/msi/format.c

@@ -639,10 +639,15 @@ UINT MSI_FormatRecordA( MSIPACKAGE* package, MSIRECORD* record, LPSTR buffer,
 
     len = deformat_string_internal(package,rec,&deformated,strlenW(rec),
                                    record, NULL);
+    /* If len is zero then WideCharToMultiByte will return 0 indicating 
+     * failure, but that will do just as well since we are ignoring
+     * possible errors.
+     */
     lenA = WideCharToMultiByte(CP_ACP,0,deformated,len,NULL,0,NULL,NULL);
 
     if (buffer)
     {
+        /* Ditto above */
         WideCharToMultiByte(CP_ACP,0,deformated,len,buffer,*size,NULL, NULL);
         if (*size>lenA)
         {
@@ -652,7 +657,8 @@ UINT MSI_FormatRecordA( MSIPACKAGE* package, MSIRECORD* record, LPSTR buffer,
         else
         {
             rc = ERROR_MORE_DATA;
-            buffer[(*size)-1] = 0;    
+            if (*size)
+                buffer[(*size)-1] = 0;
         }
     }
     else

dlls/msi/tests/format.c

@@ -109,7 +109,7 @@ static void test_formatrecord(void)
     char buffer[100];
     MSIHANDLE hrec;
     UINT r;
-    DWORD sz=100;
+    DWORD sz;
 
     r = MsiFormatRecord(0, 0, NULL, NULL );
     ok( r == ERROR_INVALID_HANDLE, "wrong error\n");
@@ -122,6 +122,11 @@ static void test_formatrecord(void)
     ok( r == ERROR_SUCCESS, "format failed\n");
     buffer[0] = 'x';
     buffer[1] = 0;
+    sz=0;
+    r = MsiFormatRecord(0, hrec, buffer+1, &sz);
+    ok( r == ERROR_MORE_DATA && buffer[0] == 'x', "format failed measuring with buffer\n");
+    ok( sz == 16, "size wrong\n");
+    sz=100;
     r = MsiFormatRecord(0, hrec, buffer, &sz);
     ok( r == ERROR_SUCCESS, "format failed with empty buffer\n");
     ok( sz == 16, "size wrong\n");