fixed possible buffer overflow in windows_error_str()pbr299

* also added removal of CR/LF

1 files changed, 9 insertions, 4 deletions

diff --git a/libusb/os/windows_usb.c b/libusb/os/windows_usb.c
index 9311dbf..e15d158 100644
--- a/libusb/os/windows_usb.c
+++ b/libusb/os/windows_usb.c
@@ -217,23 +217,28 @@ static char *windows_error_str(uint32_t retval)
 static char err_string[ERR_BUFFER_SIZE];
 
 	DWORD size;
+	size_t i;
 	uint32_t error_code, format_error;
 
 	error_code = retval?retval:GetLastError();
 
 	safe_sprintf(err_string, ERR_BUFFER_SIZE, "[%d] ", error_code);
 
-	size = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, error_code,
+	size = FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, error_code,
 		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &err_string[safe_strlen(err_string)],
-		ERR_BUFFER_SIZE, NULL);
-	if (size == 0)
-	{
+		ERR_BUFFER_SIZE - (DWORD)safe_strlen(err_string), NULL);
+	if (size == 0) {
 		format_error = GetLastError();
 		if (format_error)
 			safe_sprintf(err_string, ERR_BUFFER_SIZE,
 				"Windows error code %u (FormatMessage error code %u)", error_code, format_error);
 		else
 			safe_sprintf(err_string, ERR_BUFFER_SIZE, "Unknown error code %u", error_code);
+	} else {
+		// Remove CR/LF terminators
+		for (i=safe_strlen(err_string)-1; ((err_string[i]==0x0A) || (err_string[i]==0x0D)); i--) {
+			err_string[i] = 0;
+		}
 	}
 	return err_string;
 }