crypt32: Don't copy past end of buffer when removing the last string in a multistring.

diff --git a/dlls/crypt32/oid.c b/dlls/crypt32/oid.c
index dfa1a678ee30a1594efc994411e6bff5b33b7b5e..e107bbdea68b3429c6ca5c95c2552a4247ea8235 100644 (file)
--- a/dlls/crypt32/oid.c
+++ b/dlls/crypt32/oid.c
@@ -956,9 +956,18 @@ static BOOL CRYPT_RemoveStringFromMultiString(LPWSTR multi, LPCWSTR toRemove)
     {
         DWORD len = CRYPT_GetMultiStringCharacterLen(multi);
 
-        /* Copy remainder of string "left" */
-        memmove(spotToRemove, spotToRemove + lstrlenW(toRemove) + 1,
-         (len - (spotToRemove - multi)) * sizeof(WCHAR));
+        if (spotToRemove + lstrlenW(toRemove) + 2 >= multi + len)
+        {
+            /* Removing last string in list, terminate multi string directly */
+            *spotToRemove = 0;
+            *(spotToRemove + 1) = 0;
+        }
+        else
+        {
+            /* Copy remainder of string "left" */
+            memmove(spotToRemove, spotToRemove + lstrlenW(toRemove) + 1,
+             (len - (spotToRemove - multi)) * sizeof(WCHAR));
+        }
         ret = TRUE;
     }
     else