Calling SLPBufferAlloc with 0xFFFFFFFF as the size on x86 returns a valid(-ish) SLPBuffer pointer with SLPBuffer.allocated = 0xFFFFFFFF.
The "sizeof(struct _SLPBuffer) + size + 1" math wraps around in 32-bit unsigned arithmetic, so xmalloc is asked for a far smaller size than the caller requested and "succeeds", leaving a buffer whose recorded capacity exceeds the memory actually backing it.
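As an added example (my own model, not OpenSLP's code), the C below reproduces the size computation the report describes with uint32_t standing in for 32-bit size_t, so the wrap is visible on any host, and places the overflow check that rejects such a request next to it; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed stand-in for the buffer header; not OpenSLP's struct _SLPBuffer.
 * uint32_t models x86 size_t so the arithmetic wraps at 2^32 on any host. */
typedef struct {
    uint32_t allocated;   /* capacity the caller asked for */
} model_hdr;

/* Unchecked math as described in the report: header + size + 1, reduced
 * modulo 2^32. For size == 0xFFFFFFFF this yields just sizeof(model_hdr). */
uint32_t unchecked_alloc_size(uint32_t size) {
    return (uint32_t)(sizeof(model_hdr) + size + 1);
}

/* Hardened form: refuse any size for which header + size + 1 cannot be
 * represented in 32 bits. Returns 0 and sets *out on success, -1 on overflow. */
int checked_alloc_size(uint32_t size, uint32_t *out) {
    const uint32_t hdr = (uint32_t)sizeof(model_hdr);
    if (size > UINT32_MAX - hdr - 1)
        return -1;                  /* would wrap; do not allocate */
    *out = hdr + size + 1;
    return 0;
}

/* Allocator that only proceeds when the request size survives the check,
 * so 'allocated' can never exceed the memory actually obtained. */
model_hdr *model_alloc_checked(uint32_t size) {
    uint32_t total;
    if (checked_alloc_size(size, &total) != 0)
        return NULL;
    model_hdr *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    buf->allocated = size;
    return buf;
}
```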