#733 Buffer overflow in win32print.DeviceCapabilities PyWin32 build 219

v1.0 (example)
open
nobody
None
5
2016-12-22
2016-12-22
No

Build 219.

I've had the following strings returned from calls to win32print.DeviceCapabilities fetching DC_BINNAMES.

"Tray 1\u0000 2\u0000\u0018\u0000\u0000\u0000\ufffe\uffff\uffff\uffff\u0000\u0000\u0000\u0000\ua2f0Џ"
"MPF\u0000MPF\u0000 2\u0000\u0018\u0000\u0000\u0000\ufffe\uffff\uffff\uffff\u0000\u0000\u0000\u0000\ua2f0"

This combination of bytes is not valid UTF-8, and I'm near certain I'm looking at a buffer overflow.

From https://msdn.microsoft.com/en-us/library/windows/desktop/dd183552(v=vs.85).aspx

"Each string buffer is 24 characters long and contains the name of a paper bin.... The name strings are null-terminated unless the name is 24 characters long."

I'm not a C/C++ programmer, but looking at the source code I don't think this is implemented correctly. See https://github.com/arizvisa/pywin32/blob/windows-219/win32/src/win32print/win32print.cpp, lines 2121 to 2132.

There seems to be a check which looks at the last byte, which I'm not sure is needed, and an assumption that the string would not contain a zero byte if 24 chars are returned.
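As an added illustration (this is not code from pywin32 or from the reporter), the following C program applies the DC_BINNAMES rule quoted from MSDN above: each entry occupies exactly 24 WCHARs, and a name is NUL-terminated only when it is shorter than 24. The correct read of a slot is therefore a bounded scan that stops at the first NUL or at the 24-unit boundary, whichever comes first, so that stale material after the terminator (the sort of thing visible after the first \u0000 in the strings above) is never copied out. The `wchar16` stand-in for WCHAR, the `fill_slot` helper, the junk filler values and the three sample names are all constructed for this example; no Windows API is called.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Windows WCHAR so the example builds anywhere (assumed UTF-16 code units). */
typedef uint16_t wchar16;

/* DC_BINNAMES: every entry is a fixed slot of 24 WCHARs, NUL-terminated only if shorter. */
#define BIN_NAME_LEN 24

/* Bounded length of one slot: stop at the first NUL or at the slot boundary,
 * never beyond it. This is the wcsnlen(slot, 24) a caller should apply. */
static size_t bin_name_len(const wchar16 *slot)
{
    size_t n = 0;
    while (n < BIN_NAME_LEN && slot[n] != 0)
        n++;
    return n;
}

/* Copy entry `index` from a DC_BINNAMES buffer holding `count` entries into
 * `out` (24 code units plus terminator). Returns the name length, 0 if out of range. */
size_t extract_bin_name(const wchar16 *buf, size_t count, size_t index,
                        wchar16 out[BIN_NAME_LEN + 1])
{
    if (index >= count) {
        out[0] = 0;
        return 0;
    }
    const wchar16 *slot = buf + index * BIN_NAME_LEN;
    size_t n = bin_name_len(slot);
    memcpy(out, slot, n * sizeof(wchar16));
    out[n] = 0;
    return n;
}

/* Compare a wchar16 string with an ASCII string (helper for checks). */
int ascii_equal(const wchar16 *w, const char *s)
{
    size_t i = 0;
    for (; s[i] != '\0'; i++)
        if (w[i] != (wchar16)(unsigned char)s[i])
            return 0;
    return w[i] == 0;
}

/* Build one slot from ASCII. Hypothetical driver behaviour, constructed for the
 * example: the slot is NUL-terminated when the name is shorter than 24 and the
 * remaining code units are left as stale `junk`, like the bytes in the report. */
static void fill_slot(wchar16 *slot, const char *name, wchar16 junk)
{
    size_t n = strlen(name);
    if (n > BIN_NAME_LEN)
        n = BIN_NAME_LEN;
    for (size_t i = 0; i < BIN_NAME_LEN; i++) {
        if (i < n)
            slot[i] = (wchar16)(unsigned char)name[i];
        else if (i == n)
            slot[i] = 0;          /* terminator only when the name is short */
        else
            slot[i] = junk;       /* stale units a naive 24-unit copy would leak */
    }
}

#define SAMPLE_COUNT 3

/* Constructed sample buffer standing in for what DeviceCapabilities(DC_BINNAMES)
 * would fill: a short name, an exactly-24-character name, and another short one. */
size_t build_sample_buffer(wchar16 buf[SAMPLE_COUNT * BIN_NAME_LEN])
{
    fill_slot(buf + 0 * BIN_NAME_LEN, "Tray 1", 0xFFFE);
    fill_slot(buf + 1 * BIN_NAME_LEN, "ABCDEFGHIJKLMNOPQRSTUVWX", 0xFFFE); /* 24 chars, no NUL */
    fill_slot(buf + 2 * BIN_NAME_LEN, "MPF", 0x0018);
    return SAMPLE_COUNT;
}

int main(void)
{
    wchar16 buf[SAMPLE_COUNT * BIN_NAME_LEN];
    wchar16 out[BIN_NAME_LEN + 1];
    size_t count = build_sample_buffer(buf);

    for (size_t i = 0; i < count; i++) {
        size_t n = extract_bin_name(buf, count, i, out);
        printf("bin %zu (%zu chars): ", i, n);
        for (size_t k = 0; k < n; k++)
            putchar(out[k] < 0x80 ? (int)out[k] : '?');
        putchar('\n');
    }
    return 0;
}
```

The point of the bounded scan is that a slot with no terminator is legal (the 24-character case), so the parser must cap at 24 rather than search for a NUL, while a shorter name must stop at its NUL rather than take the whole slot.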

Discussion