Ensure reg values are null terminated

RegQueryValueExW doesn't guarantee the returned buffer for the `lpcbData`
parameter is null terminated, so ensure that it is.

For REG_SZ & REG_EXPAND_SZ extend the buffer by 1 wchar (2 bytes) so we can
write a wide null terminator that is guaranteed not to overwrite user data. If
Windows doesn't null terminate the string, then it will have the following byte
sequence (as UTF-16LE):

    \x41 \x00 \x42 \x00 \x00

If Windows does null terminate, then we will add an extra wide null terminator,
which won't hurt anything:

    \x41 \x00 \x42 \x00 \x00 \x00 \x00

The same applies to REG_MULTI_SZ, except it is supposed to have two wide null
terminators (4 bytes). One terminator is for the last string in the array, and
one terminator is for the entire array. For example, if the array contains the
strings ['A', 'B'], then in UTF-16LE it should be represented as the following:

    \x41 \x00 \x00 \x00
    \x42 \x00 \x00 \x00
    \x00 \x00

Where the overall binary string ends with 2 wide null terminators.

Author: joshcooper

lib/puppet/util/windows/registry.rb

@@ -273,12 +273,43 @@ def query_value_ex(key, name_ptr, &block)
                                     FFI::Pointer::NULL, type_ptr,
                                     FFI::Pointer::NULL, length_ptr)
 
-          FFI::MemoryPointer.new(:byte, length_ptr.read_dword) do |buffer_ptr|
+          # The call to RegQueryValueExW below is potentially unsafe:
+          # https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexw
+          #
+          #   "If the data has the REG_SZ, REG_MULTI_SZ or REG_EXPAND_SZ type,
+          #   the string may not have been stored with the proper terminating
+          #   null characters. Therefore, even if the function returns
+          #   ERROR_SUCCESS, the application should ensure that the string is
+          #   properly terminated before using it; otherwise, it may overwrite a
+          #   buffer. (Note that REG_MULTI_SZ strings should have two
+          #   terminating null characters.)"
+          #
+          # Since we don't know if the values will be properly null terminated,
+          # extend the buffer to guarantee we can append one or two wide null
+          # characters, without overwriting any data.
+          buf_bytes_len = case type_ptr.read_dword
+                          when Win32::Registry::REG_SZ, Win32::Registry::REG_EXPAND_SZ
+                            length_ptr.read_dword + WCHAR_SIZE
+                          when Win32::Registry::REG_MULTI_SZ
+                            length_ptr.read_dword + (WCHAR_SIZE * 2)
+                          else
+                            length_ptr.read_dword
+						              end
+
+          FFI::MemoryPointer.new(:byte, buf_bytes_len) do |buffer_ptr|
             result = RegQueryValueExW(key.hkey, name_ptr,
                                       FFI::Pointer::NULL, type_ptr,
                                       buffer_ptr, length_ptr)
 
-            if result != FFI::ERROR_SUCCESS
+            if result == FFI::ERROR_SUCCESS
+              case type_ptr.read_dword
+              when Win32::Registry::REG_SZ, Win32::Registry::REG_EXPAND_SZ
+                buffer_ptr.put_uint16(buf_bytes_len - WCHAR_SIZE, 0)
+              when Win32::Registry::REG_MULTI_SZ
+                buffer_ptr.put_uint16(buf_bytes_len - WCHAR_SIZE - WCHAR_SIZE, 0)
+				        buffer_ptr.put_uint16(buf_bytes_len - WCHAR_SIZE, 0)
+              end
+            else
               # buffer is raw bytes, *not* chars - less a NULL terminator
               name_length = (name_ptr.size / WCHAR_SIZE) - 1 if name_ptr.size > 0
               msg = _("Failed to read registry value %{value} at %{key}") % { value: name_ptr.read_wide_string(name_length), key: key.keyname }