reactos/wine
1
0
Fork 0
mirror of https://github.com/reactos/wine.git synced 2025-02-19 20:31:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

wininet: Fix potential buffer overrun in HttpQueryInfoA.

Browse Source 
If HTTP_QUERY_CUSTOM is specified then the buffer contains a
null-terminated string on input and data of length len on output. The
code wasn't taking into account that the input len could be less than
the length of the string and thus could result in the allocated buffer
being overrun with the call to WideCharToMultiByte.
This commit is contained in:
Rob Shearman 2008-02-18 19:37:35 +00:00 committed by Alexandre Julliard
parent 39dce04658
commit 719cd82f35
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
dlls/wininet/http.c
View File

@ -1982,11 +1982,20 @@ BOOL WINAPI HttpQueryInfoA(HINTERNET hHttpRequest, DWORD dwInfoLevel,
if (lpBuffer)
{
DWORD alloclen;
len = (*lpdwBufferLength)*sizeof(WCHAR);
bufferW = HeapAlloc( GetProcessHeap(), 0, len );
if ((dwInfoLevel & HTTP_QUERY_HEADER_MASK) == HTTP_QUERY_CUSTOM)
{
alloclen = MultiByteToWideChar( CP_ACP, 0, lpBuffer, -1, NULL, 0 ) * sizeof(WCHAR);
if (alloclen < len)
alloclen = len;
}
else
alloclen = len;
bufferW = HeapAlloc( GetProcessHeap(), 0, alloclen );
/* buffer is in/out because of HTTP_QUERY_CUSTOM */
if ((dwInfoLevel & HTTP_QUERY_HEADER_MASK) == HTTP_QUERY_CUSTOM)
MultiByteToWideChar(CP_ACP,0,lpBuffer,-1,bufferW,len);
MultiByteToWideChar( CP_ACP, 0, lpBuffer, -1, bufferW, alloclen / sizeof(WCHAR) );
} else
{
bufferW = NULL;