From 719cd82f3584dd6a863f0b7d2fca429e24d3bdca Mon Sep 17 00:00:00 2001
From: Rob Shearman
Date: Mon, 18 Feb 2008 19:37:35 +0000
Subject: [PATCH] wininet: Fix potential buffer overrun in HttpQueryInfoA.

If HTTP_QUERY_CUSTOM is specified then the buffer contains a null-terminated string on input and data of length len on output. The code wasn't taking into account that the input len could be less than the length of the string and thus could result in the allocated buffer being overrun with the call to WideCharToMultiByte.
---
 dlls/wininet/http.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c
index 9e02d699cc..f27f828040 100644
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -1982,11 +1982,20 @@ BOOL WINAPI HttpQueryInfoA(HINTERNET hHttpRequest, DWORD dwInfoLevel,
 if (lpBuffer) {
+ DWORD alloclen;
 len = (*lpdwBufferLength)*sizeof(WCHAR);
- bufferW = HeapAlloc( GetProcessHeap(), 0, len );
+ if ((dwInfoLevel & HTTP_QUERY_HEADER_MASK) == HTTP_QUERY_CUSTOM)
+ {
+ alloclen = MultiByteToWideChar( CP_ACP, 0, lpBuffer, -1, NULL, 0 ) * sizeof(WCHAR);
+ if (alloclen < len)
+ alloclen = len;
+ }
+ else
+ alloclen = len;
+ bufferW = HeapAlloc( GetProcessHeap(), 0, alloclen );
 /* buffer is in/out because of HTTP_QUERY_CUSTOM */
 if ((dwInfoLevel & HTTP_QUERY_HEADER_MASK) == HTTP_QUERY_CUSTOM)
- MultiByteToWideChar(CP_ACP,0,lpBuffer,-1,bufferW,len);
+ MultiByteToWideChar( CP_ACP, 0, lpBuffer, -1, bufferW, alloclen / sizeof(WCHAR) );
 } else {
 bufferW = NULL;
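Review bot: The result of `HeapAlloc` is used unchecked: the new `bufferW = HeapAlloc( GetProcessHeap(), 0, alloclen );` is followed directly by the `MultiByteToWideChar` write into `bufferW` in the HTTP_QUERY_CUSTOM branch, and `alloclen` now scales with the length of a caller-supplied string. I would add `if (!bufferW) { SetLastError( ERROR_OUTOFMEMORY ); return FALSE; }` immediately after the allocation. The return value of the second `MultiByteToWideChar` call is also ignored, so a failed conversion would leave `bufferW` uninitialised for whatever consumes it later. The function body continues outside the hunk, so whether later code already copes with a NULL or unconverted `bufferW` cannot be confirmed from here.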