From bd805297090da797cff0c6fac3098a00e2ce801e Mon Sep 17 00:00:00 2001 From: Hans Leidekker Date: Fri, 24 Oct 2008 11:08:12 +0200 Subject: [PATCH] wininet: Add an exception handler in HttpOpenRequestA to protect against invalid accept type pointers. --- dlls/wininet/http.c | 37 ++++++++++++++++++++++++++----------- dlls/wininet/tests/http.c | 2 +- 2 files changed, 27 insertions(+), 12 deletions(-) diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c index 8729df3835..a3d04d9dbf 100644 --- a/dlls/wininet/http.c +++ b/dlls/wininet/http.c @@ -59,6 +59,7 @@ #include "internet.h" #include "wine/debug.h" +#include "wine/exception.h" #include "wine/unicode.h" WINE_DEFAULT_DEBUG_CHANNEL(wininet); @@ -1020,12 +1021,20 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession, types = lpszAcceptTypes; while (*types) { - /* find out how many there are */ - if (((ULONG_PTR)*types >> 16) && **types) + __TRY { - TRACE("accept type: %s\n", debugstr_a(*types)); - acceptTypesCount++; + /* find out how many there are */ + if (*types && **types) + { + TRACE("accept type: %s\n", debugstr_a(*types)); + acceptTypesCount++; + } } + __EXCEPT_PAGE_FAULT + { + WARN("invalid accept type pointer\n"); + } + __ENDTRY; types++; } szAcceptTypes = HeapAlloc(GetProcessHeap(), 0, sizeof(WCHAR *) * (acceptTypesCount+1)); @@ -1035,20 +1044,26 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession, types = lpszAcceptTypes; while (*types) { - if (((ULONG_PTR)*types >> 16) && **types) + __TRY { - len = MultiByteToWideChar(CP_ACP, 0, *types, -1, NULL, 0 ); - szAcceptTypes[acceptTypesCount] = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR)); - if (!szAcceptTypes[acceptTypesCount]) goto end; + if (*types && **types) + { + len = MultiByteToWideChar(CP_ACP, 0, *types, -1, NULL, 0 ); + szAcceptTypes[acceptTypesCount] = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR)); - MultiByteToWideChar(CP_ACP, 0, *types, -1, szAcceptTypes[acceptTypesCount], len); - acceptTypesCount++; + MultiByteToWideChar(CP_ACP, 0, *types, -1, szAcceptTypes[acceptTypesCount], len); + acceptTypesCount++; + } } + __EXCEPT_PAGE_FAULT + { + /* ignore invalid pointer */ + } + __ENDTRY; types++; } szAcceptTypes[acceptTypesCount] = NULL; } - else szAcceptTypes = 0; rc = HttpOpenRequestW(hHttpSession, szVerb, szObjectName, szVersion, szReferrer, diff --git a/dlls/wininet/tests/http.c b/dlls/wininet/tests/http.c index e01ef20baa..1c686c891b 100644 --- a/dlls/wininet/tests/http.c +++ b/dlls/wininet/tests/http.c @@ -1964,7 +1964,7 @@ static void test_user_agent_header(void) static void test_bogus_accept_types_array(void) { HINTERNET ses, con, req; - static const char *types[] = { (const char *)6240, "*/*", "%p", "", "*/*", NULL }; + static const char *types[] = { (const char *)6240, "*/*", "%p", "", (const char *)0xffffffff, "*/*", NULL }; DWORD size; char buffer[32]; BOOL ret;