[PATCH] mshtml: Make sure actual host length matches returned BSTR length
The issue our jscript gets confused by embedded NULs, something like --- var a = "prefix://" + document.location.host + "suffix"; --- can give "prefix://host:80\0\0\0suffix". Signed-off-by: Nikolay Sivov <nsivov(a)codeweavers.com> --- dlls/mshtml/htmllocation.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dlls/mshtml/htmllocation.c b/dlls/mshtml/htmllocation.c index de66ff5670..59b20f614d 100644 --- a/dlls/mshtml/htmllocation.c +++ b/dlls/mshtml/htmllocation.c @@ -351,13 +351,16 @@ static HRESULT WINAPI HTMLLocation_get_host(IHTMLLocation *iface, BSTR *p) if(url.nPort) { /* <hostname>:<port> */ const WCHAR format[] = {'%','u',0}; - DWORD len = url.dwHostNameLength + 1 + 5; + DWORD len, port_len; + WCHAR portW[6]; WCHAR *buf; + port_len = snprintfW(portW, sizeof(portW)/sizeof(portW[0]), format, url.nPort); + len = url.dwHostNameLength + 1 /* ':' */ + port_len; buf = *p = SysAllocStringLen(NULL, len); memcpy(buf, url.lpszHostName, url.dwHostNameLength * sizeof(WCHAR)); buf[url.dwHostNameLength] = ':'; - snprintfW(buf + url.dwHostNameLength + 1, 6, format, url.nPort); + memcpy(buf + url.dwHostNameLength + 1, portW, port_len * sizeof(WCHAR)); }else *p = SysAllocStringLen(url.lpszHostName, url.dwHostNameLength); -- 2.15.0
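Review bot: In the port branch, `buf = *p = SysAllocStringLen(NULL, len);` is followed directly by `memcpy(buf, url.lpszHostName, ...)` with no NULL check, so a failed allocation is dereferenced; check `buf` and return E_OUTOFMEMORY before the copies. In the added lines, `port_len` stores the snprintfW return value in a DWORD and then feeds both `len` and the final memcpy size, so a negative return would wrap to a very large length. Keeping it in an int and bailing out when it is negative, or at least commenting that `portW[6]` always fits the port digits plus the terminator, would make that assumption explicit.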
Hi Nikolay,

On 21.11.2017 21:17, Nikolay Sivov wrote:
> The issue our jscript gets confused by embedded NULs, something like
> ---
> var a = "prefix://" + document.location.host + "suffix";
> ---
> can give "prefix://host:80\0\0\0suffix".

This should be easy to add a test for it, something like:

ok(SysStringLen(str) == strlen(test->host), "...");

in test_host should catch the problem. Ideally, the implementation would use IUri instead of InternetCrackUrl, but the patch looks good to me as well.

Thanks,
Jacek
participants (2)
- Jacek Caban
- Nikolay Sivov