Re: Wininet Buffer Length Fixes
Robert Shearman <rob(a)codeweavers.com> writes:
--- wine/dlls/wininet/http.c 4 Jul 2004 00:24:47 -0000 1.65 +++ wine/dlls/wininet/http.c 13 Jul 2004 16:23:11 -0000 @@ -1131,8 +1186,8 @@ if( result ) { len = WideCharToMultiByte( CP_ACP,0, bufferW, len / sizeof(WCHAR), - lpBuffer, *lpdwBufferLength, NULL, NULL ); - *lpdwBufferLength = len * sizeof(WCHAR); + lpBuffer, *lpdwBufferLength+1, NULL, NULL ); + *lpdwBufferLength = (len-1) * sizeof(CHAR);
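Review bot: the destination size passed to WideCharToMultiByte in this hunk, `*lpdwBufferLength+1`, is one byte larger than the buffer the caller supplied, so the conversion can write past the end of lpBuffer; the call should keep `*lpdwBufferLength` as the destination size. The new length computation `(len-1) * sizeof(CHAR)` also assumes the returned byte count includes a terminator, but with an explicit source count of `len / sizeof(WCHAR)` characters (where len excludes the NULL, per the discussion) no terminator is written and the count would be under-reported by one; reporting the returned count directly, without the `-1` and without the no-op `sizeof(CHAR)` multiplier, avoids that.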
It seems to me this would potentially write beyond the end of the buffer; that doesn't look right.
--
Alexandre Julliard
julliard(a)winehq.org
Alexandre Julliard wrote:
Robert Shearman <rob(a)codeweavers.com> writes:
--- wine/dlls/wininet/http.c 4 Jul 2004 00:24:47 -0000 1.65 +++ wine/dlls/wininet/http.c 13 Jul 2004 16:23:11 -0000 @@ -1131,8 +1186,8 @@ if( result ) { len = WideCharToMultiByte( CP_ACP,0, bufferW, len / sizeof(WCHAR), - lpBuffer, *lpdwBufferLength, NULL, NULL ); - *lpdwBufferLength = len * sizeof(WCHAR); + lpBuffer, *lpdwBufferLength+1, NULL, NULL ); + *lpdwBufferLength = (len-1) * sizeof(CHAR);
It seems to me this would potentially write beyond the end of the buffer; that doesn't look right.
From: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wininet/win...
"In the case of a string, the byte count does not include the string's terminating null character."
Since WideCharToMultiByte returns the number of bytes written including the null terminator it is required to take one away from it, although the misleading *sizeof(CHAR) can be removed.
Rob
Robert Shearman <rob(a)codeweavers.com> writes:
In the case of a string, the byte count does not include the string's terminating null character.
Since WideCharToMultiByte returns the number of bytes written including the null terminator it is required to take one away from it, although the misleading *sizeof(CHAR) can be removed.
I meant the line above, where you use *lpdwBufferLength+1; this will overflow the buffer. Note that since len doesn't include the terminating NULL, converting len/sizeof(WCHAR) characters won't get you a terminating NULL even with a larger dest buffer.
--
Alexandre Julliard
julliard(a)winehq.org
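To make the two problems raised in this thread concrete, here is an added C example; it is not Wine code, and WideCharToMultiByte is replaced by a simplified ASCII-only model (an assumption) that keeps the relevant behaviour of the real call: with an explicit source count it writes no terminator, returns the bytes written, and returns 0 when the destination is too small. A canary byte after a 4-byte caller buffer shows that passing the buffer size plus one lets the conversion clobber memory past the buffer, and the reported count shows why subtracting one from the result under-reports the length.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Stand-in for WideCharToMultiByte (assumption: ASCII-only model, not the
 * real API). With an explicit source count it copies exactly that many
 * characters, appends no NUL, and returns the bytes written, or 0 when
 * dst_size is too small (the real call reports ERROR_INSUFFICIENT_BUFFER). */
static int model_wc2mb(const wchar_t *src, int src_chars, char *dst, int dst_size)
{
    if (src_chars > dst_size) return 0;
    for (int i = 0; i < src_chars; i++) dst[i] = (char)src[i];
    return src_chars;
}

/* Mirrors the hunk: len is the header's byte length excluding the NUL and
 * buffer_len is the caller's *lpdwBufferLength. slack = 0 passes the real
 * buffer size; slack = 1 reproduces the patch's "+1". Returns the byte count
 * to report to the caller, or -1 when the buffer is too small. */
static int convert_header(const wchar_t *bufferW, int len, char *lpBuffer,
                          int buffer_len, int slack)
{
    int written = model_wc2mb(bufferW, len / (int)sizeof(wchar_t),
                              lpBuffer, buffer_len + slack);
    return written ? written : -1;
}

/* Probe: a 4-byte caller buffer followed by one canary byte. Converting a
 * 5-character value must fail, not spill into the canary. Returns 1 if the
 * canary is intact afterwards, 0 if the conversion overwrote it. */
static int canary_survives(int slack)
{
    static const wchar_t value[] = L"abcde";   /* constructed sample value */
    char probe[5];                             /* probe[0..3] buffer, probe[4] canary */
    memset(probe, 'X', sizeof probe);
    convert_header(value, 5 * (int)sizeof(wchar_t), probe, 4, slack);
    return probe[4] == 'X';
}

/* Bytes reported for a 4-character value converted into a buffer of
 * buffer_len bytes: the count carries no NUL, so "len - 1" would give 3. */
static int reported_length(int buffer_len)
{
    static const wchar_t value[] = L"abcd";    /* constructed sample value */
    char out[16];
    if (buffer_len > (int)sizeof out) buffer_len = (int)sizeof out;
    return convert_header(value, 4 * (int)sizeof(wchar_t), out, buffer_len, 0);
}
```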