[PATCH v3 0/2] MR8331: iertutil: Fix out-of-bound access in remove_dot_segments.
* * * As you can see from the ~~[test results](https://testbot.winehq.org/JobDetails.pl?Key=158742)~~ (link expired), this seems to be bugged on native. I don't know if we need to replicate native's behavior -- v3: iertutil: Fix out-of-bound access in remove_dot_segments. https://gitlab.winehq.org/wine/wine/-/merge_requests/8331
From: Yuxuan Shui <yshui@codeweavers.com> Native handles this poorly. When the buffer isn't large enough for URI unescaping, native will return STATUS_SUCCESS with a 0 output length. Besides that, on <= Windows 10 v1507, there are additional cases where the returned length is 0. This appears to have been fixed in later versions. Unsure if we need bug compatibility here. --- dlls/urlmon/tests/uri.c | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/dlls/urlmon/tests/uri.c b/dlls/urlmon/tests/uri.c index 4a0ae350b33..ec8a451aba1 100644 --- a/dlls/urlmon/tests/uri.c +++ b/dlls/urlmon/tests/uri.c @@ -8250,6 +8250,9 @@ typedef struct _uri_parse_test { const char *property; HRESULT expected; BOOL todo; + /* Whether CoInternetParseIUri returns S_OK when provided + * with a buffer that's too small. */ + BOOL insufficient_buffer_ok; const char *property2; } uri_parse_test; @@ -8257,7 +8260,8 @@ static const uri_parse_test uri_parse_tests[] = { /* PARSE_CANONICALIZE tests. */ {"zip://google.com/test<|>",0,PARSE_CANONICALIZE,0,"zip://google.com/test<|>",S_OK,FALSE}, {"http://google.com/test<|>",0,PARSE_CANONICALIZE,0,"http://google.com/test%3C%7C%3E",S_OK,FALSE}, - {"http://google.com/%30%23%3F",0,PARSE_CANONICALIZE,URL_UNESCAPE,"http://google.com/0#?",S_OK,FALSE}, + {"http://google.com/%30%23%3F",0,PARSE_CANONICALIZE,URL_UNESCAPE,"http://google.com/0#?",S_OK,FALSE,TRUE}, + {"http://google.com/%30%23%3F/..",0,PARSE_CANONICALIZE,URL_UNESCAPE,"http://google.com/",S_OK,FALSE,TRUE}, {"test <|>",Uri_CREATE_ALLOW_RELATIVE,PARSE_CANONICALIZE,URL_ESCAPE_UNSAFE,"test %3C%7C%3E",S_OK,FALSE}, {"test <|>",Uri_CREATE_ALLOW_RELATIVE,PARSE_CANONICALIZE,URL_ESCAPE_SPACES_ONLY,"test%20<|>",S_OK,FALSE}, {"test%20<|>",Uri_CREATE_ALLOW_RELATIVE,PARSE_CANONICALIZE,URL_UNESCAPE|URL_ESCAPE_UNSAFE,"test%20%3C%7C%3E",S_OK,FALSE}, @@ -8317,7 +8321,7 @@ static const uri_parse_test uri_parse_tests[] = { {"file://server/test",0,PARSE_SITE,0,"server",S_OK,FALSE}, /* PARSE_DOMAIN tests. */ - {"http://google.com.uk/",0,PARSE_DOMAIN,0,"google.com.uk",S_OK,FALSE,"com.uk"}, + {"http://google.com.uk/",0,PARSE_DOMAIN,0,"google.com.uk",S_OK,FALSE,FALSE,"com.uk"}, {"http://google.com.com/",0,PARSE_DOMAIN,0,"com.com",S_OK,FALSE}, {"test/test",Uri_CREATE_ALLOW_RELATIVE,PARSE_DOMAIN,0,"",S_OK,FALSE}, {"file://server/test",0,PARSE_DOMAIN,0,"",S_OK,FALSE}, @@ -11725,9 +11729,25 @@ static void test_CoInternetParseIUri(void) { hr = pCreateUri(uriW, test.uri_flags, 0, &uri); ok(SUCCEEDED(hr), "Error: CreateUri returned 0x%08lx on uri_parse_tests[%ld].\n", hr, i); if(SUCCEEDED(hr)) { - WCHAR result[INTERNET_MAX_URL_LENGTH+1]; + WCHAR result[INTERNET_MAX_URL_LENGTH+1], short_result[1]; DWORD result_len = -1; + if (!test.expected && lstrlenA(test.property) > 1) { + HRESULT expected_hr = test.insufficient_buffer_ok ? 0 : STRSAFE_E_INSUFFICIENT_BUFFER; + DWORD expected_len = test.insufficient_buffer_ok ? 0 : lstrlenA(test.property); + /* test result_len calculation with insufficient buffer. */ + hr = pCoInternetParseIUri(uri, test.action, test.flags, short_result, 1, &result_len, 0); + todo_wine_if(test.insufficient_buffer_ok) + ok(hr == expected_hr, + "Error: CoInternetParseIUri returned 0x%08lx, expected 0x%08lx on uri_parse_tests[%ld].\n", + hr, expected_hr, i); + todo_wine_if(test.insufficient_buffer_ok) + ok((expected_len == result_len || broken(0 == result_len) /* <= win10 v1507 */) || + (test.property2 && lstrlenA(test.property2) == result_len), + "Error: Expected %lu, but got %ld instead on uri_parse_tests[%ld] - %s.\n", + expected_len, result_len, i, wine_dbgstr_w(uriW)); + } + hr = pCoInternetParseIUri(uri, test.action, test.flags, result, INTERNET_MAX_URL_LENGTH+1, &result_len, 0); todo_wine_if(test.todo) ok(hr == test.expected, -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/8331
From: Yuxuan Shui <yshui@codeweavers.com> parse_canonicalize will stop writing into the output buffer when the amount to write exceeded output_len, but it will still call remove_dot_segments and give it a path length that goes past the end of the output buffer, causing it to read out of bound. Additionally, we can't simply reject the input once we exceeded the capacity of the output buffer because dot segments removal might bring the length down within the limit. The current implementation is incorrect in this case since the output has already been cut off. This commit creates a temporary buffer and does dot segments removal first, and then everything else. There is further evidence that this is how native does it too, because if a path segment is "%2E." (%2E is "." when decoded), native will not remove it, which it would have done if dot segments removal happens after unescaping. This is included as an additional uri_parse_test. --- dlls/iertutil/uri.c | 50 +++++++++++++++++++---------------------- dlls/urlmon/tests/uri.c | 1 + 2 files changed, 24 insertions(+), 27 deletions(-) diff --git a/dlls/iertutil/uri.c b/dlls/iertutil/uri.c index 38408c4baf5..847b8e8651c 100644 --- a/dlls/iertutil/uri.c +++ b/dlls/iertutil/uri.c @@ -6332,8 +6332,8 @@ static HRESULT combine_uri(Uri *base, Uri *relative, DWORD flags, IUri **result, static HRESULT parse_canonicalize(const Uri *uri, DWORD flags, LPWSTR output, DWORD output_len, DWORD *result_len) { - const WCHAR *ptr = NULL; - WCHAR *path = NULL; + const WCHAR *ptr = NULL, *end_ptr = NULL; + WCHAR *reduced = NULL; const WCHAR **pptr; DWORD len = 0; BOOL reduce_path; @@ -6354,24 +6354,29 @@ static HRESULT parse_canonicalize(const Uri *uri, DWORD flags, LPWSTR output, reduce_path = !(flags & URL_DONT_SIMPLIFY) && ptr && check_hierarchical(pptr); - for(ptr = uri->canon_uri; ptr < uri->canon_uri+uri->canon_len; ++ptr) { - BOOL do_default_action = TRUE; + /* Reduce path first, otherwise it's difficult to check if the output will exceed + * output_len during escaping/unescaping. */ + if (reduce_path && uri->path_start > -1) + { + DWORD path_end = uri->path_start+uri->path_len, new_path_end; - /* Keep track of the path if we need to remove dot segments from - * it later. - */ - if(reduce_path && !path && ptr == uri->canon_uri+uri->path_start) - path = output+len; + reduced = malloc(sizeof(WCHAR)*uri->canon_len); + if (!reduced) return E_OUTOFMEMORY; - /* Check if it's time to reduce the path. */ - if(reduce_path && ptr == uri->canon_uri+uri->path_start+uri->path_len) { - DWORD current_path_len = (output+len) - path; - DWORD new_path_len = remove_dot_segments(path, current_path_len); + memcpy(reduced, uri->canon_uri, sizeof(WCHAR)*path_end); + new_path_end = uri->path_start+remove_dot_segments(reduced+uri->path_start, uri->path_len); + memcpy(reduced+new_path_end, uri->canon_uri+path_end, sizeof(WCHAR)*(uri->canon_len-path_end)); + ptr = reduced; + end_ptr = ptr+new_path_end+(uri->canon_len-path_end); + } + else + { + ptr = uri->canon_uri; + end_ptr = ptr+uri->canon_len; + } - /* Update the current length. */ - len -= (current_path_len-new_path_len); - reduce_path = FALSE; - } + for(; ptr < end_ptr; ++ptr) { + BOOL do_default_action = TRUE; if(*ptr == '%') { const WCHAR decoded = decode_pct_val(ptr); @@ -6416,16 +6421,7 @@ static HRESULT parse_canonicalize(const Uri *uri, DWORD flags, LPWSTR output, } } - /* Sometimes the path is the very last component of the IUri, so - * see if the dot segments need to be reduced now. - */ - if(reduce_path && path) { - DWORD current_path_len = (output+len) - path; - DWORD new_path_len = remove_dot_segments(path, current_path_len); - - /* Update the current length. */ - len -= (current_path_len-new_path_len); - } + if (reduced) free(reduced); if(len < output_len) output[len] = 0; diff --git a/dlls/urlmon/tests/uri.c b/dlls/urlmon/tests/uri.c index ec8a451aba1..6767f278579 100644 --- a/dlls/urlmon/tests/uri.c +++ b/dlls/urlmon/tests/uri.c @@ -8270,6 +8270,7 @@ static const uri_parse_test uri_parse_tests[] = { {"http://google.com/test/../",Uri_CREATE_NO_CANONICALIZE,PARSE_CANONICALIZE,URL_NO_META,"http://google.com/test/../",S_OK,FALSE}, {"http://google.com/test/../",Uri_CREATE_NO_CANONICALIZE,PARSE_CANONICALIZE,0,"http://google.com/",S_OK,FALSE}, {"zip://google.com/test/../",Uri_CREATE_NO_CANONICALIZE,PARSE_CANONICALIZE,0,"zip://google.com/",S_OK,FALSE}, + {"zip://google.com/test/%2E./",Uri_CREATE_NO_CANONICALIZE,PARSE_CANONICALIZE,URL_UNESCAPE,"zip://google.com/test/../",S_OK,FALSE,TRUE}, {"file:///c:/test/../test",Uri_CREATE_NO_CANONICALIZE,PARSE_CANONICALIZE,URL_DONT_SIMPLIFY,"file:///c:/test/../test",S_OK,FALSE}, /* PARSE_FRIENDLY tests. */ -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/8331
update: check for allocation failure. some minor style fixes. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/8331#note_136823
This merge request was approved by Jacek Caban. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/8331
participants (3)
-
Jacek Caban (@jacek) -
Yuxuan Shui
-
Yuxuan Shui (@yshui)