Module: wine Branch: master Commit: 719cd82f3584dd6a863f0b7d2fca429e24d3bdca URL: http://source.winehq.org/git/wine.git/?a=commit;h=719cd82f3584dd6a863f0b7d2f...
Author: Rob Shearman rob@codeweavers.com Date: Mon Feb 18 19:37:35 2008 +0000
wininet: Fix potential buffer overrun in HttpQueryInfoA.
If HTTP_QUERY_CUSTOM is specified then the buffer contains a null-terminated string on input and data of length len on output. The code wasn't taking into account that the input len could be less than the length of the string and thus could result in the allocated buffer being overrun with the call to WideCharToMultiByte.
---
dlls/wininet/http.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c
index 9e02d69..f27f828 100644
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -1982,11 +1982,20 @@ BOOL WINAPI HttpQueryInfoA(HINTERNET hHttpRequest, DWORD dwInfoLevel,
if (lpBuffer) { + DWORD alloclen; len = (*lpdwBufferLength)*sizeof(WCHAR); - bufferW = HeapAlloc( GetProcessHeap(), 0, len ); + if ((dwInfoLevel & HTTP_QUERY_HEADER_MASK) == HTTP_QUERY_CUSTOM) + { + alloclen = MultiByteToWideChar( CP_ACP, 0, lpBuffer, -1, NULL, 0 ) * sizeof(WCHAR); + if (alloclen < len) + alloclen = len; + } + else + alloclen = len; + bufferW = HeapAlloc( GetProcessHeap(), 0, alloclen ); /* buffer is in/out because of HTTP_QUERY_CUSTOM */ if ((dwInfoLevel & HTTP_QUERY_HEADER_MASK) == HTTP_QUERY_CUSTOM) - MultiByteToWideChar(CP_ACP,0,lpBuffer,-1,bufferW,len); + MultiByteToWideChar( CP_ACP, 0, lpBuffer, -1, bufferW, alloclen / sizeof(WCHAR) ); } else { bufferW = NULL;
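Review bot: The result of `HeapAlloc( GetProcessHeap(), 0, alloclen )` is used without a NULL check, so on allocation failure the HTTP_QUERY_CUSTOM branch passes a NULL `bufferW` with a non-zero size to MultiByteToWideChar, and the pointer is then carried into the code after the hunk. A guard directly after the allocation would make the failure explicit, for example `if (!bufferW) { SetLastError( ERROR_OUTOFMEMORY ); return FALSE; }`. This assumes nothing allocated earlier in HttpQueryInfoA needs freeing first, which cannot be confirmed because the function starts and ends outside the hunk. The byte/character split that this fix depends on also deserves a comment on the conversion call, such as `/* alloclen is in bytes; MultiByteToWideChar takes its output size in WCHARs */`.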