Module: wine Branch: master Commit: 216d4c0834d4e9e52e18821b85706c4fa77ffe17 URL: http://source.winehq.org/git/wine.git/?a=commit;h=216d4c0834d4e9e52e18821b85...
Author: Hans Leidekker hans@meelstraat.net Date: Sat Jul 19 19:55:52 2008 +0200
wininet: Fix cookie buffer overflow.
Spotted by Yann Droneaud.
---
dlls/wininet/http.c | 23 ++++++++++++----------- 1 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c
index 154dc97..2a78670 100644
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -3124,11 +3124,11 @@ static void HTTP_InsertCookies(LPWININETHTTPREQW lpwhr)
 {
 static const WCHAR szUrlForm[] = {'h','t','t','p',':','/','/','%','s',0};
 LPWSTR lpszCookies, lpszUrl = NULL;
- DWORD nCookieSize, len;
+ DWORD nCookieSize, size;
 LPHTTPHEADERW Host = HTTP_GetHeader(lpwhr,szHost);
- len = lstrlenW(Host->lpszValue) + strlenW(szUrlForm);
- lpszUrl = HeapAlloc(GetProcessHeap(), 0, len*sizeof(WCHAR));
+ size = (strlenW(Host->lpszValue) + strlenW(szUrlForm)) * sizeof(WCHAR);
+ if (!(lpszUrl = HeapAlloc(GetProcessHeap(), 0, size))) return;
 sprintfW( lpszUrl, szUrlForm, Host->lpszValue );
 if (InternetGetCookieW(lpszUrl, NULL, NULL, &nCookieSize))
@@ -3137,15 +3137,16 @@ static void HTTP_InsertCookies(LPWININETHTTPREQW lpwhr)
 static const WCHAR szCookie[] = {'C','o','o','k','i','e',':',' ',0};
 static const WCHAR szcrlf[] = {'\r','\n',0};
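Review bot: `Host` is dereferenced in the new size computation (`strlenW(Host->lpszValue)`) and again in the `sprintfW` call without a NULL check, so if `HTTP_GetHeader(lpwhr,szHost)` can return NULL for a request that carries no Host header (its definition is not visible here), HTTP_InsertCookies would fault before any cookie is looked up. A guard such as `if (!Host) return;` placed right after the declarations would make that precondition explicit. The allocation is large enough only because the two characters of `%s` in szUrlForm cover the terminating NUL; a short comment saying so, e.g. `/* the "%s" in szUrlForm leaves room for the terminator */`, would keep a later change to the format from reintroducing an overflow. The function body continues outside this hunk.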
- lpszCookies = HeapAlloc(GetProcessHeap(), 0, (nCookieSize + 1 + 8)*sizeof(WCHAR));
-
- cnt += sprintfW(lpszCookies, szCookie);
- InternetGetCookieW(lpszUrl, NULL, lpszCookies + cnt, &nCookieSize);
- strcatW(lpszCookies, szcrlf);
+ size = sizeof(szCookie) + nCookieSize * sizeof(WCHAR) + sizeof(szcrlf);
+ if ((lpszCookies = HeapAlloc(GetProcessHeap(), 0, size)))
+ {
+ cnt += sprintfW(lpszCookies, szCookie);
+ InternetGetCookieW(lpszUrl, NULL, lpszCookies + cnt, &nCookieSize);
+ strcatW(lpszCookies, szcrlf);
- HTTP_HttpAddRequestHeadersW(lpwhr, lpszCookies, strlenW(lpszCookies),
- HTTP_ADDREQ_FLAG_ADD);
- HeapFree(GetProcessHeap(), 0, lpszCookies);
+ HTTP_HttpAddRequestHeadersW(lpwhr, lpszCookies, strlenW(lpszCookies), HTTP_ADDREQ_FLAG_ADD);
+ HeapFree(GetProcessHeap(), 0, lpszCookies);
+ }
 }
 HeapFree(GetProcessHeap(), 0, lpszUrl);
 }
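Review bot: The second `InternetGetCookieW` call, the one that fills `lpszCookies + cnt`, still has its return value ignored, so if the cookie store changes between the size query and the fetch, or the call fails for any other reason, the code goes on to `strcatW` and adds a header built from whatever is in the buffer. Only the `Cookie: ` prefix written by `sprintfW` is known to be terminated at that point; whether a failed call leaves the rest of the buffer terminated cannot be told from this hunk. Making the tail conditional, `if (InternetGetCookieW(lpszUrl, NULL, lpszCookies + cnt, &nCookieSize)) { strcatW(lpszCookies, szcrlf); HTTP_HttpAddRequestHeadersW(...); }`, keeps an empty or partially filled Cookie header out of the request while `HeapFree` still runs unconditionally. The declaration of `cnt` and the opening of the enclosing block lie outside the hunk.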