The issue is that our jscript gets confused by embedded NULs, something like
---
var a = "prefix://" + document.location.host + "suffix";
---
can give "prefix://host:80\0\0\0suffix".
Signed-off-by: Nikolay Sivov <nsivov@codeweavers.com>
---
 dlls/mshtml/htmllocation.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/dlls/mshtml/htmllocation.c b/dlls/mshtml/htmllocation.c index de66ff5670..59b20f614d 100644 --- a/dlls/mshtml/htmllocation.c +++ b/dlls/mshtml/htmllocation.c @@ -351,13 +351,16 @@ static HRESULT WINAPI HTMLLocation_get_host(IHTMLLocation *iface, BSTR *p) if(url.nPort) { /* <hostname>:<port> */ const WCHAR format[] = {'%','u',0}; - DWORD len = url.dwHostNameLength + 1 + 5; + DWORD len, port_len; + WCHAR portW[6]; WCHAR *buf;
+ port_len = snprintfW(portW, sizeof(portW)/sizeof(portW[0]), format, url.nPort); + len = url.dwHostNameLength + 1 /* ':' */ + port_len; buf = *p = SysAllocStringLen(NULL, len); memcpy(buf, url.lpszHostName, url.dwHostNameLength * sizeof(WCHAR)); buf[url.dwHostNameLength] = ':'; - snprintfW(buf + url.dwHostNameLength + 1, 6, format, url.nPort); + memcpy(buf + url.dwHostNameLength + 1, portW, port_len * sizeof(WCHAR)); }else *p = SysAllocStringLen(url.lpszHostName, url.dwHostNameLength);
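Review bot: in the url.nPort branch, buf = *p = SysAllocStringLen(NULL, len) is followed directly by memcpy(buf, ...) and buf[url.dwHostNameLength] = ':' with no check for a NULL return, so an allocation failure turns into a write through a NULL pointer; test buf right after the allocation and return E_OUTOFMEMORY before copying. The new port_len is also used as a copy length without checking what snprintfW returned, and portW[6] relies on the port fitting in five digits plus the terminator, so either bound port_len against the size of portW or add a short comment stating that assumption. A test that compares SysStringLen of the returned string with the expected host length would keep the embedded-NUL case from regressing.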
Hi Nikolay,
On 21.11.2017 21:17, Nikolay Sivov wrote:
> The issue is that our jscript gets confused by embedded NULs, something like
> var a = "prefix://" + document.location.host + "suffix";
> can give "prefix://host:80\0\0\0suffix".
It should be easy to add a test for this, something like: ok(SysStringLen(str) == strlen(test->host), "..."); in test_host should catch the problem.
Ideally, the implementation would use IUri instead of InternetCrackUrl, but the patch looks good to me as well.
Thanks, Jacek