Dot segments removal in parse_canonicalize makes the assumption that the entire path part of the URI fits into the output buffer (len is the length the output URI would have taken had the output buffer been large enough). So when the output buffer is too small, remove_dot_segments will access out of bounds.
Considering URI unescaping could be happening at the same time, there is no simple way to calculate the required output buffer size correctly without keeping the actual output URI in memory.
* * *
As you can see from the [test results](https://testbot.winehq.org/JobDetails.pl?Key=158742), this seems to be bugged on native. I don't know if we need to replicate native's behavior.
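A bounded form of the pattern described above, as an added example (not Wine's code or the actual patch): canonicalize into a scratch buffer, run dot-segment removal only over the bytes actually produced, and copy to the caller's buffer only if the result fits. `canonicalize_path` and `hexval` are hypothetical names and this `remove_dot_segments` is a stand-alone rewrite; it assumes an absolute path and unescapes only RFC 3986 unreserved characters.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 5.2.4, in place, over exactly len bytes of an absolute path.
 * Touches only path[0..len-1]; returns the new length. */
static size_t remove_dot_segments(char *path, size_t len) {
    size_t in = 0, out = 0;
    while (in < len) {
        size_t seg = in + 1;                       /* path[in] is '/' */
        while (seg < len && path[seg] != '/') seg++;
        size_t n = seg - in - 1;                   /* segment length, no '/' */
        if (n == 1 && path[in + 1] == '.') {
            if (seg == len) path[out++] = '/';     /* trailing "/." -> "/" */
        } else if (n == 2 && path[in + 1] == '.' && path[in + 2] == '.') {
            while (out > 0 && path[--out] != '/') {} /* drop previous segment */
            if (seg == len) path[out++] = '/';     /* trailing "/.." -> "/" */
        } else {
            memmove(path + out, path + in, seg - in);
            out += seg - in;
        }
        in = seg;
    }
    return out;
}

static int hexval(unsigned char c) {
    return isdigit(c) ? c - '0' : isxdigit(c) ? (c | 0x20) - 'a' + 10 : -1;
}

/* Returns the length the canonical path needs (without NUL), or (size_t)-1 if
 * allocation fails. out is written only when the whole result fits. */
size_t canonicalize_path(const char *src, char *out, size_t out_cap) {
    size_t src_len = strlen(src), n = 0;
    char *tmp = malloc(src_len + 1);   /* unescaping and dot removal never grow */
    if (!tmp) return (size_t)-1;
    for (size_t i = 0; i < src_len; i++) {
        int hi, lo, c = (unsigned char)src[i];
        if (c == '%' && (hi = hexval(src[i + 1])) >= 0 && (lo = hexval(src[i + 2])) >= 0) {
            int d = hi * 16 + lo;      /* decode unreserved characters only */
            if (d > 0 && d < 128 && (isalnum(d) || strchr("-._~", d))) { c = d; i += 2; }
        }
        tmp[n++] = (char)c;
    }
    n = remove_dot_segments(tmp, n);
    if (n < out_cap) { memcpy(out, tmp, n); out[n] = '\0'; }
    free(tmp);
    return n;
}
```

A caller whose buffer is too small gets the required length back and an untouched buffer, so it can retry with `required + 1` bytes.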