From: Yuxuan Shui yshui@codeweavers.com
Since LPCSTR is signed, (*lpszKey ^ key[i]) could be negative, which means accessing the lookupTable with it will underflow.
---
 dlls/wininet/urlcache.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/dlls/wininet/urlcache.c b/dlls/wininet/urlcache.c
index 366fa0b6bea..4c8a48b2e96 100644
--- a/dlls/wininet/urlcache.c
+++ b/dlls/wininet/urlcache.c
@@ -1455,17 +1455,18 @@ static DWORD urlcache_hash_key(LPCSTR lpszKey)
 0xA3, 0xC8, 0xDE, 0xEB, 0xF8, 0xF3, 0xDB, 0x0A,
 0x98, 0x83, 0x7B, 0xE5, 0xCB, 0x4C, 0x78, 0xD1
 };
+ const BYTE *input = (const BYTE *)lpszKey;
 BYTE key[4];
 DWORD i;

 for (i = 0; i < ARRAY_SIZE(key); i++)
- key[i] = lookupTable[(*lpszKey + i) & 0xFF];
+ key[i] = lookupTable[(*input + i) & 0xFF];

- if (*lpszKey)
- for (lpszKey++; *lpszKey; lpszKey++)
+ if (*input)
+ for (input++; *input; input++)
 {
 for (i = 0; i < ARRAY_SIZE(key); i++)
- key[i] = lookupTable[*lpszKey ^ key[i]];
+ key[i] = lookupTable[*input ^ key[i]];
 }

 return *(DWORD *)key;
@@ -1492,7 +1493,7 @@ static BOOL urlcache_find_hash_entry(const urlcache_header *pHeader, LPCSTR lpsz
 * there can be multiple hash tables in the file and the offset to
 * the next one is stored in the header of the hash table
 */
- DWORD key = urlcache_hash_key(lpszUrl);
+ DWORD key = urlcache_hash_key((const BYTE *)lpszUrl);
 DWORD offset = (key & (HASHTABLE_NUM_ENTRIES-1)) * HASHTABLE_BLOCKSIZE;
 entry_hash_table* pHashEntry;
 DWORD id = 0;
@@ -1581,7 +1582,7 @@ static DWORD urlcache_hash_entry_create(urlcache_header *pHeader, LPCSTR lpszUrl
 {
 /* see urlcache_find_hash_entry for structure of hash tables */

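Review bot: The new `input` declaration carries no comment saying why the key is re-read as unsigned bytes, so a later cleanup could drop the cast and bring back the negative index into `lookupTable`; I would add above it `/* read the key as unsigned bytes: a char >= 0x80 is negative where char is signed and would index before lookupTable */`. Of the changed lines only the XOR lookup in the inner loop changes behaviour, since the first loop already masks its index with `& 0xFF`. Separately, the unchanged `return *(DWORD *)key;` at the end of the hunk still reads a `BYTE[4]` through a `DWORD` lvalue, which relies on the array's alignment and on the build's aliasing settings; copying the four bytes into a local `DWORD` with `memcpy` would be the well-defined form. urlcache_hash_key starts above this hunk and its closing brace is below it, so most of the table is not visible here.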
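Review bot: The `(const BYTE *)` cast added to this call does not match the callee, whose signature is still `urlcache_hash_key(LPCSTR lpszKey)` according to the first hunk's header and which now does the conversion itself through `input`. As written, an unsigned-char pointer is passed to a `const char *` parameter, which compilers report as a pointer-sign mismatch and which hides where the signedness is actually handled; the call should stay `DWORD key = urlcache_hash_key(lpszUrl);`. The same cast is added in urlcache_hash_entry_create in the following hunk and should be dropped there too. Both callers begin and end outside their hunks, so how `lpszUrl` is used afterwards is not visible.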
- DWORD key = urlcache_hash_key(lpszUrl);
+ DWORD key = urlcache_hash_key((const BYTE *)lpszUrl);
 DWORD offset = (key & (HASHTABLE_NUM_ENTRIES-1)) * HASHTABLE_BLOCKSIZE;
 entry_hash_table* pHashEntry, *pHashPrev = NULL;
 DWORD id = 0;