From 216d4c0834d4e9e52e18821b85706c4fa77ffe17 Mon Sep 17 00:00:00 2001
From: Hans Leidekker
Date: Sat, 19 Jul 2008 19:55:52 +0200
Subject: [PATCH] wininet: Fix cookie buffer overflow. Spotted by Yann Droneaud.
---
 dlls/wininet/http.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c
index 154dc97641d..2a786708e29 100644
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -3124,11 +3124,11 @@ static void HTTP_InsertCookies(LPWININETHTTPREQW lpwhr)
 {
 static const WCHAR szUrlForm[] = {'h','t','t','p',':','/','/','%','s',0};
 LPWSTR lpszCookies, lpszUrl = NULL;
- DWORD nCookieSize, len;
+ DWORD nCookieSize, size;
 LPHTTPHEADERW Host = HTTP_GetHeader(lpwhr,szHost);
- len = lstrlenW(Host->lpszValue) + strlenW(szUrlForm);
- lpszUrl = HeapAlloc(GetProcessHeap(), 0, len*sizeof(WCHAR));
+ size = (strlenW(Host->lpszValue) + strlenW(szUrlForm)) * sizeof(WCHAR);
+ if (!(lpszUrl = HeapAlloc(GetProcessHeap(), 0, size))) return;
 sprintfW( lpszUrl, szUrlForm, Host->lpszValue );
 if (InternetGetCookieW(lpszUrl, NULL, NULL, &nCookieSize))
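Review bot: `Host` is dereferenced in the new `size` computation (`strlenW(Host->lpszValue)`) and again in `sprintfW` without a NULL check. If `HTTP_GetHeader(lpwhr,szHost)` can return NULL for a request with no Host header (its definition is not visible here), this path faults before the new allocation check is reached. A guard such as `if (!Host || !Host->lpszValue) return;` ahead of the size computation would close that. The buffer is large enough only because the two characters of `%s` in `szUrlForm` leave room for the terminating NUL; a comment like `/* "%s" is replaced by the host, so its 2 chars cover the NUL */` would keep a later format change from reintroducing the overflow. The body of HTTP_InsertCookies continues past this hunk.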
@@ -3137,15 +3137,16 @@ static void HTTP_InsertCookies(LPWININETHTTPREQW lpwhr)
 static const WCHAR szCookie[] = {'C','o','o','k','i','e',':',' ',0};
 static const WCHAR szcrlf[] = {'\r','\n',0};
- lpszCookies = HeapAlloc(GetProcessHeap(), 0, (nCookieSize + 1 + 8)*sizeof(WCHAR));
-
- cnt += sprintfW(lpszCookies, szCookie);
- InternetGetCookieW(lpszUrl, NULL, lpszCookies + cnt, &nCookieSize);
- strcatW(lpszCookies, szcrlf);
+ size = sizeof(szCookie) + nCookieSize * sizeof(WCHAR) + sizeof(szcrlf);
+ if ((lpszCookies = HeapAlloc(GetProcessHeap(), 0, size)))
+ {
+ cnt += sprintfW(lpszCookies, szCookie);
+ InternetGetCookieW(lpszUrl, NULL, lpszCookies + cnt, &nCookieSize);
+ strcatW(lpszCookies, szcrlf);
- HTTP_HttpAddRequestHeadersW(lpwhr, lpszCookies, strlenW(lpszCookies),
- HTTP_ADDREQ_FLAG_ADD);
- HeapFree(GetProcessHeap(), 0, lpszCookies);
+ HTTP_HttpAddRequestHeadersW(lpwhr, lpszCookies, strlenW(lpszCookies), HTTP_ADDREQ_FLAG_ADD);
+ HeapFree(GetProcessHeap(), 0, lpszCookies);
+ }
 }
 HeapFree(GetProcessHeap(), 0, lpszUrl);
 }
-- 2.11.4.GIT
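Review bot: The return value of the second `InternetGetCookieW` call, the one that fills `lpszCookies + cnt`, is still ignored. If that call fails, or the cookie data changed between the size query and the fetch, `strcatW` and `HTTP_HttpAddRequestHeadersW` still run and can add an empty or incomplete `Cookie: ` header. Making the remainder conditional, `if (InternetGetCookieW(lpszUrl, NULL, lpszCookies + cnt, &nCookieSize))` around the `strcatW` and `HTTP_HttpAddRequestHeadersW` calls, leaves the header out on failure while `HeapFree` still runs. The new `size` expression also treats `nCookieSize` as a count of WCHARs rather than bytes, which cannot be confirmed from this hunk, so a short comment stating the unit would help the next reader. The enclosing `if` block opens before the hunk.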