Commit 216d4c08 authored by Hans Leidekker's avatar Hans Leidekker Committed by Alexandre Julliard

wininet: Fix cookie buffer overflow.

Spotted by Yann Droneaud.
parent 572b0bab
...@@ -3124,11 +3124,11 @@ static void HTTP_InsertCookies(LPWININETHTTPREQW lpwhr) ...@@ -3124,11 +3124,11 @@ static void HTTP_InsertCookies(LPWININETHTTPREQW lpwhr)
{ {
static const WCHAR szUrlForm[] = {'h','t','t','p',':','/','/','%','s',0}; static const WCHAR szUrlForm[] = {'h','t','t','p',':','/','/','%','s',0};
LPWSTR lpszCookies, lpszUrl = NULL; LPWSTR lpszCookies, lpszUrl = NULL;
DWORD nCookieSize, len; DWORD nCookieSize, size;
LPHTTPHEADERW Host = HTTP_GetHeader(lpwhr,szHost); LPHTTPHEADERW Host = HTTP_GetHeader(lpwhr,szHost);
len = lstrlenW(Host->lpszValue) + strlenW(szUrlForm); size = (strlenW(Host->lpszValue) + strlenW(szUrlForm)) * sizeof(WCHAR);
lpszUrl = HeapAlloc(GetProcessHeap(), 0, len*sizeof(WCHAR)); if (!(lpszUrl = HeapAlloc(GetProcessHeap(), 0, size))) return;
sprintfW( lpszUrl, szUrlForm, Host->lpszValue ); sprintfW( lpszUrl, szUrlForm, Host->lpszValue );
if (InternetGetCookieW(lpszUrl, NULL, NULL, &nCookieSize)) if (InternetGetCookieW(lpszUrl, NULL, NULL, &nCookieSize))
...@@ -3137,15 +3137,16 @@ static void HTTP_InsertCookies(LPWININETHTTPREQW lpwhr) ...@@ -3137,15 +3137,16 @@ static void HTTP_InsertCookies(LPWININETHTTPREQW lpwhr)
static const WCHAR szCookie[] = {'C','o','o','k','i','e',':',' ',0}; static const WCHAR szCookie[] = {'C','o','o','k','i','e',':',' ',0};
static const WCHAR szcrlf[] = {'\r','\n',0}; static const WCHAR szcrlf[] = {'\r','\n',0};
lpszCookies = HeapAlloc(GetProcessHeap(), 0, (nCookieSize + 1 + 8)*sizeof(WCHAR)); size = sizeof(szCookie) + nCookieSize * sizeof(WCHAR) + sizeof(szcrlf);
if ((lpszCookies = HeapAlloc(GetProcessHeap(), 0, size)))
cnt += sprintfW(lpszCookies, szCookie); {
InternetGetCookieW(lpszUrl, NULL, lpszCookies + cnt, &nCookieSize); cnt += sprintfW(lpszCookies, szCookie);
strcatW(lpszCookies, szcrlf); InternetGetCookieW(lpszUrl, NULL, lpszCookies + cnt, &nCookieSize);
strcatW(lpszCookies, szcrlf);
HTTP_HttpAddRequestHeadersW(lpwhr, lpszCookies, strlenW(lpszCookies), HTTP_HttpAddRequestHeadersW(lpwhr, lpszCookies, strlenW(lpszCookies), HTTP_ADDREQ_FLAG_ADD);
HTTP_ADDREQ_FLAG_ADD); HeapFree(GetProcessHeap(), 0, lpszCookies);
HeapFree(GetProcessHeap(), 0, lpszCookies); }
} }
HeapFree(GetProcessHeap(), 0, lpszUrl); HeapFree(GetProcessHeap(), 0, lpszUrl);
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment