wininet: Fix potential buffer overrun in HttpQueryInfoA.

If HTTP_QUERY_CUSTOM is specified then the buffer contains a null-terminated string on input and data of length len on output. The code wasn't taking into account that the input len could be less than the length of the string and thus could result in the allocated buffer being overrun with the call to WideCharToMultiByte.

wininet: Fix potential buffer overrun in HttpQueryInfoA.
719cd82f · Rob Shearman · Alexandre Julliard · 39dce046 · 719cd82f
Commit 719cd82f authored Feb 18, 2008 by Rob Shearman Committed by Alexandre Julliard Feb 19, 2008
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 2 deletions

http.c dlls/wininet/http.c +11 -2

No files found.
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -1982,11 +1982,20 @@ BOOL WINAPI HttpQueryInfoA(HINTERNET hHttpRequest, DWORD dwInfoLevel,

    if (lpBuffer)
    {
+        DWORD alloclen;
        len = (*lpdwBufferLength)*sizeof(WCHAR);
-        bufferW = HeapAlloc( GetProcessHeap(), 0, len );
+        if ((dwInfoLevel & HTTP_QUERY_HEADER_MASK) == HTTP_QUERY_CUSTOM)
+        {
+            alloclen = MultiByteToWideChar( CP_ACP, 0, lpBuffer, -1, NULL, 0 ) * sizeof(WCHAR);
+            if (alloclen < len)
+                alloclen = len;
+        }
+        else
+            alloclen = len;
+        bufferW = HeapAlloc( GetProcessHeap(), 0, alloclen );
        /* buffer is in/out because of HTTP_QUERY_CUSTOM */
        if ((dwInfoLevel & HTTP_QUERY_HEADER_MASK) == HTTP_QUERY_CUSTOM)
-            MultiByteToWideChar(CP_ACP,0,lpBuffer,-1,bufferW,len);
+            MultiByteToWideChar( CP_ACP, 0, lpBuffer, -1, bufferW, alloclen / sizeof(WCHAR) );
    } else
    {
        bufferW = NULL;