Commit bd805297 authored by Hans Leidekker's avatar Hans Leidekker Committed by Alexandre Julliard

wininet: Add an exception handler in HttpOpenRequestA to protect against invalid…

wininet: Add an exception handler in HttpOpenRequestA to protect against invalid accept type pointers.
parent cd434dd9
......@@ -59,6 +59,7 @@
#include "internet.h"
#include "wine/debug.h"
#include "wine/exception.h"
#include "wine/unicode.h"
WINE_DEFAULT_DEBUG_CHANNEL(wininet);
......@@ -1020,12 +1021,20 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession,
types = lpszAcceptTypes;
while (*types)
{
__TRY
{
/* find out how many there are */
if (((ULONG_PTR)*types >> 16) && **types)
if (*types && **types)
{
TRACE("accept type: %s\n", debugstr_a(*types));
acceptTypesCount++;
}
}
__EXCEPT_PAGE_FAULT
{
WARN("invalid accept type pointer\n");
}
__ENDTRY;
types++;
}
szAcceptTypes = HeapAlloc(GetProcessHeap(), 0, sizeof(WCHAR *) * (acceptTypesCount+1));
......@@ -1035,20 +1044,26 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession,
types = lpszAcceptTypes;
while (*types)
{
if (((ULONG_PTR)*types >> 16) && **types)
__TRY
{
if (*types && **types)
{
len = MultiByteToWideChar(CP_ACP, 0, *types, -1, NULL, 0 );
szAcceptTypes[acceptTypesCount] = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
if (!szAcceptTypes[acceptTypesCount]) goto end;
MultiByteToWideChar(CP_ACP, 0, *types, -1, szAcceptTypes[acceptTypesCount], len);
acceptTypesCount++;
}
}
__EXCEPT_PAGE_FAULT
{
/* ignore invalid pointer */
}
__ENDTRY;
types++;
}
szAcceptTypes[acceptTypesCount] = NULL;
}
else szAcceptTypes = 0;
rc = HttpOpenRequestW(hHttpSession, szVerb, szObjectName,
szVersion, szReferrer,
......
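Review bot: The `goto end` on allocation failure in the second loop now sits inside the `__TRY` block, and Wine's exception macros do not permit leaving a `__TRY` block with `goto` or `return`, because the handler frame registered by `__TRY` is then never removed. Record the failure and jump only after the block has closed: use `if (!szAcceptTypes[acceptTypesCount]) alloc_failed = TRUE;` with the conversion and the `acceptTypesCount++` in the `else` branch, then `if (alloc_failed) goto end;` right after `__ENDTRY;`. Separately, the `*types &&` half of the new condition repeats the `while (*types)` test, and that loop condition reads the caller's array outside the guarded region, so only the string pointers are protected, not the array pointer itself. HttpOpenRequestA starts and ends outside the visible hunks, so what `end:` releases cannot be checked from here.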
......@@ -1964,7 +1964,7 @@ static void test_user_agent_header(void)
static void test_bogus_accept_types_array(void)
{
HINTERNET ses, con, req;
static const char *types[] = { (const char *)6240, "*/*", "%p", "", "*/*", NULL };
static const char *types[] = { (const char *)6240, "*/*", "%p", "", (const char *)0xffffffff, "*/*", NULL };
DWORD size;
char buffer[32];
BOOL ret;
......
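Review bot: The two integer-cast entries in `types` carry no comment saying which failure each one stands for, and `(const char *)0xffffffff` is only a guaranteed-invalid address on a 32-bit build. On a 64-bit build it is an ordinary user-space address that is presumably unmapped but not certain to fault. A comment above the array such as `/* 6240: low address with no mapping; 0xffffffff: high address expected to fault and be skipped */` would record the intent. If the test also runs on 64-bit, consider deriving the value from the pointer width, e.g. `(const char *)~(ULONG_PTR)0`, after confirming that it is reported as a page fault there. The body of test_bogus_accept_types_array continues past the visible lines.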