Hans Leidekker : wininet: Deal with bogus accept types array passed into HttpOpenRequestA.
Alexandre Julliard
julliard at winehq.org
Wed May 7 13:28:10 CDT 2008
Module: wine
Branch: master
Commit: 493b6915caf78f180dfa244ab8a27f17be724c90
URL: http://source.winehq.org/git/wine.git/?a=commit;h=493b6915caf78f180dfa244ab8a27f17be724c90
Author: Hans Leidekker <hans at it.vu.nl>
Date: Wed May 7 13:19:37 2008 +0200
wininet: Deal with bogus accept types array passed into HttpOpenRequestA.
---
dlls/wininet/http.c | 44 +++++++++++++++++++++++++++++---------------
dlls/wininet/tests/http.c | 26 ++++++++++++++++++++++++++
2 files changed, 55 insertions(+), 15 deletions(-)
diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c
index 7f336f4..3cafcae 100644
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -964,9 +964,10 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession,
{
LPWSTR szVerb = NULL, szObjectName = NULL;
LPWSTR szVersion = NULL, szReferrer = NULL, *szAcceptTypes = NULL;
- INT len;
- INT acceptTypesCount;
+ INT len, acceptTypesCount;
HINTERNET rc = FALSE;
+ LPCSTR *types;
+
TRACE("(%p, %s, %s, %s, %s, %p, %08x, %08lx)\n", hHttpSession,
debugstr_a(lpszVerb), debugstr_a(lpszObjectName),
debugstr_a(lpszVersion), debugstr_a(lpszReferrer), lpszAcceptTypes,
@@ -1008,24 +1009,37 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession,
MultiByteToWideChar(CP_ACP, 0, lpszReferrer, -1, szReferrer, len );
}
- acceptTypesCount = 0;
if (lpszAcceptTypes)
{
- /* find out how many there are */
- while (lpszAcceptTypes[acceptTypesCount] && *lpszAcceptTypes[acceptTypesCount])
- acceptTypesCount++;
+ acceptTypesCount = 0;
+ types = lpszAcceptTypes;
+ while (*types)
+ {
+ /* find out how many there are */
+ if (((ULONG_PTR)*types >> 16) && **types)
+ {
+ TRACE("accept type: %s\n", debugstr_a(*types));
+ acceptTypesCount++;
+ }
+ types++;
+ }
szAcceptTypes = HeapAlloc(GetProcessHeap(), 0, sizeof(WCHAR *) * (acceptTypesCount+1));
+ if (!szAcceptTypes) goto end;
+
acceptTypesCount = 0;
- while (lpszAcceptTypes[acceptTypesCount] && *lpszAcceptTypes[acceptTypesCount])
+ types = lpszAcceptTypes;
+ while (*types)
{
- len = MultiByteToWideChar(CP_ACP, 0, lpszAcceptTypes[acceptTypesCount],
- -1, NULL, 0 );
- szAcceptTypes[acceptTypesCount] = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
- if (!szAcceptTypes[acceptTypesCount] )
- goto end;
- MultiByteToWideChar(CP_ACP, 0, lpszAcceptTypes[acceptTypesCount],
- -1, szAcceptTypes[acceptTypesCount], len );
- acceptTypesCount++;
+ if (((ULONG_PTR)*types >> 16) && **types)
+ {
+ len = MultiByteToWideChar(CP_ACP, 0, *types, -1, NULL, 0 );
+ szAcceptTypes[acceptTypesCount] = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
+ if (!szAcceptTypes[acceptTypesCount]) goto end;
+
+ MultiByteToWideChar(CP_ACP, 0, *types, -1, szAcceptTypes[acceptTypesCount], len);
+ acceptTypesCount++;
+ }
+ types++;
}
szAcceptTypes[acceptTypesCount] = NULL;
}
diff --git a/dlls/wininet/tests/http.c b/dlls/wininet/tests/http.c
index f1a67ca..705fcac 100644
--- a/dlls/wininet/tests/http.c
+++ b/dlls/wininet/tests/http.c
@@ -1746,6 +1746,31 @@ static void test_user_agent_header(void)
InternetCloseHandle(ses);
}
+static void test_bogus_accept_types_array(void)
+{
+ HINTERNET ses, con, req;
+ static const char *types[] = { (const char *)6240, "*/*", "%p", "", "*/*", NULL };
+ DWORD size;
+ char buffer[32];
+ BOOL ret;
+
+ ses = InternetOpen("MERONG(0.9/;p)", INTERNET_OPEN_TYPE_DIRECT, "", "", 0);
+ con = InternetConnect(ses, "www.winehq.org", 80, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
+ req = HttpOpenRequest(con, "POST", "/post/post_action.php", "HTTP/1.0", "", types, INTERNET_FLAG_FORMS_SUBMIT, 0);
+
+ ok(req != NULL, "HttpOpenRequest failed: %u\n", GetLastError());
+
+ buffer[0] = 0;
+ size = sizeof(buffer);
+ ret = HttpQueryInfo(req, HTTP_QUERY_ACCEPT | HTTP_QUERY_FLAG_REQUEST_HEADERS, buffer, &size, NULL);
+ ok(ret, "HttpQueryInfo failed: %u\n", GetLastError());
+ ok(!strcmp(buffer, "*/*, %p, */*"), "got '%s' expected '*/*, %%p, */*'\n", buffer);
+
+ InternetCloseHandle(req);
+ InternetCloseHandle(con);
+ InternetCloseHandle(ses);
+}
+
#define STATUS_STRING(status) \
memcpy(status_string[status], #status, sizeof(CHAR) * \
(strlen(#status) < MAX_STATUS_NAME ? \
@@ -1821,4 +1846,5 @@ START_TEST(http)
HttpHeaders_test();
test_http_connection();
test_user_agent_header();
+ test_bogus_accept_types_array();
}
More information about the wine-cvs
mailing list