Hans Leidekker : wininet: Deal with bogus accept types array passed into HttpOpenRequestA.

Wed May 7 13:28:10 CDT 2008

Module: wine
Branch: master
Commit: 493b6915caf78f180dfa244ab8a27f17be724c90
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=493b6915caf78f180dfa244ab8a27f17be724c90

Author: Hans Leidekker <hans at it.vu.nl>
Date:   Wed May  7 13:19:37 2008 +0200

wininet: Deal with bogus accept types array passed into HttpOpenRequestA.

---

 dlls/wininet/http.c       |   44 +++++++++++++++++++++++++++++---------------
 dlls/wininet/tests/http.c |   26 ++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 15 deletions(-)

diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c
index 7f336f4..3cafcae 100644
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -964,9 +964,10 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession,
 {
     LPWSTR szVerb = NULL, szObjectName = NULL;
     LPWSTR szVersion = NULL, szReferrer = NULL, *szAcceptTypes = NULL;
-    INT len;
-    INT acceptTypesCount;
+    INT len, acceptTypesCount;
     HINTERNET rc = FALSE;
+    LPCSTR *types;
+
     TRACE("(%p, %s, %s, %s, %s, %p, %08x, %08lx)\n", hHttpSession,
           debugstr_a(lpszVerb), debugstr_a(lpszObjectName),
           debugstr_a(lpszVersion), debugstr_a(lpszReferrer), lpszAcceptTypes,
@@ -1008,24 +1009,37 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession,
         MultiByteToWideChar(CP_ACP, 0, lpszReferrer, -1, szReferrer, len );
     }
 
-    acceptTypesCount = 0;
     if (lpszAcceptTypes)
     {
-        /* find out how many there are */
-        while (lpszAcceptTypes[acceptTypesCount] && *lpszAcceptTypes[acceptTypesCount])
-            acceptTypesCount++;
+        acceptTypesCount = 0;
+        types = lpszAcceptTypes;
+        while (*types)
+        {
+            /* find out how many there are */
+            if (((ULONG_PTR)*types >> 16) && **types)
+            {
+                TRACE("accept type: %s\n", debugstr_a(*types));
+                acceptTypesCount++;
+            }
+            types++;
+        }
         szAcceptTypes = HeapAlloc(GetProcessHeap(), 0, sizeof(WCHAR *) * (acceptTypesCount+1));
+        if (!szAcceptTypes) goto end;
+
         acceptTypesCount = 0;
-        while (lpszAcceptTypes[acceptTypesCount] && *lpszAcceptTypes[acceptTypesCount])
+        types = lpszAcceptTypes;
+        while (*types)
         {
-            len = MultiByteToWideChar(CP_ACP, 0, lpszAcceptTypes[acceptTypesCount],
-                                -1, NULL, 0 );
-            szAcceptTypes[acceptTypesCount] = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
-            if (!szAcceptTypes[acceptTypesCount] )
-                goto end;
-            MultiByteToWideChar(CP_ACP, 0, lpszAcceptTypes[acceptTypesCount],
-                                -1, szAcceptTypes[acceptTypesCount], len );
-            acceptTypesCount++;
+            if (((ULONG_PTR)*types >> 16) && **types)
+            {
+                len = MultiByteToWideChar(CP_ACP, 0, *types, -1, NULL, 0 );
+                szAcceptTypes[acceptTypesCount] = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
+                if (!szAcceptTypes[acceptTypesCount]) goto end;
+
+                MultiByteToWideChar(CP_ACP, 0, *types, -1, szAcceptTypes[acceptTypesCount], len);
+                acceptTypesCount++;
+            }
+            types++;
         }
         szAcceptTypes[acceptTypesCount] = NULL;
     }
diff --git a/dlls/wininet/tests/http.c b/dlls/wininet/tests/http.c
index f1a67ca..705fcac 100644
--- a/dlls/wininet/tests/http.c
+++ b/dlls/wininet/tests/http.c
@@ -1746,6 +1746,31 @@ static void test_user_agent_header(void)
     InternetCloseHandle(ses);
 }
 
+static void test_bogus_accept_types_array(void)
+{
+    HINTERNET ses, con, req;
+    static const char *types[] = { (const char *)6240, "*/*", "%p", "", "*/*", NULL };
+    DWORD size;
+    char buffer[32];
+    BOOL ret;
+
+    ses = InternetOpen("MERONG(0.9/;p)", INTERNET_OPEN_TYPE_DIRECT, "", "", 0);
+    con = InternetConnect(ses, "www.winehq.org", 80, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
+    req = HttpOpenRequest(con, "POST", "/post/post_action.php", "HTTP/1.0", "", types, INTERNET_FLAG_FORMS_SUBMIT, 0);
+
+    ok(req != NULL, "HttpOpenRequest failed: %u\n", GetLastError());
+
+    buffer[0] = 0;
+    size = sizeof(buffer);
+    ret = HttpQueryInfo(req, HTTP_QUERY_ACCEPT | HTTP_QUERY_FLAG_REQUEST_HEADERS, buffer, &size, NULL);
+    ok(ret, "HttpQueryInfo failed: %u\n", GetLastError());
+    ok(!strcmp(buffer, "*/*, %p, */*"), "got '%s' expected '*/*, %%p, */*'\n", buffer);
+
+    InternetCloseHandle(req);
+    InternetCloseHandle(con);
+    InternetCloseHandle(ses);
+}
+
 #define STATUS_STRING(status) \
     memcpy(status_string[status], #status, sizeof(CHAR) * \
            (strlen(#status) < MAX_STATUS_NAME ? \
@@ -1821,4 +1846,5 @@ START_TEST(http)
     HttpHeaders_test();
     test_http_connection();
     test_user_agent_header();
+    test_bogus_accept_types_array();
 }


