[PATCH] mshtml: Make sure actual host length matches returned BSTR length
Nikolay Sivov
nsivov at codeweavers.com
Tue Nov 21 14:17:44 CST 2017
The issue our jscript gets confused by embedded NULs, something like
---
var a = "prefix://" + document.location.host + "suffix";
---
can give "prefix://host:80\0\0\0suffix".
Signed-off-by: Nikolay Sivov <nsivov at codeweavers.com>
---
dlls/mshtml/htmllocation.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/dlls/mshtml/htmllocation.c b/dlls/mshtml/htmllocation.c
index de66ff5670..59b20f614d 100644
--- a/dlls/mshtml/htmllocation.c
+++ b/dlls/mshtml/htmllocation.c
@@ -351,13 +351,16 @@ static HRESULT WINAPI HTMLLocation_get_host(IHTMLLocation *iface, BSTR *p)
if(url.nPort) {
/* <hostname>:<port> */
const WCHAR format[] = {'%','u',0};
- DWORD len = url.dwHostNameLength + 1 + 5;
+ DWORD len, port_len;
+ WCHAR portW[6];
WCHAR *buf;
+ port_len = snprintfW(portW, sizeof(portW)/sizeof(portW[0]), format, url.nPort);
+ len = url.dwHostNameLength + 1 /* ':' */ + port_len;
buf = *p = SysAllocStringLen(NULL, len);
memcpy(buf, url.lpszHostName, url.dwHostNameLength * sizeof(WCHAR));
buf[url.dwHostNameLength] = ':';
- snprintfW(buf + url.dwHostNameLength + 1, 6, format, url.nPort);
+ memcpy(buf + url.dwHostNameLength + 1, portW, port_len * sizeof(WCHAR));
}else
*p = SysAllocStringLen(url.lpszHostName, url.dwHostNameLength);
--
2.15.0
More information about the wine-devel
mailing list