[PATCH] wininet: Fixed memory corruption in urlcache
Marcus Meissner
marcus at jet.franken.de
Sun Apr 5 06:55:21 CDT 2009
Hi,
Was triggering testfailures in cryptnet. The length
calculation uses wide character count instead of bytes
in one place.
ciao, Marcus
---
dlls/wininet/urlcache.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/dlls/wininet/urlcache.c b/dlls/wininet/urlcache.c
index 3025fa1..921bde5 100644
--- a/dlls/wininet/urlcache.c
+++ b/dlls/wininet/urlcache.c
@@ -995,11 +995,13 @@ static DWORD URLCache_CopyEntry(
/* FIXME: is source url optional? */
if (*lpdwBufferSize >= dwRequiredSize)
{
- lpCacheEntryInfo->lpszSourceUrlName = (LPSTR)lpCacheEntryInfo + dwRequiredSize - lenUrl - 1;
+ DWORD lenUrlBytes = (lenUrl+1) * (bUnicode ? sizeof(WCHAR) : sizeof(CHAR));
+
+ lpCacheEntryInfo->lpszSourceUrlName = (LPSTR)lpCacheEntryInfo + dwRequiredSize - lenUrlBytes;
if (bUnicode)
MultiByteToWideChar(CP_ACP, 0, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, -1, (LPWSTR)lpCacheEntryInfo->lpszSourceUrlName, lenUrl + 1);
else
- memcpy(lpCacheEntryInfo->lpszSourceUrlName, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, (lenUrl + 1) * sizeof(CHAR));
+ memcpy(lpCacheEntryInfo->lpszSourceUrlName, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, lenUrlBytes);
}
if ((dwRequiredSize % 4) && (dwRequiredSize < *lpdwBufferSize))
--
1.5.6
More information about the wine-patches
mailing list