[ros-diffs] [cwittich] 40398: wininet: Fixed memory corruption in urlcache. Author: Marcus Meissner <marcus at jet.franken.de> Date: Sun Apr 5 13:55:21 2009 +0200

Author: cwittich Date: Mon Apr 6 19:42:28 2009 New Revision: 40398 URL: http://svn.reactos.org/svn/reactos?rev=40398&view=rev Log: wininet: Fixed memory corruption in urlcache. Author: Marcus Meissner <marcus at jet.franken.de> Date: Sun Apr 5 13:55:21 2009 +0200 Modified: trunk/reactos/dll/win32/wininet/urlcache.c Modified: trunk/reactos/dll/win32/wininet/urlcache.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/wininet/urlcache… ============================================================================== --- trunk/reactos/dll/win32/wininet/urlcache.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/wininet/urlcache.c [iso-8859-1] Mon Apr 6 19:42:28 2009 @@ -980,11 +980,13 @@ /* FIXME: is source url optional? */ if (*lpdwBufferSize >= dwRequiredSize) { - lpCacheEntryInfo->lpszSourceUrlName = (LPSTR)lpCacheEntryInfo + dwRequiredSize - lenUrl - 1; - if (bUnicode) - MultiByteToWideChar(CP_ACP, 0, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, -1, (LPWSTR)lpCacheEntryInfo->lpszSourceUrlName, lenUrl + 1); - else - memcpy(lpCacheEntryInfo->lpszSourceUrlName, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, (lenUrl + 1) * sizeof(CHAR)); + DWORD lenUrlBytes = (lenUrl+1) * (bUnicode ? sizeof(WCHAR) : sizeof(CHAR)); + + lpCacheEntryInfo->lpszSourceUrlName = (LPSTR)lpCacheEntryInfo + dwRequiredSize - lenUrlBytes; + if (bUnicode) + MultiByteToWideChar(CP_ACP, 0, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, -1, (LPWSTR)lpCacheEntryInfo->lpszSourceUrlName, lenUrl + 1); + else + memcpy(lpCacheEntryInfo->lpszSourceUrlName, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, lenUrlBytes); } if ((dwRequiredSize % 4) && (dwRequiredSize < *lpdwBufferSize))