Author: tfaber Date: Mon Oct 5 09:17:21 2015 New Revision: 69455 URL: http://svn.reactos.org/svn/reactos?rev=69455&view=rev Log: [RAPPS] - Fix buffer overflow when displaying the URL in download dialog Modified: trunk/reactos/base/applications/rapps/loaddlg.c Modified: trunk/reactos/base/applications/rapps/loaddlg.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/applications/rapps/lo… ============================================================================== --- trunk/reactos/base/applications/rapps/loaddlg.c [iso-8859-1] (original) +++ trunk/reactos/base/applications/rapps/loaddlg.c [iso-8859-1] Mon Oct 5 09:17:21 2015 @@ -143,27 +143,28 @@ Item = GetDlgItem(This->hDialog, IDC_DOWNLOAD_STATUS); if (Item && szStatusText && wcslen(szStatusText) > 0 && This->UrlHasBeenCopied == FALSE) { - DWORD len = wcslen(szStatusText) * sizeof(WCHAR); - PWSTR buf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, len); + DWORD len = wcslen(szStatusText) + 1; + PWSTR buf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, len * sizeof(WCHAR)); if (buf) { /* beautify our url for display purposes */ InternetCanonicalizeUrl(szStatusText, buf, &len, ICU_DECODE | ICU_NO_ENCODE); - - /* paste it into our dialog, free the temp buffer - and don't do it again in this instance */ - SendMessageW(Item, WM_SETTEXT, 0, (LPARAM)buf); + } + else + { + /* just use the original */ + buf = (PWSTR)szStatusText; + } + + /* paste it into our dialog and don't do it again in this instance */ + SendMessageW(Item, WM_SETTEXT, 0, (LPARAM)buf); + This->UrlHasBeenCopied = TRUE; + + if (buf != szStatusText) + { HeapFree(GetProcessHeap(), 0, buf); } - else - { - /* our computer is old and rusty and does not have enough ram for this, - use the ugly version and call it a day */ - SendMessageW(Item, WM_SETTEXT, 0, (LPARAM)szStatusText); - } - - This->UrlHasBeenCopied = TRUE; } SetLastError(0);