[0.4.8][MSXML3] Fix buffer overflow in BindStatusCallback_GetBindInfo. CORE-14570
author Joachim Henze <Joachim.Henze@reactos.org>
Tue, 4 Oct 2022 19:00:28 +0000 (21:00 +0200)
committer Joachim Henze <Joachim.Henze@reactos.org>
Tue, 4 Oct 2022 19:00:28 +0000 (21:00 +0200)
On testbots for test "msxml3 : httpreq" we could observe with DPH enabled:
*** Assertion failed: LastEntry->Size != 0
***   Source File: /srv/buildbot/Build_GCCLin_x86/build/sdk/lib/rtl/heap.c, line 675

Fix picked from 0.4.9-dev-756-g 708d26acf396d81fa475f3ce7b70d3346279b133

The fix was also sent to Wine:
https://source.winehq.org/git/wine.git/commit/a64403904dfc50ed81c1a724f9a322e5ae4a025b

dll/win32/msxml3/httprequest.c

index 56bc51a..f17148d 100644 (file)
@@ -373,7 +373,7 @@ static HRESULT WINAPI BindStatusCallback_GetBindInfo(IBindStatusCallback *iface,
     pbindinfo->dwBindVerb = This->request->verb;
     if (This->request->verb == BINDVERB_CUSTOM)
     {
-        pbindinfo->szCustomVerb = CoTaskMemAlloc(SysStringByteLen(This->request->custom));
+        pbindinfo->szCustomVerb = CoTaskMemAlloc(SysStringByteLen(This->request->custom)+sizeof(WCHAR));
         strcpyW(pbindinfo->szCustomVerb, This->request->custom);
     }
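Review bot: The CoTaskMemAlloc result on the changed line is still passed straight to strcpyW without a NULL check, so an allocation failure in the BINDVERB_CUSTOM branch turns into a write through a NULL pointer. Test pbindinfo->szCustomVerb and return E_OUTOFMEMORY before copying. The size correction itself is sound: SysStringByteLen reports the byte length without the terminating null, while strcpyW also writes that terminator, which is the two-byte overrun the extra sizeof(WCHAR) covers. Since the byte length is already computed, copying with memcpy for that length plus the terminator would keep the allocation size and the copy size tied to the same expression and make a future mismatch easier to spot.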