From 85e9e21929745269685d523421378239b1f3a7ea Mon Sep 17 00:00:00 2001
From: Hans Leidekker <hans@codeweavers.com>
Date: Tue, 27 Sep 2011 11:40:33 +0200
Subject: [PATCH] wininet: Ignore the accept types array in HttpOpenRequestA if
 there are invalid pointers.

---
 dlls/wininet/http.c       | 117 +++++++++++++++++++-------------------
 dlls/wininet/tests/http.c |  13 +++--
 2 files changed, 66 insertions(+), 64 deletions(-)

diff --git a/dlls/wininet/http.c b/dlls/wininet/http.c
index 772aba6126c..50630ba8dbf 100644
--- a/dlls/wininet/http.c
+++ b/dlls/wininet/http.c
@@ -1347,6 +1347,60 @@ BOOL WINAPI HttpAddRequestHeadersA(HINTERNET hHttpRequest,
     return r;
 }
 
+static void free_accept_types( WCHAR **accept_types )
+{
+    WCHAR *ptr, **types = accept_types;
+
+    if (!types) return;
+    while ((ptr = *types))
+    {
+        heap_free( ptr );
+        types++;
+    }
+    heap_free( accept_types );
+}
+
+static WCHAR **convert_accept_types( const char **accept_types )
+{
+    unsigned int count;
+    const char **types = accept_types;
+    WCHAR **typesW;
+    BOOL invalid_pointer = FALSE;
+
+    if (!types) return NULL;
+    count = 0;
+    while (*types)
+    {
+        __TRY
+        {
+            /* find out how many there are */
+            if (*types && **types)
+            {
+                TRACE("accept type: %s\n", debugstr_a(*types));
+                count++;
+            }
+        }
+        __EXCEPT_PAGE_FAULT
+        {
+            WARN("invalid accept type pointer\n");
+            invalid_pointer = TRUE;
+        }
+        __ENDTRY;
+        types++;
+    }
+    if (invalid_pointer) return NULL;
+    if (!(typesW = heap_alloc( sizeof(WCHAR *) * (count + 1) ))) return NULL;
+    count = 0;
+    types = accept_types;
+    while (*types)
+    {
+        if (*types && **types) typesW[count++] = heap_strdupAtoW( *types );
+        types++;
+    }
+    typesW[count] = NULL;
+    return typesW;
+}
+
 /***********************************************************************
  *           HttpOpenRequestA (WININET.@)
  *
@@ -1364,9 +1418,7 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession,
 {
     LPWSTR szVerb = NULL, szObjectName = NULL;
     LPWSTR szVersion = NULL, szReferrer = NULL, *szAcceptTypes = NULL;
-    INT acceptTypesCount;
     HINTERNET rc = FALSE;
-    LPCSTR *types;
 
     TRACE("(%p, %s, %s, %s, %s, %p, %08x, %08lx)\n", hHttpSession,
           debugstr_a(lpszVerb), debugstr_a(lpszObjectName),
@@ -1401,65 +1453,12 @@ HINTERNET WINAPI HttpOpenRequestA(HINTERNET hHttpSession,
             goto end;
     }
 
-    if (lpszAcceptTypes)
-    {
-        acceptTypesCount = 0;
-        types = lpszAcceptTypes;
-        while (*types)
-        {
-            __TRY
-            {
-                /* find out how many there are */
-                if (*types && **types)
-                {
-                    TRACE("accept type: %s\n", debugstr_a(*types));
-                    acceptTypesCount++;
-                }
-            }
-            __EXCEPT_PAGE_FAULT
-            {
-                WARN("invalid accept type pointer\n");
-            }
-            __ENDTRY;
-            types++;
-        }
-        szAcceptTypes = heap_alloc(sizeof(WCHAR *) * (acceptTypesCount+1));
-        if (!szAcceptTypes) goto end;
-
-        acceptTypesCount = 0;
-        types = lpszAcceptTypes;
-        while (*types)
-        {
-            __TRY
-            {
-                if (*types && **types)
-                    szAcceptTypes[acceptTypesCount++] = heap_strdupAtoW(*types);
-            }
-            __EXCEPT_PAGE_FAULT
-            {
-                /* ignore invalid pointer */
-            }
-            __ENDTRY;
-            types++;
-        }
-        szAcceptTypes[acceptTypesCount] = NULL;
-    }
-
-    rc = HttpOpenRequestW(hHttpSession, szVerb, szObjectName,
-                          szVersion, szReferrer,
-                          (LPCWSTR*)szAcceptTypes, dwFlags, dwContext);
+    szAcceptTypes = convert_accept_types( lpszAcceptTypes );
+    rc = HttpOpenRequestW(hHttpSession, szVerb, szObjectName, szVersion, szReferrer,
+                          (const WCHAR **)szAcceptTypes, dwFlags, dwContext);
 
 end:
-    if (szAcceptTypes)
-    {
-        acceptTypesCount = 0;
-        while (szAcceptTypes[acceptTypesCount])
-        {
-            heap_free(szAcceptTypes[acceptTypesCount]);
-            acceptTypesCount++;
-        }
-        heap_free(szAcceptTypes);
-    }
+    free_accept_types(szAcceptTypes);
     heap_free(szReferrer);
     heap_free(szVersion);
     heap_free(szObjectName);
diff --git a/dlls/wininet/tests/http.c b/dlls/wininet/tests/http.c
index f3e85cb3da7..881f1e62540 100644
--- a/dlls/wininet/tests/http.c
+++ b/dlls/wininet/tests/http.c
@@ -3085,7 +3085,7 @@ static void test_bogus_accept_types_array(void)
 {
     HINTERNET ses, con, req;
     static const char *types[] = { (const char *)6240, "*/*", "%p", "", (const char *)0xffffffff, "*/*", NULL };
-    DWORD size;
+    DWORD size, error;
     char buffer[32];
     BOOL ret;
 
@@ -3097,11 +3097,14 @@ static void test_bogus_accept_types_array(void)
 
     buffer[0] = 0;
     size = sizeof(buffer);
+    SetLastError(0xdeadbeef);
     ret = HttpQueryInfo(req, HTTP_QUERY_ACCEPT | HTTP_QUERY_FLAG_REQUEST_HEADERS, buffer, &size, NULL);
-    ok(ret, "HttpQueryInfo failed: %u\n", GetLastError());
-    ok(!strcmp(buffer, ", */*, %p, , , */*") || /* IE6 */
-       !strcmp(buffer, "*/*, %p, */*"),
-       "got '%s' expected '*/*, %%p, */*' or ', */*, %%p, , , */*'\n", buffer);
+    error = GetLastError();
+    ok(!ret || broken(ret), "HttpQueryInfo succeeded\n");
+    if (!ret) ok(error == ERROR_HTTP_HEADER_NOT_FOUND, "expected ERROR_HTTP_HEADER_NOT_FOUND, got %u\n", error);
+    ok(broken(!strcmp(buffer, ", */*, %p, , , */*")) /* IE6 */ ||
+       broken(!strcmp(buffer, "*/*, %p, */*")) /* IE7/8 */ ||
+       !strcmp(buffer, ""), "got '%s' expected ''\n", buffer);
 
     InternetCloseHandle(req);
     InternetCloseHandle(con);