UrlUnescape buffer overflow with URL_DONT_UNESCAPE_EXTRA_INFO flag

Posted by Trips (Well-known member, joined Aug 7, 2010)
I am using the ShlwAPI function UrlUnescape with the URL_DONT_UNESCAPE_EXTRA_INFO flag. However, I noticed that there is a buffer overflow when the input URL size is larger than 260. The MSDN states that "Input strings cannot be longer than INTERNET_MAX_URL_LENGTH", which for sure isn't the case here. This was noticed when I attached Application Verifier to the application.
The following is a sample demonstrating this:

[code]
#include <windows.h>
#include <shlwapi.h>
#pragma comment(lib, "shlwapi.lib") // UrlUnescape lives in shlwapi.dll

int main()
{
    // 259 characters (260 with the terminator); one character shorter does not trigger the verifier stop
    char url[]="http://www.adultdvdtalk.com/enter.asp?"
               "r=%2Fenter%2Easp%3Fr%3D%252Fenter%252Easp"
               "%253Fr%253D%25252Fenter%25252Easp"
               "%25253Fr%25253D%2525252Fenter%2525252Easp"
               "%2525253Fr%2525253D%252525252Fenter"
               "%252525252Easp%252525253Fr%252525253D"
               "%25252525252Fenter%25252525252Easp";

    char url_unes[1025];
    DWORD size=1024; // capacity of url_unes in characters, far larger than the input
    // Application Verifier reports the heap corruption at this call
    UrlUnescape(url, url_unes, &size, URL_DONT_UNESCAPE_EXTRA_INFO);

    return 0;
}
[/code]

The following is the output produced by the application verifier:

===========================================================
VERIFIER STOP 0000000F: pid 0xD98: corrupted suffix pattern

        00151000 : Heap handle
        0025CA38 : Heap block
        00000104 : Block size
        0025CB3C : corruption address
===========================================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
===========================================================

Application verifier has triggered a breakpoint in Test.exe.

----------------------------------------------
Note that if one reduces the URL by only one character, Application Verifier is not triggered. The URL size is 259 (or 260 with the null terminator). Also note that this also happens if one uses the UrlUnescapeW function. Another interesting thing to point out is that this does not happen if URL_DONT_UNESCAPE_EXTRA_INFO is not used, i.e. zero is passed as the flags parameter.

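The following is an added example, not code from the post above and not ShlwAPI's own implementation. It shows what a caller can do until the library behaviour is understood: a portable, bounds-checked percent-decoder with the same in/out size contract as UrlUnescape, which (when asked to) leaves the first '#' or '?' and everything after it untouched, the documented meaning of URL_DONT_UNESCAPE_EXTRA_INFO; and a guard that keeps inputs at or above the post's observed 259-character trigger length away from the real API. The post's own 259-character URL is embedded as the sample input. The names url_unescape_bounded, url_unescape_guarded and OBSERVED_OVERFLOW_LEN are hypothetical, the 259 cut-off is the post's observation rather than a documented limit, and the Windows branch assumes the program is linked against shlwapi.lib; off Windows only the portable decoder is compiled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
#endif

/* The 259-character input from the post, reproduced verbatim as sample data. */
static const char PAGE_URL[] =
    "http://www.adultdvdtalk.com/enter.asp?"
    "r=%2Fenter%2Easp%3Fr%3D%252Fenter%252Easp"
    "%253Fr%253D%25252Fenter%25252Easp"
    "%25253Fr%25253D%2525252Fenter%2525252Easp"
    "%2525253Fr%2525253D%252525252Fenter"
    "%252525252Easp%252525253Fr%252525253D"
    "%25252525252Fenter%25252525252Easp";

/* Assumption taken from the post: a 259-character input (260 with the
   terminator) triggered the verifier stop and one character shorter did not.
   This is an observation, not a documented limit of the API. */
#define OBSERVED_OVERFLOW_LEN 259

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Portable, bounds-checked percent-decoder (hypothetical helper, not ShlwAPI).
   On entry *cch is the capacity of out in bytes including the terminator; on
   success it becomes the number of bytes written, excluding the terminator.
   With keep_extra_info set, the first '#' or '?' and everything after it are
   copied verbatim. Returns 0 on success, 1 if out is too small, in which case
   *cch holds the required capacity and out is truncated but terminated. */
int url_unescape_bounded(const char *url, char *out, size_t *cch, bool keep_extra_info)
{
    size_t cap = *cch;   /* bytes available in out, including the terminator */
    size_t n = 0;        /* bytes produced so far, excluding the terminator   */
    bool in_extra = false;

    for (const char *p = url; *p != '\0'; ) {
        char c;
        int hi = -1, lo = -1;
        if (keep_extra_info && !in_extra && (*p == '#' || *p == '?'))
            in_extra = true;
        /* hexval('\0') is -1, so a trailing "%" or "%X" is never read past the terminator */
        if (!in_extra && *p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
            c = (char)(hi * 16 + lo);
            p += 3;
        } else {
            c = *p++;
        }
        if (n + 1 < cap)   /* keep the last slot for the terminator, never write past cap */
            out[n] = c;
        n++;
    }
    if (n + 1 > cap) {
        if (cap > 0) out[cap - 1] = '\0';
        *cch = n + 1;
        return 1;
    }
    out[n] = '\0';
    *cch = n;
    return 0;
}

/* Hypothetical caller-side guard: strings at or beyond the observed trigger
   length never reach UrlUnescapeA and are decoded portably instead. Off
   Windows the portable decoder is always used. */
int url_unescape_guarded(const char *url, char *out, size_t *cch, bool keep_extra_info)
{
#ifdef _WIN32
    if (strlen(url) < OBSERVED_OVERFLOW_LEN) {
        DWORD n = (DWORD)*cch;
        HRESULT hr = UrlUnescapeA((PSTR)url, out, &n,
                                  keep_extra_info ? URL_DONT_UNESCAPE_EXTRA_INFO : 0);
        *cch = n;
        return SUCCEEDED(hr) ? 0 : 1;
    }
#endif
    return url_unescape_bounded(url, out, cch, keep_extra_info);
}
```

With keep_extra_info set, the post's URL decodes to itself (its first '?' comes before any escape), so the correct output is exactly 259 bytes and fits comfortably in a 1025-byte buffer; with the flag off, one decoding pass turns the 22 percent-escapes into 22 bytes and yields 215 bytes. A buffer that is too small is reported through the return value and the required size rather than by writing past the end.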