From 9854f20f1c38644616961f6339f6ee0ebbc0d70d Mon Sep 17 00:00:00 2001
From: Christoph von Wittich <christoph_vw@reactos.org>
Date: Mon, 6 Apr 2009 15:42:28 +0000
Subject: [PATCH] wininet: Fixed memory corruption in urlcache. Author: Marcus
 Meissner <marcus at jet.franken.de> Date:   Sun Apr  5 13:55:21 2009 +0200

svn path=/trunk/; revision=40398
---
 reactos/dll/win32/wininet/urlcache.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/reactos/dll/win32/wininet/urlcache.c b/reactos/dll/win32/wininet/urlcache.c
index 75bcf342d3f..d0369289a2f 100644
--- a/reactos/dll/win32/wininet/urlcache.c
+++ b/reactos/dll/win32/wininet/urlcache.c
@@ -980,11 +980,13 @@ static BOOL URLCache_CopyEntry(
     /* FIXME: is source url optional? */
     if (*lpdwBufferSize >= dwRequiredSize)
     {
-        lpCacheEntryInfo->lpszSourceUrlName = (LPSTR)lpCacheEntryInfo + dwRequiredSize - lenUrl - 1;
-        if (bUnicode)
-            MultiByteToWideChar(CP_ACP, 0, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, -1, (LPWSTR)lpCacheEntryInfo->lpszSourceUrlName, lenUrl + 1);
-        else
-            memcpy(lpCacheEntryInfo->lpszSourceUrlName, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, (lenUrl + 1) * sizeof(CHAR));
+        DWORD lenUrlBytes = (lenUrl+1) * (bUnicode ? sizeof(WCHAR) : sizeof(CHAR));
+
+        lpCacheEntryInfo->lpszSourceUrlName = (LPSTR)lpCacheEntryInfo + dwRequiredSize - lenUrlBytes;
+         if (bUnicode)
+             MultiByteToWideChar(CP_ACP, 0, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, -1, (LPWSTR)lpCacheEntryInfo->lpszSourceUrlName, lenUrl + 1);
+         else
+            memcpy(lpCacheEntryInfo->lpszSourceUrlName, (LPSTR)pUrlEntry + pUrlEntry->dwOffsetUrl, lenUrlBytes);
     }
 
     if ((dwRequiredSize % 4) && (dwRequiredSize < *lpdwBufferSize))