这是组件代码,用于网页中,大家看有没有漏洞:
upload.h// Upload.h : Declaration of the CUpload#ifndef __UPLOAD_H_
#define __UPLOAD_H_
#include "resource.h" // main symbols/////////////////////////////////////////////////////////////////////////////
// CUpload
struct FormData{
char* name;
char* filename;
char* data;
char* longfilename;
long datalen;
FormData* Prev;
FormData* next;
};
class ATL_NO_VTABLE CUpload :
public CComObjectRootEx<CComSingleThreadModel>,
public CComCoClass<CUpload, &CLSID_Upload>,
public IDispatchImpl<IUpload, &IID_IUpload, &LIBID_QMAILLib>
{
public:
FormData* rtndata;
public:
CUpload()
{
rtndata=NULL;
}DECLARE_REGISTRY_RESOURCEID(IDR_UPLOAD)DECLARE_PROTECT_FINAL_CONSTRUCT()BEGIN_COM_MAP(CUpload)
COM_INTERFACE_ENTRY(IUpload)
COM_INTERFACE_ENTRY(IDispatch)
END_COM_MAP()// IUpload
public:
STDMETHOD(get_Bvalue)(BSTR formdata, /*[out, retval]*/ VARIANT_BOOL *pVal);
STDMETHOD(get_len)(BSTR formdata, /*[out, retval]*/ long *pVal);
STDMETHOD(DelFileAll)();
STDMETHOD(DelFile)(BSTR formdata);
STDMETHOD(SaveFile)(BSTR formdata,BSTR direc, VARIANT* filename);
STDMETHOD(get_value)(BSTR formdata, /*[out, retval]*/ VARIANT *pVal);
STDMETHOD(get_filename)(BSTR formdata, /*[out, retval]*/ BSTR *pVal);
STDMETHOD(init)(VARIANT* data);
private:
char* strfind(char* string1,char* string2,long count);
FormData* GetFormData(char* data,long datalen);
int cmpstr(char* string1,char* string2); };
#endif //__UPLOAD_H_upload.cpp#include "stdafx.h"
#include "Qmail.h"
#include "Upload.h"
/////////////////////////////////////////////////////////////////////////////
// CUpload STDMETHODIMP CUpload::init(VARIANT *data)
{
// TODO: Add your implementation code here
if(data->vt==VT_ERROR)
return S_OK;
char* data1=NULL;
SafeArrayAccessData(data->parray,(void**)&data1);
rtndata=GetFormData(data1,data->parray->cbElements);
SafeArrayUnaccessData(data->parray);
return S_OK;
}//.....
FormData* CUpload::GetFormData(char *data,long datalen)
{
long datalen1=datalen;
FormData* formdata,*formdata1,*formdata2;
formdata=new FormData;
formdata->data="";
formdata->datalen=0;
formdata->filename="";
formdata->name="";
formdata->longfilename="";
formdata->Prev=NULL;
formdata->next=NULL;
formdata1=formdata;
formdata2=formdata;
long lk=0;
char* temp8="";
char* temp7="";
char* temp6="";
if(strstr(data,"\r\n")==NULL)
return formdata;
char* temp=new char[strstr(data,"\r\n")-data+2];
memset(temp,0,strstr(data,"\r\n")-data+2);
strncpy(temp,data,strstr(data,"\r\n")-data+2);
char* temp888=new char[strstr(data,"\r\n")-data];
memset(temp888,0,strstr(data,"\r\n")-data);
strncpy(temp888,data,strstr(data,"\r\n")-data);
char* temp2=data;
while(strstr(temp2,temp)!=NULL)
{
formdata=new FormData;
formdata->datalen=0;
formdata->filename="";
formdata->name="";
formdata->data="";
formdata->longfilename="";
formdata->Prev=formdata1;
formdata->next=NULL;
char* temp3=strstr(temp2,"\r\n\r\n")+4;
long tempj=temp3-data;
datalen1=datalen-tempj;
char* temp99=strfind(temp3,temp888,datalen1);
char* temp4=new char[temp3-temp2];
memset(temp4,0,temp3-temp2);
strncpy(temp4,temp2,temp3-temp2);
char* temp5=strstr(temp4,"name=\"")+6;
if(temp5==NULL)
goto xxx;
temp6=strstr(temp5,"\"");
if(temp6==NULL)
goto xxx;
formdata->name=new char[temp6-temp5+1];
memset(formdata->name,0,temp6-temp5+1);
strncpy(formdata->name,temp5,temp6-temp5);
if(strrchr(temp6,'\\')==NULL)
goto yyy;
temp7=strrchr(temp6,'\\')+1;
temp8=strstr(temp7,"\"");
if(temp8==NULL)
goto yyy;
formdata->filename=new char[temp8-temp7+1];
memset(formdata->filename,0,temp8-temp7+1);
strncpy(formdata->filename,temp7,temp8-temp7);
yyy: if(temp99!=NULL)
{
lk=temp99-temp3-2;
if(lk>0)
{
formdata->data=new char[lk+1];
memset(formdata->data,0,lk+1);
memcpy(formdata->data,temp3,lk);
formdata->datalen=lk;
}
}
xxx:temp2=temp99;
formdata1->next=formdata;
formdata1=formdata;
}
formdata=formdata2;
return formdata;
}
//......
upload.h// Upload.h : Declaration of the CUpload#ifndef __UPLOAD_H_
#define __UPLOAD_H_
#include "resource.h" // main symbols/////////////////////////////////////////////////////////////////////////////
// CUpload
struct FormData{
char* name;
char* filename;
char* data;
char* longfilename;
long datalen;
FormData* Prev;
FormData* next;
};
class ATL_NO_VTABLE CUpload :
public CComObjectRootEx<CComSingleThreadModel>,
public CComCoClass<CUpload, &CLSID_Upload>,
public IDispatchImpl<IUpload, &IID_IUpload, &LIBID_QMAILLib>
{
public:
FormData* rtndata;
public:
CUpload()
{
rtndata=NULL;
}DECLARE_REGISTRY_RESOURCEID(IDR_UPLOAD)DECLARE_PROTECT_FINAL_CONSTRUCT()BEGIN_COM_MAP(CUpload)
COM_INTERFACE_ENTRY(IUpload)
COM_INTERFACE_ENTRY(IDispatch)
END_COM_MAP()// IUpload
public:
STDMETHOD(get_Bvalue)(BSTR formdata, /*[out, retval]*/ VARIANT_BOOL *pVal);
STDMETHOD(get_len)(BSTR formdata, /*[out, retval]*/ long *pVal);
STDMETHOD(DelFileAll)();
STDMETHOD(DelFile)(BSTR formdata);
STDMETHOD(SaveFile)(BSTR formdata,BSTR direc, VARIANT* filename);
STDMETHOD(get_value)(BSTR formdata, /*[out, retval]*/ VARIANT *pVal);
STDMETHOD(get_filename)(BSTR formdata, /*[out, retval]*/ BSTR *pVal);
STDMETHOD(init)(VARIANT* data);
private:
char* strfind(char* string1,char* string2,long count);
FormData* GetFormData(char* data,long datalen);
int cmpstr(char* string1,char* string2); };
#endif //__UPLOAD_H_upload.cpp#include "stdafx.h"
#include "Qmail.h"
#include "Upload.h"
/////////////////////////////////////////////////////////////////////////////
// CUpload STDMETHODIMP CUpload::init(VARIANT *data)
{
// TODO: Add your implementation code here
if(data->vt==VT_ERROR)
return S_OK;
char* data1=NULL;
SafeArrayAccessData(data->parray,(void**)&data1);
rtndata=GetFormData(data1,data->parray->cbElements);
SafeArrayUnaccessData(data->parray);
return S_OK;
}//.....
FormData* CUpload::GetFormData(char *data,long datalen)
{
long datalen1=datalen;
FormData* formdata,*formdata1,*formdata2;
formdata=new FormData;
formdata->data="";
formdata->datalen=0;
formdata->filename="";
formdata->name="";
formdata->longfilename="";
formdata->Prev=NULL;
formdata->next=NULL;
formdata1=formdata;
formdata2=formdata;
long lk=0;
char* temp8="";
char* temp7="";
char* temp6="";
if(strstr(data,"\r\n")==NULL)
return formdata;
char* temp=new char[strstr(data,"\r\n")-data+2];
memset(temp,0,strstr(data,"\r\n")-data+2);
strncpy(temp,data,strstr(data,"\r\n")-data+2);
char* temp888=new char[strstr(data,"\r\n")-data];
memset(temp888,0,strstr(data,"\r\n")-data);
strncpy(temp888,data,strstr(data,"\r\n")-data);
char* temp2=data;
while(strstr(temp2,temp)!=NULL)
{
formdata=new FormData;
formdata->datalen=0;
formdata->filename="";
formdata->name="";
formdata->data="";
formdata->longfilename="";
formdata->Prev=formdata1;
formdata->next=NULL;
char* temp3=strstr(temp2,"\r\n\r\n")+4;
long tempj=temp3-data;
datalen1=datalen-tempj;
char* temp99=strfind(temp3,temp888,datalen1);
char* temp4=new char[temp3-temp2];
memset(temp4,0,temp3-temp2);
strncpy(temp4,temp2,temp3-temp2);
char* temp5=strstr(temp4,"name=\"")+6;
if(temp5==NULL)
goto xxx;
temp6=strstr(temp5,"\"");
if(temp6==NULL)
goto xxx;
formdata->name=new char[temp6-temp5+1];
memset(formdata->name,0,temp6-temp5+1);
strncpy(formdata->name,temp5,temp6-temp5);
if(strrchr(temp6,'\\')==NULL)
goto yyy;
temp7=strrchr(temp6,'\\')+1;
temp8=strstr(temp7,"\"");
if(temp8==NULL)
goto yyy;
formdata->filename=new char[temp8-temp7+1];
memset(formdata->filename,0,temp8-temp7+1);
strncpy(formdata->filename,temp7,temp8-temp7);
yyy: if(temp99!=NULL)
{
lk=temp99-temp3-2;
if(lk>0)
{
formdata->data=new char[lk+1];
memset(formdata->data,0,lk+1);
memcpy(formdata->data,temp3,lk);
formdata->datalen=lk;
}
}
xxx:temp2=temp99;
formdata1->next=formdata;
formdata1=formdata;
}
formdata=formdata2;
return formdata;
}
//......
char* temp8="";
char* temp7="";
char* temp6="";
这种语句很有问题,不如改成 char * temp6=NULL;
char* temp4=new char[temp3-temp2];
语句之后应该检查申请成功与否。
而且temp3-temp2这个表达式值得怀疑,两个指针形变量的差未必等于它们所指的两个地址数值之差。这样的书写习惯太不好。程序中多次使用了new操作,却没有看见对应的delete操作,
就留下内存泄漏的隐患。