From 84d4a2b429da046b8a33bc39aa38a3b529ccc9a6 Mon Sep 17 00:00:00 2001
From: George Hazan
Date: Wed, 15 Jul 2020 17:51:53 +0300
Subject: fixes #2486 completely

---
 src/core/stdssl/src/netlibssl.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/core/stdssl/src/netlibssl.cpp b/src/core/stdssl/src/netlibssl.cpp
index 25a5e7d1df..1ed8e4fc5d 100644
--- a/src/core/stdssl/src/netlibssl.cpp
+++ b/src/core/stdssl/src/netlibssl.cpp
@@ -762,15 +762,19 @@ static void* NetlibSslUnique(SslHandle *ssl, int *cbLen)
 		return nullptr;
 	}
-	LPBYTE pBuf = LPBYTE(bindings.dwInitiatorOffset);
-	if (bindings.dwInitiatorOffset == 0) {
+	BYTE *pBuf;
+	if (!IsBadReadPtr((void*)bindings.cbInitiatorLength, sizeof(bindings)))
+		pBuf = (BYTE *)bindings.cbInitiatorLength;
+	else if(!IsBadReadPtr((void *)bindings.dwInitiatorOffset, sizeof(bindings)))
+		pBuf = (BYTE *)bindings.dwInitiatorOffset;
+	else {
 		char tmp[sizeof(bindings)*2 + 1];
 		bin2hex(&bindings, sizeof(bindings), tmp);
 		Netlib_Logf(nullptr, "Failed bindings: %s", tmp);
 		return nullptr;
 	}
-	bindings = *(SEC_CHANNEL_BINDINGS *)bindings.dwInitiatorOffset;
+	bindings = *(SEC_CHANNEL_BINDINGS *)pBuf;
 	pBuf += bindings.dwApplicationDataOffset;
 	if (memcmp(pBuf, "tls-unique:", 11)) {
 		char tmp[sizeof(bindings) * 2 + 1];
-- 
cgit v1.2.3
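Review bot: The new guard `IsBadReadPtr((void*)bindings.cbInitiatorLength, sizeof(bindings))` probes a length field as though it were a pointer, and IsBadReadPtr is documented by Microsoft as unsuitable for validating memory (it can trip guard pages and races with other threads), so a field that happens to hold a small readable value passes the probe and the copy at `bindings = *(SEC_CHANNEL_BINDINGS *)pBuf;` then reads from whatever address that value names. If these fields are the 32-bit `unsigned long`s declared in sspi.h, a 64-bit pointer cannot fit in them at all, which suggests the real layout of what the caller hands over should be established and checked explicitly rather than probed. Independently, the unchanged `pBuf += bindings.dwApplicationDataOffset;` and the following `memcmp(pBuf, "tls-unique:", 11)` are not bounded by the structure's own application-data length, so a short or malformed binding is read past its end; the minimal check is `if (bindings.cbApplicationDataLength < 11 || memcmp(pBuf, "tls-unique:", 11)) {`. NetlibSslUnique starts and ends outside the hunk. A minor style point: `else if(` lacks the space after `if` that the surrounding code uses.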