Robert Shearman : rpcrt4: Validate complex array format string.

Alexandre Julliard julliard at wine.codeweavers.com
Mon Jan 9 13:52:47 CST 2006 

Module: wine
Branch: refs/heads/master
Commit: 2e875d5d351b992ab3cab42420f2c4db69cfca00
URL:    http://source.winehq.org/git/?p=wine.git;a=commit;h=2e875d5d351b992ab3cab42420f2c4db69cfca00

Author: Robert Shearman <rob at codeweavers.com>
Date:   Mon Jan  9 17:20:19 2006 +0100

rpcrt4: Validate complex array format string.
Verify that the format string being passed into the complex array
functions is a complex array one.

---

 dlls/rpcrt4/ndr_marshall.c |   35 +++++++++++++++++++++++++++++++++++
 1 files changed, 35 insertions(+), 0 deletions(-)

diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 0df9bed..def590d 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -2098,6 +2098,13 @@ unsigned char * WINAPI NdrComplexArrayMa
 
   TRACE("(%p,%p,%p)\n", pStubMsg, pMemory, pFormat);
 
+  if (pFormat[0] != RPC_FC_BOGUS_ARRAY)
+  {
+      ERR("invalid format type %x\n", pFormat[0]);
+      RpcRaiseException(RPC_S_INTERNAL_ERROR);
+      return NULL;
+  }
+
   def = *(const WORD*)&pFormat[2];
   pFormat += 4;
 
@@ -2139,6 +2146,13 @@ unsigned char * WINAPI NdrComplexArrayUn
 
   TRACE("(%p,%p,%p,%d)\n", pStubMsg, ppMemory, pFormat, fMustAlloc);
 
+  if (pFormat[0] != RPC_FC_BOGUS_ARRAY)
+  {
+      ERR("invalid format type %x\n", pFormat[0]);
+      RpcRaiseException(RPC_S_INTERNAL_ERROR);
+      return NULL;
+  }
+
   pFormat += 4;
 
   pFormat = ReadConformance(pStubMsg, pFormat);
@@ -2180,6 +2194,13 @@ void WINAPI NdrComplexArrayBufferSize(PM
 
   TRACE("(%p,%p,%p)\n", pStubMsg, pMemory, pFormat);
 
+  if (pFormat[0] != RPC_FC_BOGUS_ARRAY)
+  {
+      ERR("invalid format type %x\n", pFormat[0]);
+      RpcRaiseException(RPC_S_INTERNAL_ERROR);
+      return;
+  }
+
   def = *(const WORD*)&pFormat[2];
   pFormat += 4;
 
@@ -2207,6 +2228,13 @@ unsigned long WINAPI NdrComplexArrayMemo
   DWORD size = 0;
   FIXME("(%p,%p): stub\n", pStubMsg, pFormat);
 
+  if (pFormat[0] != RPC_FC_BOGUS_ARRAY)
+  {
+      ERR("invalid format type %x\n", pFormat[0]);
+      RpcRaiseException(RPC_S_INTERNAL_ERROR);
+      return 0;
+  }
+
   pFormat += 4;
 
   pFormat = ReadConformance(pStubMsg, pFormat);
@@ -2229,6 +2257,13 @@ void WINAPI NdrComplexArrayFree(PMIDL_ST
 
   TRACE("(%p,%p,%p)\n", pStubMsg, pMemory, pFormat);
 
+  if (pFormat[0] != RPC_FC_BOGUS_ARRAY)
+  {
+      ERR("invalid format type %x\n", pFormat[0]);
+      RpcRaiseException(RPC_S_INTERNAL_ERROR);
+      return;
+  }
+
   def = *(const WORD*)&pFormat[2];
   pFormat += 4;

More information about the wine-cvs mailing list