Robert Shearman : rpcrt4: Raise an exception during unmarshaling if a conformant string isn't null-terminated.

Alexandre Julliard julliard at wine.codeweavers.com
Mon Jun 12 07:09:28 CDT 2006


Module: wine
Branch: refs/heads/master
Commit: cec6092aa293469f18431e2d5158b88df4b0c98a
URL:    http://source.winehq.org/git/?p=wine.git;a=commit;h=cec6092aa293469f18431e2d5158b88df4b0c98a

Author: Robert Shearman <rob at codeweavers.com>
Date:   Sat Jun 10 12:32:01 2006 +0100

rpcrt4: Raise an exception during unmarshaling if a conformant string isn't null-terminated.

---

 dlls/rpcrt4/ndr_marshall.c |   18 +++++++++++++++++-
 1 files changed, 17 insertions(+), 1 deletions(-)

diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 8fbb61f..2990f16 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -667,7 +667,7 @@ unsigned long WINAPI NdrConformantString
 unsigned char *WINAPI NdrConformantStringUnmarshall( PMIDL_STUB_MESSAGE pStubMsg,
   unsigned char** ppMemory, PFORMAT_STRING pFormat, unsigned char fMustAlloc )
 {
-  unsigned long size, esize;
+  ULONG size, esize, i;
 
   TRACE("(pStubMsg == ^%p, *pMemory == ^%p, pFormat == ^%p, fMustAlloc == %u)\n",
     pStubMsg, *ppMemory, pFormat, fMustAlloc);
@@ -687,6 +687,22 @@ unsigned char *WINAPI NdrConformantStrin
 
   size = safe_multiply(esize, pStubMsg->ActualCount);
 
+  /* strings must always have null terminating bytes */
+  if (size < esize)
+  {
+    ERR("invalid string length of %ld\n", pStubMsg->ActualCount);
+    RpcRaiseException(RPC_S_INVALID_BOUND);
+    return NULL;
+  }
+  for (i = size - esize; i < size; i++)
+    if (pStubMsg->Buffer[i] != 0)
+    {
+      ERR("string not null-terminated at byte position %ld, data is 0x%x\n",
+        i, pStubMsg->Buffer[i]);
+      RpcRaiseException(RPC_S_INVALID_BOUND);
+      return NULL;
+    }
+
   if (fMustAlloc || !*ppMemory)
     *ppMemory = NdrAllocate(pStubMsg, size);
 
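Review bot: The new terminator loop reads `pStubMsg->Buffer[size - esize]` through `pStubMsg->Buffer[size - 1]`, but nothing in this hunk checks that `size` bytes are actually present in the received buffer, and `size` is derived from `ActualCount`, which appears to come from the wire. The body of NdrConformantStringUnmarshall continues outside the hunk, so an earlier check may exist; if it does not, an oversized ActualCount makes the loop read past the end of the message before any error is raised. A guard ahead of the loop such as `if (size > (ULONG)(pStubMsg->BufferEnd - pStubMsg->Buffer)) RpcRaiseException(RPC_S_INVALID_BOUND);` would close that, assuming BufferEnd is populated on this path. Separately, `i` is a ULONG and `ActualCount` is presumably unsigned as well, so the two ERR calls should use `%lu` rather than `%ld` to avoid logging large values as negative.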



