Robert Shearman : rpcrt4:
Raise an exception during unmarshaling if a conformant string isn'
t null-terminated.
Alexandre Julliard
julliard at wine.codeweavers.com
Mon Jun 12 07:09:28 CDT 2006
Module: wine
Branch: refs/heads/master
Commit: cec6092aa293469f18431e2d5158b88df4b0c98a
URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=cec6092aa293469f18431e2d5158b88df4b0c98a
Author: Robert Shearman <rob at codeweavers.com>
Date: Sat Jun 10 12:32:01 2006 +0100
rpcrt4: Raise an exception during unmarshaling if a conformant string isn't null-terminated.
---
dlls/rpcrt4/ndr_marshall.c | 18 +++++++++++++++++-
1 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 8fbb61f..2990f16 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -667,7 +667,7 @@ unsigned long WINAPI NdrConformantString
unsigned char *WINAPI NdrConformantStringUnmarshall( PMIDL_STUB_MESSAGE pStubMsg,
unsigned char** ppMemory, PFORMAT_STRING pFormat, unsigned char fMustAlloc )
{
- unsigned long size, esize;
+ ULONG size, esize, i;
TRACE("(pStubMsg == ^%p, *pMemory == ^%p, pFormat == ^%p, fMustAlloc == %u)\n",
pStubMsg, *ppMemory, pFormat, fMustAlloc);
@@ -687,6 +687,22 @@ unsigned char *WINAPI NdrConformantStrin
size = safe_multiply(esize, pStubMsg->ActualCount);
+ /* strings must always have null terminating bytes */
+ if (size < esize)
+ {
+ ERR("invalid string length of %ld\n", pStubMsg->ActualCount);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ for (i = size - esize; i < size; i++)
+ if (pStubMsg->Buffer[i] != 0)
+ {
+ ERR("string not null-terminated at byte position %ld, data is 0x%x\n",
+ i, pStubMsg->Buffer[i]);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+
if (fMustAlloc || !*ppMemory)
*ppMemory = NdrAllocate(pStubMsg, size);
More information about the wine-cvs
mailing list