Robert Shearman : rpcrt4: Pass in a maximum variance value to ReadVariance to allow us

Alexandre Julliard julliard at wine.codeweavers.com
Mon Jun 12 07:09:33 CDT 2006


Module: wine
Branch: refs/heads/master
Commit: 8dea3c2aa866bb3f5e24d12b43712c524e8b8fa8
URL:    http://source.winehq.org/git/?p=wine.git;a=commit;h=8dea3c2aa866bb3f5e24d12b43712c524e8b8fa8

Author: Robert Shearman <rob at codeweavers.com>
Date:   Sat Jun 10 12:32:47 2006 +0100

rpcrt4: Pass in a maximum variance value to ReadVariance to allow us

to validate the variance values (offset and actual count) being read from the wire against that maximum.

---

 dlls/rpcrt4/ndr_marshall.c |   40 +++++++++++++++++++---------------------
 1 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 58bcd25..50d3871 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -332,7 +332,7 @@ static PFORMAT_STRING ReadConformance(MI
     return pFormat+4;
 }
 
-static inline PFORMAT_STRING ReadVariance(MIDL_STUB_MESSAGE *pStubMsg, PFORMAT_STRING pFormat)
+static inline PFORMAT_STRING ReadVariance(MIDL_STUB_MESSAGE *pStubMsg, PFORMAT_STRING pFormat, ULONG MaxValue)
 {
   if (pFormat && !IsConformanceOrVariancePresent(pFormat))
   {
@@ -349,6 +349,15 @@ static inline PFORMAT_STRING ReadVarianc
   pStubMsg->Buffer += 4;
   TRACE("variance is %ld\n", pStubMsg->ActualCount);
 
+  if ((pStubMsg->ActualCount > MaxValue) ||
+      (pStubMsg->ActualCount + pStubMsg->Offset > MaxValue))
+  {
+    ERR("invalid array bound(s): ActualCount = %ld, Offset = %ld, MaxValue = %ld\n",
+        pStubMsg->ActualCount, pStubMsg->Offset, MaxValue);
+    RpcRaiseException(RPC_S_INVALID_BOUND);
+    return NULL;
+  }
+
 done:
   if (pStubMsg->fHasNewCorrDesc)
     return pFormat+6;
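Review bot: The new bound check near the top of this hunk can be bypassed by an Offset that wraps the sum: `pStubMsg->ActualCount + pStubMsg->Offset` is ULONG arithmetic, so an on-wire Offset close to ULONG_MAX combined with a small ActualCount passes both comparisons, and any caller that uses Offset to position its copy into memory sized from MaxValue would then write past the end. Test the offset on its own and subtract instead of adding: `if ((pStubMsg->Offset > MaxValue) || (pStubMsg->ActualCount > MaxValue - pStubMsg->Offset))`. Offset is read earlier in ReadVariance, outside this hunk, so I am assuming it comes from the wire in the same way ActualCount does on the visible lines. The ERR message and the RPC_S_INVALID_BOUND exception can stay as they are.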
@@ -675,7 +684,7 @@ unsigned char *WINAPI NdrConformantStrin
   assert(pFormat && ppMemory && pStubMsg);
 
   ReadConformance(pStubMsg, NULL);
-  ReadVariance(pStubMsg, NULL);
+  ReadVariance(pStubMsg, NULL, pStubMsg->MaxCount);
 
   if (*pFormat == RPC_FC_C_CSTRING) esize = 1;
   else if (*pFormat == RPC_FC_C_WSTRING) esize = 2;
@@ -2365,11 +2374,12 @@ unsigned char* WINAPI NdrConformantVaryi
     }
 
     pFormat = ReadConformance(pStubMsg, pFormat+4);
-    pFormat = ReadVariance(pStubMsg, pFormat);
+    pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
 
     ALIGN_POINTER(pStubMsg->Buffer, alignment);
 
     bufsize = safe_multiply(esize, pStubMsg->ActualCount);
+    TRACE("esize = %ld, pStubMsg->MaxCount = %ld, result = %ld\n", esize, pStubMsg->MaxCount, esize * pStubMsg->MaxCount);
     memsize = safe_multiply(esize, pStubMsg->MaxCount);
 
     if (!*ppMemory || fMustAlloc)
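Review bot: The TRACE added after the `bufsize` line computes `esize * pStubMsg->MaxCount` unchecked, immediately before `safe_multiply` is used for the very same product; on the inputs safe_multiply exists to reject, the traced value silently wraps and the log would show a harmless-looking small number on exactly the overflowing request. It also reads like a leftover debugging aid rather than a permanent trace. Either drop it or trace the guarded result once it exists, e.g. `TRACE("esize = %ld, MaxCount = %ld, memsize = %ld\n", esize, pStubMsg->MaxCount, memsize);` placed after the `memsize =` line. NdrConformantVaryingArrayUnmarshall starts and ends outside this hunk.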
@@ -2525,7 +2535,7 @@ unsigned char * WINAPI NdrComplexArrayUn
   pFormat += 4;
 
   pFormat = ReadConformance(pStubMsg, pFormat);
-  pFormat = ReadVariance(pStubMsg, pFormat);
+  pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
 
   Buffer = pStubMsg->Buffer;
   esize = ComplexStructMemorySize(pStubMsg, pFormat);
@@ -2618,7 +2628,7 @@ unsigned long WINAPI NdrComplexArrayMemo
   pFormat += 4;
 
   pFormat = ReadConformance(pStubMsg, pFormat);
-  pFormat = ReadVariance(pStubMsg, pFormat);
+  pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
 
   ALIGN_POINTER(pStubMsg->Buffer, alignment);
 
@@ -3199,7 +3209,7 @@ unsigned char *  WINAPI NdrConformantVar
     memcpy(*ppMemory, pStubMsg->Buffer, pCVStructFormat->memory_size);
     pStubMsg->Buffer += pCVStructFormat->memory_size;
 
-    pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
+    pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat, pStubMsg->MaxCount);
 
     bufsize = safe_multiply(esize, pStubMsg->ActualCount);
 
@@ -3366,7 +3376,7 @@ unsigned long WINAPI NdrConformantVaryin
     TRACE("memory_size = %d\n", pCVStructFormat->memory_size);
 
     pStubMsg->Buffer += pCVStructFormat->memory_size;
-    pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
+    pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat, pStubMsg->MaxCount);
     pStubMsg->Buffer += pCVStructFormat->memory_size + safe_multiply(esize, pStubMsg->ActualCount);
 
     pStubMsg->MemorySize += pCVStructFormat->memory_size + safe_multiply(esize, pStubMsg->MaxCount);
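Review bot: `pStubMsg->Buffer` is advanced by `pCVStructFormat->memory_size` twice in this hunk, once on the line before the new ReadVariance call (so the variance is read from after the struct body) and again on the line after it, where `memory_size` is added together with the array bytes. Unless something outside the hunk compensates, the buffer pointer ends up `memory_size` bytes past the array on the wire, which would desynchronise anything unmarshalled after this struct; the Unmarshall counterpart earlier in this patch advances by `memory_size` only once, before ReadVariance. This looks pre-existing rather than introduced here, but it is worth fixing alongside: `pStubMsg->Buffer += safe_multiply(esize, pStubMsg->ActualCount);`. NdrConformantVaryingStructMemorySize's body starts and ends outside the hunk.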
@@ -3757,13 +3767,7 @@ unsigned char *  WINAPI NdrVaryingArrayU
     esize = *(const WORD*)pFormat;
     pFormat += sizeof(WORD);
 
-    pFormat = ReadVariance(pStubMsg, pFormat);
-    if ((pStubMsg->ActualCount > elements) ||
-        (pStubMsg->ActualCount + pStubMsg->Offset > elements))
-    {
-        RpcRaiseException(RPC_S_INVALID_BOUND);
-        return NULL;
-    }
+    pFormat = ReadVariance(pStubMsg, pFormat, elements);
 
     ALIGN_POINTER(pStubMsg->Buffer, alignment);
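Review bot: Moving the bound check into ReadVariance changes when it runs: the removed inline test executed on every path after ReadVariance returned, but inside ReadVariance the new check sits before the `done:` label, so the `goto done` branch taken when the format says no variance is present skips it entirely. Whether ActualCount and Offset can exceed `elements` on that branch depends on what it assigns, which is outside this hunk; if it copies MaxCount into ActualCount and MaxCount is not itself bounded by `elements` here, the copy that follows is unguarded again. Either move the check below `done:` in ReadVariance or keep a one-line guard at this call site: `if (pStubMsg->ActualCount > elements) RpcRaiseException(RPC_S_INVALID_BOUND);`. NdrVaryingArrayUnmarshall's body starts and ends outside the hunk.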
 
@@ -3877,13 +3881,7 @@ unsigned long WINAPI NdrVaryingArrayMemo
     esize = *(const WORD*)pFormat;
     pFormat += sizeof(WORD);
 
-    pFormat = ReadVariance(pStubMsg, pFormat);
-    if ((pStubMsg->ActualCount > elements) ||
-        (pStubMsg->ActualCount + pStubMsg->Offset > elements))
-    {
-        RpcRaiseException(RPC_S_INVALID_BOUND);
-        return 0;
-    }
+    pFormat = ReadVariance(pStubMsg, pFormat, elements);
 
     ALIGN_POINTER(pStubMsg->Buffer, alignment);
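Review bot: Same concern as for NdrVaryingArrayUnmarshall applies to this call: the bound against `elements` now lives before the `done:` label in ReadVariance, so it is skipped on the no-variance-present branch, whereas the removed inline check ran unconditionally. If that branch can leave ActualCount above `elements` (its assignments are outside this hunk), the MemorySize accounting that follows would accept an oversized count. A one-line guard after the call, `if (pStubMsg->ActualCount > elements) RpcRaiseException(RPC_S_INVALID_BOUND);`, restores the old behaviour; NdrVaryingArrayMemorySize's body starts and ends outside the hunk.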
 



