Robert Shearman : rpcrt4:
Pass in a maximum variance value to ReadVariance to allow us
Alexandre Julliard
julliard at wine.codeweavers.com
Mon Jun 12 07:09:33 CDT 2006
Module: wine
Branch: refs/heads/master
Commit: 8dea3c2aa866bb3f5e24d12b43712c524e8b8fa8
URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=8dea3c2aa866bb3f5e24d12b43712c524e8b8fa8
Author: Robert Shearman <rob at codeweavers.com>
Date: Sat Jun 10 12:32:47 2006 +0100
rpcrt4: Pass in a maximum variance value to ReadVariance to allow us
to validate the conformance values being read from the wire.
---
dlls/rpcrt4/ndr_marshall.c | 40 +++++++++++++++++++---------------------
1 files changed, 19 insertions(+), 21 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 58bcd25..50d3871 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -332,7 +332,7 @@ static PFORMAT_STRING ReadConformance(MI
return pFormat+4;
}
-static inline PFORMAT_STRING ReadVariance(MIDL_STUB_MESSAGE *pStubMsg, PFORMAT_STRING pFormat)
+static inline PFORMAT_STRING ReadVariance(MIDL_STUB_MESSAGE *pStubMsg, PFORMAT_STRING pFormat, ULONG MaxValue)
{
if (pFormat && !IsConformanceOrVariancePresent(pFormat))
{
@@ -349,6 +349,15 @@ static inline PFORMAT_STRING ReadVarianc
pStubMsg->Buffer += 4;
TRACE("variance is %ld\n", pStubMsg->ActualCount);
+ if ((pStubMsg->ActualCount > MaxValue) ||
+ (pStubMsg->ActualCount + pStubMsg->Offset > MaxValue))
+ {
+ ERR("invalid array bound(s): ActualCount = %ld, Offset = %ld, MaxValue = %ld\n",
+ pStubMsg->ActualCount, pStubMsg->Offset, MaxValue);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+
done:
if (pStubMsg->fHasNewCorrDesc)
return pFormat+6;
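Review bot: The second clause of the new bound check, `pStubMsg->ActualCount + pStubMsg->Offset > MaxValue`, can wrap around if both fields are 32-bit unsigned, as the `ULONG MaxValue` parameter suggests. A large Offset combined with a small ActualCount would then pass the check. Because the first clause already guarantees ActualCount <= MaxValue, the subtraction form cannot wrap: `(pStubMsg->Offset > MaxValue - pStubMsg->ActualCount)`. The ERR format also prints these apparently unsigned values with `%ld`; `%lu` would show out-of-range counts legibly. ReadVariance begins before this hunk, so the place where Offset is read is not visible here.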
@@ -675,7 +684,7 @@ unsigned char *WINAPI NdrConformantStrin
assert(pFormat && ppMemory && pStubMsg);
ReadConformance(pStubMsg, NULL);
- ReadVariance(pStubMsg, NULL);
+ ReadVariance(pStubMsg, NULL, pStubMsg->MaxCount);
if (*pFormat == RPC_FC_C_CSTRING) esize = 1;
else if (*pFormat == RPC_FC_C_WSTRING) esize = 2;
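Review bot: The bound passed here, `pStubMsg->MaxCount`, was presumably set from the wire by the `ReadConformance(pStubMsg, NULL)` call one line earlier. If so, the check only makes the variance consistent with the sender's own conformance value and does not tie either value to the size of any existing buffer. A short comment would stop a later reader from treating it as a complete bound check: `/* MaxCount is wire-supplied as well; this only enforces Offset + ActualCount <= MaxCount */`. The same applies to the other call sites in this commit that pass `pStubMsg->MaxCount`. The function body continues outside the hunk.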
@@ -2365,11 +2374,12 @@ unsigned char* WINAPI NdrConformantVaryi
}
pFormat = ReadConformance(pStubMsg, pFormat+4);
- pFormat = ReadVariance(pStubMsg, pFormat);
+ pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
ALIGN_POINTER(pStubMsg->Buffer, alignment);
bufsize = safe_multiply(esize, pStubMsg->ActualCount);
+ TRACE("esize = %ld, pStubMsg->MaxCount = %ld, result = %ld\n", esize, pStubMsg->MaxCount, esize * pStubMsg->MaxCount);
memsize = safe_multiply(esize, pStubMsg->MaxCount);
if (!*ppMemory || fMustAlloc)
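Review bot: The added TRACE computes `esize * pStubMsg->MaxCount` without the overflow check that `safe_multiply` applies on the following line, so in the one case worth logging it prints a wrapped product. It reads like leftover debugging output. Either drop it or log the checked result after the assignment, for example `TRACE("esize = %ld, MaxCount = %ld, memsize = %ld\n", esize, pStubMsg->MaxCount, memsize);`. The function starts and ends outside the hunk.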
@@ -2525,7 +2535,7 @@ unsigned char * WINAPI NdrComplexArrayUn
pFormat += 4;
pFormat = ReadConformance(pStubMsg, pFormat);
- pFormat = ReadVariance(pStubMsg, pFormat);
+ pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
Buffer = pStubMsg->Buffer;
esize = ComplexStructMemorySize(pStubMsg, pFormat);
@@ -2618,7 +2628,7 @@ unsigned long WINAPI NdrComplexArrayMemo
pFormat += 4;
pFormat = ReadConformance(pStubMsg, pFormat);
- pFormat = ReadVariance(pStubMsg, pFormat);
+ pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
ALIGN_POINTER(pStubMsg->Buffer, alignment);
@@ -3199,7 +3209,7 @@ unsigned char * WINAPI NdrConformantVar
memcpy(*ppMemory, pStubMsg->Buffer, pCVStructFormat->memory_size);
pStubMsg->Buffer += pCVStructFormat->memory_size;
- pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
+ pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat, pStubMsg->MaxCount);
bufsize = safe_multiply(esize, pStubMsg->ActualCount);
@@ -3366,7 +3376,7 @@ unsigned long WINAPI NdrConformantVaryin
TRACE("memory_size = %d\n", pCVStructFormat->memory_size);
pStubMsg->Buffer += pCVStructFormat->memory_size;
- pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
+ pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat, pStubMsg->MaxCount);
pStubMsg->Buffer += pCVStructFormat->memory_size + safe_multiply(esize, pStubMsg->ActualCount);
pStubMsg->MemorySize += pCVStructFormat->memory_size + safe_multiply(esize, pStubMsg->MaxCount);
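Review bot: Within this hunk `pStubMsg->Buffer` is advanced by `pCVStructFormat->memory_size` twice, once before the ReadVariance call and again on the line after it, which looks as if the fixed part of the structure is skipped twice. If that is not intended, the second advance should cover only the array: `pStubMsg->Buffer += safe_multiply(esize, pStubMsg->ActualCount);`. This predates the commit but sits directly beside the new validation. No comparison against the end of the receive buffer is visible in the hunk. The function starts and ends outside the hunk.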
@@ -3757,13 +3767,7 @@ unsigned char * WINAPI NdrVaryingArrayU
esize = *(const WORD*)pFormat;
pFormat += sizeof(WORD);
- pFormat = ReadVariance(pStubMsg, pFormat);
- if ((pStubMsg->ActualCount > elements) ||
- (pStubMsg->ActualCount + pStubMsg->Offset > elements))
- {
- RpcRaiseException(RPC_S_INVALID_BOUND);
- return NULL;
- }
+ pFormat = ReadVariance(pStubMsg, pFormat, elements);
ALIGN_POINTER(pStubMsg->Buffer, alignment);
@@ -3877,13 +3881,7 @@ unsigned long WINAPI NdrVaryingArrayMemo
esize = *(const WORD*)pFormat;
pFormat += sizeof(WORD);
- pFormat = ReadVariance(pStubMsg, pFormat);
- if ((pStubMsg->ActualCount > elements) ||
- (pStubMsg->ActualCount + pStubMsg->Offset > elements))
- {
- RpcRaiseException(RPC_S_INVALID_BOUND);
- return 0;
- }
+ pFormat = ReadVariance(pStubMsg, pFormat, elements);
ALIGN_POINTER(pStubMsg->Buffer, alignment);