Rob Shearman : rpcrt4: Fix an integer overflow in NdrConformantStructMarshall and NdrConformantStructUnmarshall .
Alexandre Julliard
julliard at winehq.org
Thu Nov 29 10:31:20 CST 2007
Module: wine
Branch: master
Commit: 8668369b4f27dba9011493d8e8d40e4851743394
URL: http://source.winehq.org/git/wine.git/?a=commit;h=8668369b4f27dba9011493d8e8d40e4851743394
Author: Rob Shearman <rob at codeweavers.com>
Date: Wed Nov 28 15:02:39 2007 +0000
rpcrt4: Fix an integer overflow in NdrConformantStructMarshall and NdrConformantStructUnmarshall.
---
dlls/rpcrt4/ndr_marshall.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index cbb766d..35028b4 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -3399,6 +3399,12 @@ unsigned char * WINAPI NdrConformantStructMarshall(PMIDL_STUB_MESSAGE pStubMsg,
TRACE("memory_size = %d\n", pCStructFormat->memory_size);
bufsize = safe_multiply(esize, pStubMsg->MaxCount);
+ if (pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size) /* integer overflow */
+ {
+ ERR("integer overflow of memory_size %u with bufsize %u\n",
+ pCStructFormat->memory_size, bufsize);
+ RpcRaiseException(RPC_X_BAD_STUB_DATA);
+ }
/* copy constant sized part of struct */
pStubMsg->BufferMark = pStubMsg->Buffer;
safe_copy_to_buffer(pStubMsg, pMemory, pCStructFormat->memory_size + bufsize);
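Review bot: The wrap test `pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size` is written out in full here and again in the NdrConformantStructUnmarshall hunk, and the same sum is recomputed in the `safe_copy_to_buffer` call right after the check. Since `safe_multiply` already covers the product, a matching checked-add helper (name left to the project) would keep the validated value and the value actually used in one place, so the two cannot drift apart in a later edit. The idiom is only sound if both operands are unsigned at the width of the addition; their declarations are outside the hunk, and the neighbouring TRACE prints `memory_size` with `%d` while the new ERR uses `%u`, so the types are worth confirming.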
@@ -3447,6 +3453,12 @@ unsigned char * WINAPI NdrConformantStructUnmarshall(PMIDL_STUB_MESSAGE pStubMs
TRACE("memory_size = %d\n", pCStructFormat->memory_size);
bufsize = safe_multiply(esize, pStubMsg->MaxCount);
+ if (pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size) /* integer overflow */
+ {
+ ERR("integer overflow of memory_size %u with bufsize %u\n",
+ pCStructFormat->memory_size, bufsize);
+ RpcRaiseException(RPC_X_BAD_STUB_DATA);
+ }
/* work out how much memory to allocate if we need to do so */
if (!*ppMemory || fMustAlloc)
{
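Review bot: The trailing `/* integer overflow */` on the new `if` names what is detected but not why the check must sit at this point. The context comment that follows ("work out how much memory to allocate") suggests the total sizes an allocation, and on the unmarshall side `pStubMsg->MaxCount` is presumably derived from received data. A comment such as `/* MaxCount may come from the wire: reject a wrapped total before it sizes the allocation below */` would record that ordering constraint. The function body continues outside the hunk, so the actual use of the sum is not visible here.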