rpcrt4: Fix regression in NdrConformantStringUnmarshall by doing the memcpy check in safe_copy_from_buffer
Robert Shearman
rob at codeweavers.com
Thu Dec 20 05:35:50 CST 2007
Maarten Lankhorst wrote:
> Hi Rob,
>
> Robert Shearman schreef:
>
>> Maarten Lankhorst wrote:
>>
>>> @@ -665,7 +665,8 @@ static inline void
>>> safe_copy_from_buffer(MIDL_STUB_MESSAGE *pStubMsg, void *p, U
>>> if ((pStubMsg->Buffer + size < pStubMsg->Buffer) || /* integer
>>> overflow of pStubMsg->Buffer */
>>> (pStubMsg->Buffer + size > pStubMsg->BufferEnd))
>>> RpcRaiseException(RPC_X_BAD_STUB_DATA);
>>> - memcpy(p, pStubMsg->Buffer, size);
>>> + if (p != pStubMsg->Buffer)
>>> + memcpy(p, pStubMsg->Buffer, size);
>>> pStubMsg->Buffer += size;
>>> }
>>>
>>>
>> Good work in spotting and fixing the mistake I made, but I think I'd
>> prefer to fix it by making the caller of safe_copy_from_buffer do the
>> incrementing of the buffer. This is to avoid confusion with the name
>> of the function and to avoid the possibility that the buffer is
>> incremented twice.
>>
> If you want to remove that, you might as well remove that whole inline,
> since even when the two areas are equal the check that needs to be
> performed at overflowing still needs to be done even if the areas are
> the same.
>
That's what safe_buffer_increment does.
--
Rob Shearman
More information about the wine-devel
mailing list