Robert Shearman : rpcrt4: Check that strings are null-terminated on unmarshaling of conformant-varying structs.
Alexandre Julliard
julliard at wine.codeweavers.com
Mon Jun 12 07:09:32 CDT 2006
Module: wine
Branch: refs/heads/master
Commit: 613ee6d01c2bcea446c1792ef57a18afbbe0a8a4
URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=613ee6d01c2bcea446c1792ef57a18afbbe0a8a4
Author: Robert Shearman <rob at codeweavers.com>
Date: Sat Jun 10 12:32:35 2006 +0100
rpcrt4: Check that strings are null-terminated on unmarshaling of conformant-varying structs.
---
dlls/rpcrt4/ndr_marshall.c | 22 ++++++++++++++++++++++
1 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 26d430b..58bcd25 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -3202,6 +3202,28 @@ unsigned char * WINAPI NdrConformantVar
pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
bufsize = safe_multiply(esize, pStubMsg->ActualCount);
+
+ if ((cvarray_type == RPC_FC_C_CSTRING) ||
+ (cvarray_type == RPC_FC_C_WSTRING))
+ {
+ ULONG i;
+ /* strings must always have null terminating bytes */
+ if (bufsize < esize)
+ {
+ ERR("invalid string length of %ld\n", pStubMsg->ActualCount);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ for (i = bufsize - esize; i < bufsize; i++)
+ if (pStubMsg->Buffer[i] != 0)
+ {
+ ERR("string not null-terminated at byte position %ld, data is 0x%x\n",
+ i, pStubMsg->Buffer[i]);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ }
+
/* copy the array data */
memcpy(*ppMemory + pCVStructFormat->memory_size, pStubMsg->Buffer,
bufsize);
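Review bot: The terminator loop indexes pStubMsg->Buffer from bufsize - esize up to bufsize - 1, and the memcpy after it reads bufsize bytes, but nothing in the visible lines verifies that bufsize bytes actually remain in the received buffer. Since bufsize is computed from pStubMsg->ActualCount, a length check against the end of the buffer should come before the loop (or the commit should point to where that check already happens), otherwise the new validation can itself read past the data it is validating. Two smaller points: i is declared ULONG but printed with %ld in the second ERR, so an unsigned specifier would match the type, and the %ld used for ActualCount in the first ERR deserves the same look. The return NULL after each RpcRaiseException is not reached once the exception is raised, so either drop it or add a short comment saying it is there only to quiet the compiler.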