Rob Shearman : rpcrt4: Add a check for a NULL ref pointer to NdrPointerUnmarshall.

Alexandre Julliard julliard at winehq.org
Wed Mar 11 10:04:23 CDT 2009


Module: wine
Branch: master
Commit: 689a49b52ac462b9988429cd89423faa10b1c33b
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=689a49b52ac462b9988429cd89423faa10b1c33b

Author: Rob Shearman <robertshearman at gmail.com>
Date:   Tue Mar 10 23:41:39 2009 +0000

rpcrt4: Add a check for a NULL ref pointer to NdrPointerUnmarshall.

---

 dlls/rpcrt4/ndr_marshall.c |   24 +++++++++++++++++-------
 1 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 05eb638..b29186c 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -1500,18 +1500,28 @@ unsigned char * WINAPI NdrPointerUnmarshall(PMIDL_STUB_MESSAGE pStubMsg,
 
   TRACE("(%p,%p,%p,%d)\n", pStubMsg, ppMemory, pFormat, fMustAlloc);
 
-  /* Increment the buffer here instead of in PointerUnmarshall,
-   * as that is used by embedded pointers which already handle the incrementing
-   * the buffer, and shouldn't read any additional pointer data from the
-   * buffer */
-  if (*pFormat != RPC_FC_RP)
+  if (*pFormat == RPC_FC_RP)
   {
-    ALIGN_POINTER(pStubMsg->Buffer, 4);
     Buffer = pStubMsg->Buffer;
-    safe_buffer_increment(pStubMsg, 4);
+    /* Do the NULL ref pointer check here because embedded pointers can be
+     * NULL if the type the pointer is embedded in was allocated rather than
+     * being passed in by the client */
+    if (pStubMsg->IsClient && !*ppMemory)
+    {
+      ERR("NULL ref pointer is not allowed\n");
+      RpcRaiseException(RPC_X_NULL_REF_POINTER);
+    }
   }
   else
+  {
+    /* Increment the buffer here instead of in PointerUnmarshall,
+     * as that is used by embedded pointers which already handle the incrementing
+     * the buffer, and shouldn't read any additional pointer data from the
+     * buffer */
+    ALIGN_POINTER(pStubMsg->Buffer, 4);
     Buffer = pStubMsg->Buffer;
+    safe_buffer_increment(pStubMsg, 4);
+  }
 
   PointerUnmarshall(pStubMsg, Buffer, ppMemory, *ppMemory, pFormat, fMustAlloc);
 




More information about the wine-cvs mailing list