rpcrt4: Fix regression in NdrConformantStringUnmarshall by doing the memcpy check in safe_copy_from_buffer
Robert Shearman
rob at codeweavers.com
Thu Dec 20 03:39:53 CST 2007
Maarten Lankhorst wrote:
> @@ -665,7 +665,8 @@ static inline void safe_copy_from_buffer(MIDL_STUB_MESSAGE *pStubMsg, void *p, U
> if ((pStubMsg->Buffer + size < pStubMsg->Buffer) || /* integer overflow of pStubMsg->Buffer */
> (pStubMsg->Buffer + size > pStubMsg->BufferEnd))
> RpcRaiseException(RPC_X_BAD_STUB_DATA);
> - memcpy(p, pStubMsg->Buffer, size);
> + if (p != pStubMsg->Buffer)
> + memcpy(p, pStubMsg->Buffer, size);
> pStubMsg->Buffer += size;
> }
>
> @@ -890,8 +891,7 @@ unsigned char *WINAPI NdrConformantStringUnmarshall( PMIDL_STUB_MESSAGE pStubMsg
> *ppMemory = NdrAllocate(pStubMsg, memsize);
> }
>
> - if (*ppMemory != pStubMsg->Buffer)
> - safe_copy_from_buffer(pStubMsg, *ppMemory, bufsize);
> + safe_copy_from_buffer(pStubMsg, *ppMemory, bufsize);
>
> if (*pFormat == RPC_FC_C_CSTRING) {
> TRACE("string=%s\n", debugstr_a((char*)*ppMemory));
>
Good work in spotting and fixing the mistake I made, but I think I'd
prefer to fix it by making the caller of safe_copy_from_buffer do the
incrementing of the buffer. This is to avoid confusion with the name of
the function and to avoid the possibility that the buffer is incremented
twice.
--
Rob Shearman
More information about the wine-devel
mailing list