advapi32: fix a too small buffer in CredUnmarshalCredentialW [try2]
Hans Leidekker
hans at codeweavers.com
Wed Nov 14 10:22:00 CST 2012
On Wed, 2012-11-14 at 16:28 +0100, Stefan Leichter wrote:
> @@ -2053,6 +2053,8 @@ static BOOL cred_decode( const WCHAR *cred, unsigned int len, char *buf )
> char c0, c1, c2, c3;
> const WCHAR *p = cred;
>
> + TRACE("%s\n", debugstr_wn(cred,len));
This string is already traced in CredUnmarshalCredentialW.
> @@ -2134,6 +2136,7 @@ BOOL WINAPI CredUnmarshalCredentialW( LPCWSTR cred, PCRED_MARSHAL_TYPE type, PVO
> case UsernameTargetCredential:
> {
> USERNAME_TARGET_CREDENTIAL_INFO *target;
> + ULONGLONG size = 0;
>
> if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) || !size || size % sizeof(WCHAR))
> {
You should also perform a sanity check on 'size' to avoid overflow in
calculations that follow.
More information about the wine-devel
mailing list