[PATCH 3/6] ole32, propsys: Rework PROPVARIANT (de)serialization

Thu Jul 16 14:00:56 CDT 2015

>> I remember being concerned that StgConvertPropertyToVariant does not
>> accept a size for the serialized value. This is not good when we don't
>> trust the data we're reading.
>>
>> So, at least for deserialization I don't think we should use the public
>> API.
>>
>
> Yes, I agree, it would be nice to have buffer length. Maybe the idea is to
> check some kind of a header first, could be that first DWORD is actually
> stream length, if that's the case it's not that bad.

Sadly, no, the size and how/if it's encoded depends on the type, which
is the first thing in the structure.