widl problem in argument ordering

Marcus Meissner marcus at jet.franken.de
Wed May 20 17:01:22 CDT 2015


Hi,

Coverity issue "CID 1299032 Explicit null dereferenced"
shows I think a problem of the widl generated stub marshaller.

The IDL is:
interface IAccIdentity : IUnknown
{
    HRESULT GetIdentityString([in] DWORD idchild,
                              [out, size_is(*string_len)] BYTE **str,
                              [out] DWORD *string_len);
}

the generated stub is:

	void __RPC_STUB IAccIdentity_GetIdentityString_Stub(
	    IRpcStubBuffer* This,
	    IRpcChannelBuffer *_pRpcChannelBuffer,
	    PRPC_MESSAGE _pRpcMessage,
	    DWORD* _pdwStubPhase)
	{
	    struct __frame_IAccIdentity_GetIdentityString_Stub __f, * const __frame = &__f;

	    __frame->_This = (IAccIdentity*)((CStdStubBuffer*)This)->pvServerObject;

	    NdrStubInitialize(_pRpcMessage, &__frame->_StubMsg, &Object_StubDesc, _pRpcChannelBuffer);

	    RpcExceptionInit( 0, __finally_IAccIdentity_GetIdentityString_Stub );
	    __frame->str = 0;
	    __frame->string_len = 0;

	    RpcTryFinally
	    {
		if ((_pRpcMessage->DataRepresentation & 0xffff) != NDR_LOCAL_DATA_REPRESENTATION)
		    NdrConvert( &__frame->_StubMsg, &__MIDL_ProcFormatString.Format[216]);

		__frame->_StubMsg.Buffer = (unsigned char *)(((ULONG_PTR)__frame->_StubMsg.Buffer + 3) & ~0x3);
		if (__frame->_StubMsg.Buffer + sizeof(DWORD) > __frame->_StubMsg.BufferEnd)
		{
		    RpcRaiseException(RPC_X_BAD_STUB_DATA);
		}
		__frame->idchild = *(DWORD *)__frame->_StubMsg.Buffer;
		__frame->_StubMsg.Buffer += sizeof(DWORD);


		__frame->str = NdrAllocate(&__frame->_StubMsg, *__frame->string_len * 4); // DEREFERENCED
		memset(__frame->str, 0, *__frame->string_len * 4);
		__frame->string_len = &__frame->_W0; 					// ACTUALLY initialized
		__frame->_W0 = 0;


Note that __frame->string_len is dereferenced before it is set to &__frame->_W0.

There seems to be a bit of an ordering problem here?

Ciao, Marcus
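As an added example (not widl's output and not part of this report), a small C model of the stub's unmarshalling step with the corrected order: each [out] pointer is aimed at frame storage before anything reads through it, and the [in] DWORD read keeps the alignment and bounds check from the quoted stub. The frame layout, the little-endian wire format and the sample request are simplifying assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-in for __frame_IAccIdentity_GetIdentityString_Stub;
 * only the fields the report touches are modelled. */
typedef struct {
    uint32_t idchild;           /* [in] DWORD idchild */
    unsigned char **str;        /* [out, size_is(*string_len)] BYTE **str */
    uint32_t *string_len;       /* [out] DWORD *string_len */
    uint32_t w0;                /* frame storage string_len points at (like _W0) */
    unsigned char *str_storage; /* frame storage str points at */
} stub_frame;

enum { STUB_OK = 0, STUB_BAD_DATA = 1 };

int unmarshal_get_identity_string(stub_frame *f, const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    f->str = NULL;
    f->string_len = NULL;

    /* [in] DWORD idchild: NDR aligns to 4 (here relative to the buffer start),
     * and the read must fit before the bytes are touched. */
    pos = (pos + 3) & ~(size_t)3;
    if (pos + 4 > len)
        return STUB_BAD_DATA;           /* RPC_X_BAD_STUB_DATA in the real stub */
    f->idchild = (uint32_t)buf[pos] | (uint32_t)buf[pos + 1] << 8 |
                 (uint32_t)buf[pos + 2] << 16 | (uint32_t)buf[pos + 3] << 24;

    /* [out] parameters: give each pointer a target FIRST, then initialise through
     * it. The quoted stub instead sizes the allocation for str from *string_len
     * while string_len is still 0. */
    f->string_len = &f->w0;
    f->w0 = 0;
    f->str = &f->str_storage;
    f->str_storage = NULL;              /* size_is(*string_len) is 0 at this point */
    return STUB_OK;
}

/* Constructed sample request: idchild = 0x1234 as a little-endian DWORD. */
static const unsigned char sample_request[4] = { 0x34, 0x12, 0x00, 0x00 };

/* Decodes the first len bytes (len <= 4) of the sample; returns idchild, or 0
 * if the buffer was rejected or string_len does not point at frame storage. */
uint32_t decode_sample(size_t len)
{
    stub_frame f;
    if (unmarshal_get_identity_string(&f, sample_request, len) != STUB_OK)
        return 0;
    return (f.string_len == &f.w0 && *f.string_len == 0) ? f.idchild : 0;
}
```

The truncated-buffer case (len 3) exercises the same bounds check the generated stub performs before reading idchild.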
