oleaut32: Handle xbuf_get erroring out in deserialize_param (and avoid uninitialized read).
Dmitry Timoshkov
dmitry at baikal.ru
Tue Sep 20 02:29:12 CDT 2016
Gerald Pfeifer <gerald at pfeifer.com> wrote:
> --- a/dlls/oleaut32/tmarshal.c
> +++ b/dlls/oleaut32/tmarshal.c
> @@ -1078,7 +1078,10 @@ deserialize_param(
> if (readit) {
> DWORD x;
> hres = xbuf_get(buf,(LPBYTE)&x,sizeof(DWORD));
> - if (hres) ERR("Failed to read integer 4 byte\n");
> + if (hres) {
> + ERR("Failed to read integer 4 byte\n");
> + x = 0;
> + }
> memcpy(arg,&x,2);
> }
> if (debugout) TRACE_(olerelay)("%04x",*arg & 0xffff);
> @@ -1088,7 +1091,10 @@ deserialize_param(
> if (readit) {
> DWORD x;
> hres = xbuf_get(buf,(LPBYTE)&x,sizeof(DWORD));
> - if (hres) ERR("Failed to read integer 4 byte\n");
> + if (hres) {
> + ERR("Failed to read integer 4 byte\n");
> + x = 0;
> + }
> memcpy(arg,&x,1);
A proper fix would be to avoid a memcpy() if xbuf_get() fails instead
of creating bogus input data.
--
Dmitry.
More information about the wine-devel
mailing list