rpcrt4: Correctly check for in-buffer memory in PointerFree.

Thomas Faber thomas.faber at reactos.org
Mon Aug 11 04:06:26 CDT 2014


The pointer to be freed will sometimes be equal to pStubMsg->BufferEnd.
For example this occurs with a zero-size array (in my case argv in
RStartServiceW, where argc == 0): an in-buffer pointer will be used,
but there is no data to be read following in the buffer (i.e. the
pointer must never be dereferenced).
From d64aac36132b5b38343305a8db53135e1d9ff9c0 Mon Sep 17 00:00:00 2001
From: Thomas Faber <thomas.faber at reactos.org>
Date: Mon, 11 Aug 2014 10:59:20 +0200
Subject: rpcrt4: Correctly check for in-buffer memory in PointerFree.

---
 dlls/rpcrt4/ndr_marshall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 481b426..3f1762a 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -1138,7 +1138,7 @@ static void PointerFree(PMIDL_STUB_MESSAGE pStubMsg,
    * BufferStart and BufferEnd won't be reset when allocating memory for
    * sending the response. we don't have to check for the new buffer here as
    * it won't be used a type memory, only for buffer memory */
-  if (Pointer >= pStubMsg->BufferStart && Pointer < pStubMsg->BufferEnd)
+  if (Pointer >= pStubMsg->BufferStart && Pointer <= pStubMsg->BufferEnd)
       goto notfree;
 
   if (attr & RPC_FC_P_ONSTACK) {
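Review bot: the widened upper bound (`Pointer <= pStubMsg->BufferEnd`) is not reflected in the comment directly above the check, which still describes BufferStart/BufferEnd without saying that a pointer exactly at BufferEnd is a legitimate in-buffer pointer for zero-size data. Suggest extending that comment with the reason given in the commit message (a zero-size conformant array yields an in-buffer pointer with no data behind it), since the `<=` on its own reads like an off-by-one to the next reader. One consequence worth a sentence there as well: if a heap allocation happened to start exactly at BufferEnd, the new check would send it to `notfree` and leak it rather than free it; that is the safe side of the comparison (a leak instead of freeing memory that was never allocated), but it should be stated as the intended trade-off. While touching the comment, "it won't be used a type memory" should read "used as type memory".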
-- 
1.9.0.msysgit.0
