Robert Shearman : rpcrt4: Pass in a maximum variance value to ReadVariance to allow us
Module: wine Branch: refs/heads/master Commit: 8dea3c2aa866bb3f5e24d12b43712c524e8b8fa8 URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=8dea3c2aa866bb3f5e24d12b... Author: Robert Shearman <rob(a)codeweavers.com> Date: Sat Jun 10 12:32:47 2006 +0100 rpcrt4: Pass in a maximum variance value to ReadVariance to allow us to validate the conformance values being read from the wire.
---
 dlls/rpcrt4/ndr_marshall.c | 40 +++++++++++++++++++---------------------
 1 files changed, 19 insertions(+), 21 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 58bcd25..50d3871 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -332,7 +332,7 @@ static PFORMAT_STRING ReadConformance(MI
 return pFormat+4;
 }
-static inline PFORMAT_STRING ReadVariance(MIDL_STUB_MESSAGE *pStubMsg, PFORMAT_STRING pFormat)
+static inline PFORMAT_STRING ReadVariance(MIDL_STUB_MESSAGE *pStubMsg, PFORMAT_STRING pFormat, ULONG MaxValue)
 {
 if (pFormat && !IsConformanceOrVariancePresent(pFormat))
 {
@@ -349,6 +349,15 @@ static inline PFORMAT_STRING ReadVarianc
 pStubMsg->Buffer += 4;
 TRACE("variance is %ld\n", pStubMsg->ActualCount);
+ if ((pStubMsg->ActualCount > MaxValue) ||
+ (pStubMsg->ActualCount + pStubMsg->Offset > MaxValue))
+ {
+ ERR("invalid array bound(s): ActualCount = %ld, Offset = %ld, MaxValue = %ld\n",
+ pStubMsg->ActualCount, pStubMsg->Offset, MaxValue);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+
 done:
 if (pStubMsg->fHasNewCorrDesc)
 return pFormat+6;
@@ -675,7 +684,7 @@ unsigned char *WINAPI NdrConformantStrin
 assert(pFormat && ppMemory && pStubMsg);
 ReadConformance(pStubMsg, NULL);
- ReadVariance(pStubMsg, NULL);
+ ReadVariance(pStubMsg, NULL, pStubMsg->MaxCount);
 if (*pFormat == RPC_FC_C_CSTRING) esize = 1;
 else if (*pFormat == RPC_FC_C_WSTRING) esize = 2;
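Review bot: The second half of the bound check added to `ReadVariance` in the hunk at -349, `pStubMsg->ActualCount + pStubMsg->Offset > MaxValue`, adds two counts taken from the wire before comparing them, so the sum can wrap and a very large `Offset` paired with a small `ActualCount` would pass. This assumes both fields are 32-bit unsigned, as the `ULONG MaxValue` parameter suggests; their declarations are not in the diff. Comparing without the addition avoids the wrap: `if (pStubMsg->ActualCount > MaxValue || pStubMsg->Offset > MaxValue - pStubMsg->ActualCount)`. The same expression was already in the inline checks this commit removes at -3757 and -3877, so it is inherited rather than new, but it now guards every caller. The function's body begins and ends outside this hunk.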
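Review bot: The limit passed at the call site in the hunk at -675, `pStubMsg->MaxCount`, appears to have been set one line earlier by `ReadConformance(pStubMsg, NULL)` from the same incoming buffer, so the new check only ties the variance to the sender's own conformance value and is not an absolute bound. A comment here would keep later readers from treating it as one, for example `/* MaxCount is wire-supplied too: this only checks ActualCount/Offset against it */`. The same holds for the `pStubMsg->MaxCount` call sites in the hunks at -2365, -2525, -2618, -3199 and -3366, where the sizes still depend on `safe_multiply` and on buffer-length checks that are not visible in this diff.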
@@ -2365,11 +2374,12 @@ unsigned char* WINAPI NdrConformantVaryi
 }
 pFormat = ReadConformance(pStubMsg, pFormat+4);
- pFormat = ReadVariance(pStubMsg, pFormat);
+ pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
 ALIGN_POINTER(pStubMsg->Buffer, alignment);
 bufsize = safe_multiply(esize, pStubMsg->ActualCount);
+ TRACE("esize = %ld, pStubMsg->MaxCount = %ld, result = %ld\n", esize, pStubMsg->MaxCount, esize * pStubMsg->MaxCount);
 memsize = safe_multiply(esize, pStubMsg->MaxCount);
 if (!*ppMemory || fMustAlloc)
@@ -2525,7 +2535,7 @@ unsigned char * WINAPI NdrComplexArrayUn
 pFormat += 4;
 pFormat = ReadConformance(pStubMsg, pFormat);
- pFormat = ReadVariance(pStubMsg, pFormat);
+ pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
 Buffer = pStubMsg->Buffer;
 esize = ComplexStructMemorySize(pStubMsg, pFormat);
@@ -2618,7 +2628,7 @@ unsigned long WINAPI NdrComplexArrayMemo
 pFormat += 4;
 pFormat = ReadConformance(pStubMsg, pFormat);
- pFormat = ReadVariance(pStubMsg, pFormat);
+ pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
 ALIGN_POINTER(pStubMsg->Buffer, alignment);
@@ -3199,7 +3209,7 @@ unsigned char *  WINAPI NdrConformantVar
 memcpy(*ppMemory, pStubMsg->Buffer, pCVStructFormat->memory_size);
 pStubMsg->Buffer += pCVStructFormat->memory_size;
- pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
+ pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat, pStubMsg->MaxCount);
 bufsize = safe_multiply(esize, pStubMsg->ActualCount);
@@ -3366,7 +3376,7 @@ unsigned long WINAPI NdrConformantVaryin
 TRACE("memory_size = %d\n", pCVStructFormat->memory_size);
 pStubMsg->Buffer += pCVStructFormat->memory_size;
- pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
+ pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat, pStubMsg->MaxCount);
 pStubMsg->Buffer += pCVStructFormat->memory_size + safe_multiply(esize, pStubMsg->ActualCount);
 pStubMsg->MemorySize += pCVStructFormat->memory_size + safe_multiply(esize, pStubMsg->MaxCount);
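Review bot: The `TRACE` added in the hunk at -2365 computes `esize * pStubMsg->MaxCount` with a plain multiply one line before `safe_multiply(esize, pStubMsg->MaxCount)` does the checked version, so in exactly the overflow case the trace prints a wrapped product. It also reads like leftover debugging unrelated to the ReadVariance change. Either drop it or move it after the checked call and print that result, keeping the specifiers the hunk already uses: `TRACE("esize = %ld, MaxCount = %ld, memsize = %ld\n", esize, pStubMsg->MaxCount, memsize);`. The enclosing function starts and ends outside the hunk.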
@@ -3757,13 +3767,7 @@ unsigned char *  WINAPI NdrVaryingArrayU
 esize = *(const WORD*)pFormat;
 pFormat += sizeof(WORD);
- pFormat = ReadVariance(pStubMsg, pFormat);
- if ((pStubMsg->ActualCount > elements) ||
- (pStubMsg->ActualCount + pStubMsg->Offset > elements))
- {
- RpcRaiseException(RPC_S_INVALID_BOUND);
- return NULL;
- }
+ pFormat = ReadVariance(pStubMsg, pFormat, elements);
 ALIGN_POINTER(pStubMsg->Buffer, alignment);
@@ -3877,13 +3881,7 @@ unsigned long WINAPI NdrVaryingArrayMemo
 esize = *(const WORD*)pFormat;
 pFormat += sizeof(WORD);
- pFormat = ReadVariance(pStubMsg, pFormat);
- if ((pStubMsg->ActualCount > elements) ||
- (pStubMsg->ActualCount + pStubMsg->Offset > elements))
- {
- RpcRaiseException(RPC_S_INVALID_BOUND);
- return 0;
- }
+ pFormat = ReadVariance(pStubMsg, pFormat, elements);
 ALIGN_POINTER(pStubMsg->Buffer, alignment);
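Review bot: Moving the bound check into `ReadVariance` changes when it runs: in the hunk at -3757 (and the same edit at -3877) the removed inline test was applied after every call, whereas the new test sits before the `done:` label, so any path that jumps to `done:` returns without comparing against `elements`. The top of `ReadVariance` is only partly visible, so whether the `!IsConformanceOrVariancePresent(pFormat)` branch takes that jump is an inference. If it does, placing the check after `done:` would keep the old behaviour for these two callers. The hunk at -3877 also used to `return 0` from a function returning `unsigned long` and now relies on `RpcRaiseException` not returning, which is worth a one-line comment such as `/* ReadVariance raises RPC_S_INVALID_BOUND on a bad count */`.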