Hans Leidekker <hans(a)codeweavers.com> writes:

You are not being paranoid enough...
+ privs = get_req_data_after_objattr( objattr, &data_size ); + privs_size = req->privilege_count * sizeof(*privs);
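Review bot: `privs_size = req->privilege_count * sizeof(*privs)` can wrap when privilege_count is large, and every later offset in this function is built on the wrapped value. Reject the count before multiplying, e.g. `if (req->privilege_count > data_size / sizeof(*privs))` bail out with an error, so that privs_size is guaranteed to fit within data_size.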
This can overflow.
+ if (req->default_dacl_size) + { + acl = (const ACL *)((const char *)privs + privs_size); + if (!acl_is_valid( acl, req->default_dacl_size ))
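Review bot: `acl = (const ACL *)((const char *)privs + privs_size)` is handed to `acl_is_valid( acl, req->default_dacl_size )` without first confirming that privs_size + req->default_dacl_size is within data_size, so the validation itself can read past the end of the request data. Check `req->default_dacl_size <= data_size - privs_size` (with privs_size already known to be no larger than data_size) before calling acl_is_valid.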
No check against request size.
+ data_size -= req->default_dacl_size; + + groups = (const struct token_groups *)((const char *)privs + privs_size + req->default_dacl_size);
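Review bot: `data_size -= req->default_dacl_size;` has no guard that data_size is at least req->default_dacl_size, so the subtraction can underflow and the later comparisons against data_size lose their meaning; the groups pointer is also placed at offset privs_size + req->default_dacl_size, which nothing guarantees is a multiple of the alignment struct token_groups requires. Verify the subtraction cannot wrap, and reject a DACL size that leaves the groups header misaligned rather than dereferencing it.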
size could be misaligned.
+ if (data_size < sizeof(*groups) || !groups->count || + sizeof(*groups) + groups->count * sizeof(*attr) > data_size ||
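Review bot: `sizeof(*groups) + groups->count * sizeof(*attr) > data_size` can wrap in the multiplication, letting a very large count pass as fitting in data_size. Write the bound as a division instead, `groups->count > (data_size - sizeof(*groups)) / sizeof(*attr)`, which is safe once the preceding `data_size < sizeof(*groups)` test has established the subtraction cannot underflow.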
This can overflow. There may be more... Also you probably want to introduce some kind of helper function.

--
Alexandre Julliard
julliard(a)winehq.org
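As an added example (not part of Hans Leidekker's patch or of Wine's own code), a helper of the kind suggested above that walks the same privileges / DACL / groups layout with every size checked against the remaining data before it is used. The structure shapes, the data_size_t typedef and the names parse_token_data and build_sample_request are assumptions made for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef unsigned int data_size_t;  /* assumption: request data sizes are 32-bit unsigned */

/* Simplified stand-ins for the structures the hunk walks over (assumed shapes, not Wine's). */
struct luid_attr    { uint32_t low; int32_t high; uint32_t attrs; };
struct sid_attr     { uint32_t attrs; uint32_t sid_offset; };
struct token_groups { uint32_t count; /* followed by count struct sid_attr entries */ };

struct token_layout { const struct luid_attr *privs; const void *dacl; const struct token_groups *groups; };

/* Overflow-safe walk of the variable part of the request. Each size is checked
 * against the bytes still unclaimed before it is added, so no multiplication or
 * subtraction can wrap. Returns 1 and fills *out, or 0 if the layout is invalid. */
int parse_token_data( const char *data, data_size_t data_size, uint32_t privilege_count,
                      data_size_t default_dacl_size, struct token_layout *out )
{
    data_size_t offset = 0;
    if (privilege_count > data_size / sizeof(struct luid_attr)) return 0;   /* privs_size cannot wrap */
    out->privs = (const struct luid_attr *)data;
    offset += privilege_count * sizeof(struct luid_attr);

    if (default_dacl_size > data_size - offset) return 0;                   /* DACL must fit */
    out->dacl = default_dacl_size ? data + offset : NULL;
    offset += default_dacl_size;

    if (offset % sizeof(uint32_t)) return 0;      /* header holds 32-bit fields: needs 4-byte alignment */
    if (data_size - offset < sizeof(struct token_groups)) return 0;
    out->groups = (const struct token_groups *)(data + offset);
    offset += sizeof(struct token_groups);

    if (!out->groups->count) return 0;
    if (out->groups->count > (data_size - offset) / sizeof(struct sid_attr)) return 0;  /* entries fit */
    return 1;
}

/* Constructed sample request: two privileges, an 8-byte DACL placeholder, then a
 * groups header carrying group_count and room for that many entries. */
data_size_t build_sample_request( unsigned char *buf, size_t buf_len, uint32_t group_count )
{
    data_size_t groups_off = 2 * sizeof(struct luid_attr) + 8;
    data_size_t total = groups_off + sizeof(struct token_groups) + group_count * sizeof(struct sid_attr);
    if (total > buf_len) return 0;
    memset( buf, 0, total );
    memcpy( buf + groups_off, &group_count, sizeof(group_count) );
    return total;
}
```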