Module: wine Branch: refs/heads/master Commit: 613ee6d01c2bcea446c1792ef57a18afbbe0a8a4 URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=613ee6d01c2bcea446c1792e...
Author: Robert Shearman rob@codeweavers.com Date: Sat Jun 10 12:32:35 2006 +0100
rpcrt4: Check that strings are null-terminated on unmarshaling of conformant-varying structs.
---
dlls/rpcrt4/ndr_marshall.c | 22 ++++++++++++++++++++++ 1 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 26d430b..58bcd25 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -3202,6 +3202,28 @@ unsigned char * WINAPI NdrConformantVar
 pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
 bufsize = safe_multiply(esize, pStubMsg->ActualCount);
+
+ if ((cvarray_type == RPC_FC_C_CSTRING) ||
+ (cvarray_type == RPC_FC_C_WSTRING))
+ {
+ ULONG i;
+ /* strings must always have null terminating bytes */
+ if (bufsize < esize)
+ {
+ ERR("invalid string length of %ld\n", pStubMsg->ActualCount);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ for (i = bufsize - esize; i < bufsize; i++)
+ if (pStubMsg->Buffer[i] != 0)
+ {
+ ERR("string not null-terminated at byte position %ld, data is 0x%x\n",
+ i, pStubMsg->Buffer[i]);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ }
+
 /* copy the array data */
 memcpy(*ppMemory + pCVStructFormat->memory_size, pStubMsg->Buffer, bufsize);
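Review bot: The terminator loop indexes `pStubMsg->Buffer` from `bufsize - esize` up to `bufsize - 1`, and the `memcpy` after it reads `bufsize` bytes, yet nothing in this hunk checks that `bufsize` bytes are actually left in the received buffer; `bufsize` is derived from `ActualCount`, which `ReadVariance` appears to have just taken from the wire. Unless a bound is enforced outside the hunk (the function body starts and ends beyond it), an oversized count makes both the new check and the copy read past the marshalled data. A guard placed ahead of the string check, such as `if (bufsize > (ULONG)(pStubMsg->BufferEnd - pStubMsg->Buffer)) RpcRaiseException(RPC_X_BAD_STUB_DATA);`, would close that, assuming `BufferEnd` is kept current on this path. Separately, `i` is a `ULONG`, so the second `ERR` format should print it with `%lu` rather than `%ld`.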