Module: wine Branch: refs/heads/master Commit: 2e875d5d351b992ab3cab42420f2c4db69cfca00 URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=2e875d5d351b992ab3cab424...
Author: Robert Shearman rob@codeweavers.com Date: Mon Jan 9 17:20:19 2006 +0100
rpcrt4: Validate complex array format string. Verify that the format string being passed into the complex array functions is a complex array one.
---
dlls/rpcrt4/ndr_marshall.c | 35 +++++++++++++++++++++++++++++++++++ 1 files changed, 35 insertions(+), 0 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c index 0df9bed..def590d 100644 --- a/dlls/rpcrt4/ndr_marshall.c +++ b/dlls/rpcrt4/ndr_marshall.c @@ -2098,6 +2098,13 @@ unsigned char * WINAPI NdrComplexArrayMa
TRACE("(%p,%p,%p)\n", pStubMsg, pMemory, pFormat);
+ if (pFormat[0] != RPC_FC_BOGUS_ARRAY) + { + ERR("invalid format type %x\n", pFormat[0]); + RpcRaiseException(RPC_S_INTERNAL_ERROR); + return NULL; + } + def = *(const WORD*)&pFormat[2]; pFormat += 4;
@@ -2139,6 +2146,13 @@ unsigned char * WINAPI NdrComplexArrayUn
TRACE("(%p,%p,%p,%d)\n", pStubMsg, ppMemory, pFormat, fMustAlloc);
+ if (pFormat[0] != RPC_FC_BOGUS_ARRAY) + { + ERR("invalid format type %x\n", pFormat[0]); + RpcRaiseException(RPC_S_INTERNAL_ERROR); + return NULL; + } + pFormat += 4;
pFormat = ReadConformance(pStubMsg, pFormat); @@ -2180,6 +2194,13 @@ void WINAPI NdrComplexArrayBufferSize(PM
TRACE("(%p,%p,%p)\n", pStubMsg, pMemory, pFormat);
+ if (pFormat[0] != RPC_FC_BOGUS_ARRAY) + { + ERR("invalid format type %x\n", pFormat[0]); + RpcRaiseException(RPC_S_INTERNAL_ERROR); + return; + } + def = *(const WORD*)&pFormat[2]; pFormat += 4;
@@ -2207,6 +2228,13 @@ unsigned long WINAPI NdrComplexArrayMemo DWORD size = 0; FIXME("(%p,%p): stub\n", pStubMsg, pFormat);
+ if (pFormat[0] != RPC_FC_BOGUS_ARRAY) + { + ERR("invalid format type %x\n", pFormat[0]); + RpcRaiseException(RPC_S_INTERNAL_ERROR); + return 0; + } + pFormat += 4;
pFormat = ReadConformance(pStubMsg, pFormat); @@ -2229,6 +2257,13 @@ void WINAPI NdrComplexArrayFree(PMIDL_ST
TRACE("(%p,%p,%p)\n", pStubMsg, pMemory, pFormat);
+ if (pFormat[0] != RPC_FC_BOGUS_ARRAY) + { + ERR("invalid format type %x\n", pFormat[0]); + RpcRaiseException(RPC_S_INTERNAL_ERROR); + return; + } + def = *(const WORD*)&pFormat[2]; pFormat += 4;