Module: wine Branch: refs/heads/master Commit: 8dea3c2aa866bb3f5e24d12b43712c524e8b8fa8 URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=8dea3c2aa866bb3f5e24d12b...
Author: Robert Shearman rob@codeweavers.com Date: Sat Jun 10 12:32:47 2006 +0100
rpcrt4: Pass in a maximum variance value to ReadVariance to allow us
to validate the conformance values being read from the wire.
---
dlls/rpcrt4/ndr_marshall.c | 40 +++++++++++++++++++--------------------- 1 files changed, 19 insertions(+), 21 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c index 58bcd25..50d3871 100644 --- a/dlls/rpcrt4/ndr_marshall.c +++ b/dlls/rpcrt4/ndr_marshall.c @@ -332,7 +332,7 @@ static PFORMAT_STRING ReadConformance(MI return pFormat+4; }
-static inline PFORMAT_STRING ReadVariance(MIDL_STUB_MESSAGE *pStubMsg, PFORMAT_STRING pFormat) +static inline PFORMAT_STRING ReadVariance(MIDL_STUB_MESSAGE *pStubMsg, PFORMAT_STRING pFormat, ULONG MaxValue) { if (pFormat && !IsConformanceOrVariancePresent(pFormat)) { @@ -349,6 +349,15 @@ static inline PFORMAT_STRING ReadVarianc pStubMsg->Buffer += 4; TRACE("variance is %ld\n", pStubMsg->ActualCount);
+ if ((pStubMsg->ActualCount > MaxValue) || + (pStubMsg->ActualCount + pStubMsg->Offset > MaxValue)) + { + ERR("invalid array bound(s): ActualCount = %ld, Offset = %ld, MaxValue = %ld\n", + pStubMsg->ActualCount, pStubMsg->Offset, MaxValue); + RpcRaiseException(RPC_S_INVALID_BOUND); + return NULL; + } + done: if (pStubMsg->fHasNewCorrDesc) return pFormat+6; @@ -675,7 +684,7 @@ unsigned char *WINAPI NdrConformantStrin assert(pFormat && ppMemory && pStubMsg);
ReadConformance(pStubMsg, NULL); - ReadVariance(pStubMsg, NULL); + ReadVariance(pStubMsg, NULL, pStubMsg->MaxCount);
if (*pFormat == RPC_FC_C_CSTRING) esize = 1; else if (*pFormat == RPC_FC_C_WSTRING) esize = 2; @@ -2365,11 +2374,12 @@ unsigned char* WINAPI NdrConformantVaryi }
pFormat = ReadConformance(pStubMsg, pFormat+4); - pFormat = ReadVariance(pStubMsg, pFormat); + pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
ALIGN_POINTER(pStubMsg->Buffer, alignment);
bufsize = safe_multiply(esize, pStubMsg->ActualCount); + TRACE("esize = %ld, pStubMsg->MaxCount = %ld, result = %ld\n", esize, pStubMsg->MaxCount, esize * pStubMsg->MaxCount); memsize = safe_multiply(esize, pStubMsg->MaxCount);
if (!*ppMemory || fMustAlloc) @@ -2525,7 +2535,7 @@ unsigned char * WINAPI NdrComplexArrayUn pFormat += 4;
pFormat = ReadConformance(pStubMsg, pFormat); - pFormat = ReadVariance(pStubMsg, pFormat); + pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
Buffer = pStubMsg->Buffer; esize = ComplexStructMemorySize(pStubMsg, pFormat); @@ -2618,7 +2628,7 @@ unsigned long WINAPI NdrComplexArrayMemo pFormat += 4;
pFormat = ReadConformance(pStubMsg, pFormat); - pFormat = ReadVariance(pStubMsg, pFormat); + pFormat = ReadVariance(pStubMsg, pFormat, pStubMsg->MaxCount);
ALIGN_POINTER(pStubMsg->Buffer, alignment);
@@ -3199,7 +3209,7 @@ unsigned char * WINAPI NdrConformantVar memcpy(*ppMemory, pStubMsg->Buffer, pCVStructFormat->memory_size); pStubMsg->Buffer += pCVStructFormat->memory_size;
- pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat); + pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat, pStubMsg->MaxCount);
bufsize = safe_multiply(esize, pStubMsg->ActualCount);
@@ -3366,7 +3376,7 @@ unsigned long WINAPI NdrConformantVaryin TRACE("memory_size = %d\n", pCVStructFormat->memory_size);
pStubMsg->Buffer += pCVStructFormat->memory_size; - pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat); + pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat, pStubMsg->MaxCount); pStubMsg->Buffer += pCVStructFormat->memory_size + safe_multiply(esize, pStubMsg->ActualCount);
pStubMsg->MemorySize += pCVStructFormat->memory_size + safe_multiply(esize, pStubMsg->MaxCount); @@ -3757,13 +3767,7 @@ unsigned char * WINAPI NdrVaryingArrayU esize = *(const WORD*)pFormat; pFormat += sizeof(WORD);
- pFormat = ReadVariance(pStubMsg, pFormat); - if ((pStubMsg->ActualCount > elements) || - (pStubMsg->ActualCount + pStubMsg->Offset > elements)) - { - RpcRaiseException(RPC_S_INVALID_BOUND); - return NULL; - } + pFormat = ReadVariance(pStubMsg, pFormat, elements);
ALIGN_POINTER(pStubMsg->Buffer, alignment);
@@ -3877,13 +3881,7 @@ unsigned long WINAPI NdrVaryingArrayMemo esize = *(const WORD*)pFormat; pFormat += sizeof(WORD);
- pFormat = ReadVariance(pStubMsg, pFormat); - if ((pStubMsg->ActualCount > elements) || - (pStubMsg->ActualCount + pStubMsg->Offset > elements)) - { - RpcRaiseException(RPC_S_INVALID_BOUND); - return 0; - } + pFormat = ReadVariance(pStubMsg, pFormat, elements);
ALIGN_POINTER(pStubMsg->Buffer, alignment);