Module: wine Branch: refs/heads/master Commit: cec6092aa293469f18431e2d5158b88df4b0c98a URL: http://source.winehq.org/git/?p=wine.git;a=commit;h=cec6092aa293469f18431e2d...
Author: Robert Shearman rob@codeweavers.com Date: Sat Jun 10 12:32:01 2006 +0100
rpcrt4: Raise an exception during unmarshaling if a conformant string isn't null-terminated.
---
dlls/rpcrt4/ndr_marshall.c | 18 +++++++++++++++++- 1 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 8fbb61f..2990f16 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -667,7 +667,7 @@ unsigned long WINAPI NdrConformantString
 unsigned char *WINAPI NdrConformantStringUnmarshall( PMIDL_STUB_MESSAGE pStubMsg, unsigned char** ppMemory, PFORMAT_STRING pFormat, unsigned char fMustAlloc ) {
- unsigned long size, esize;
+ ULONG size, esize, i;
TRACE("(pStubMsg == ^%p, *pMemory == ^%p, pFormat == ^%p, fMustAlloc == %u)\n", pStubMsg, *ppMemory, pFormat, fMustAlloc);
@@ -687,6 +687,22 @@ unsigned char *WINAPI NdrConformantStrin
size = safe_multiply(esize, pStubMsg->ActualCount);
+ /* strings must always have null terminating bytes */
+ if (size < esize)
+ {
+ ERR("invalid string length of %ld\n", pStubMsg->ActualCount);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ for (i = size - esize; i < size; i++)
+ if (pStubMsg->Buffer[i] != 0)
+ {
+ ERR("string not null-terminated at byte position %ld, data is 0x%x\n",
+ i, pStubMsg->Buffer[i]);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ if (fMustAlloc || !*ppMemory) *ppMemory = NdrAllocate(pStubMsg, size);
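Review bot: The new terminator loop reads `pStubMsg->Buffer[size - esize]` through `Buffer[size - 1]`, but nothing visible in this hunk checks that `size` bytes actually remain in the received buffer. `ActualCount` appears to come from the marshalled data, so an oversized count would make the validation itself read past the end of the message. Unless an earlier bound exists outside the hunk, compare before the loop, e.g. `if (size > (ULONG_PTR)(pStubMsg->BufferEnd - pStubMsg->Buffer)) RpcRaiseException(RPC_X_BAD_STUB_DATA);` (assuming `BufferEnd` is maintained on this path). Separately, `i` is declared `ULONG` in the first hunk but printed with `%ld`; an unsigned conversion matching its width would be safer. The function body starts before this hunk and continues after it.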