Module: wine Branch: master Commit: 8668369b4f27dba9011493d8e8d40e4851743394 URL: http://source.winehq.org/git/wine.git/?a=commit;h=8668369b4f27dba9011493d8e8...
Author: Rob Shearman rob@codeweavers.com Date: Wed Nov 28 15:02:39 2007 +0000
rpcrt4: Fix an integer overflow in NdrConformantStructMarshall and NdrConformantStructUnmarshall.
---
dlls/rpcrt4/ndr_marshall.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index cbb766d..35028b4 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -3399,6 +3399,12 @@ unsigned char * WINAPI NdrConformantStructMarshall(PMIDL_STUB_MESSAGE pStubMsg,
 TRACE("memory_size = %d\n", pCStructFormat->memory_size);
 bufsize = safe_multiply(esize, pStubMsg->MaxCount);
+ if (pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size) /* integer overflow */
+ {
+ ERR("integer overflow of memory_size %u with bufsize %u\n",
+ pCStructFormat->memory_size, bufsize);
+ RpcRaiseException(RPC_X_BAD_STUB_DATA);
+ }
 /* copy constant sized part of struct */
 pStubMsg->BufferMark = pStubMsg->Buffer;
 safe_copy_to_buffer(pStubMsg, pMemory, pCStructFormat->memory_size + bufsize);
@@ -3447,6 +3453,12 @@ unsigned char * WINAPI NdrConformantStructUnmarshall(PMIDL_STUB_MESSAGE pStubMs
 TRACE("memory_size = %d\n", pCStructFormat->memory_size);
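Review bot: The wrap test `pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size` is only sound if the addition is carried out in an unsigned type at least as wide as `bufsize`; both declarations are outside the hunk, and the neighbouring TRACE prints `memory_size` with `%d` while the new ERR prints it with `%u`, so the types are worth confirming. The guarded sum is then computed a second time in the `safe_copy_to_buffer` call, and the same six lines are repeated in the NdrConformantStructUnmarshall hunk. A small helper beside `safe_multiply` that returns the checked sum would keep the test and its use from drifting apart, and a comment such as `/* memory_size + bufsize is the copy length below; a wrapped sum would under-size it */` would record why the guard sits here. Both function bodies start and end outside the hunks.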
 bufsize = safe_multiply(esize, pStubMsg->MaxCount);
+ if (pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size) /* integer overflow */
+ {
+ ERR("integer overflow of memory_size %u with bufsize %u\n",
+ pCStructFormat->memory_size, bufsize);
+ RpcRaiseException(RPC_X_BAD_STUB_DATA);
+ }
 /* work out how much memory to allocate if we need to do so */
 if (!*ppMemory || fMustAlloc)
 {
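Review bot: On the unmarshalling side this `ERR(...)` reports values that presumably derive from the received stub data (`pStubMsg->MaxCount` is assigned outside the hunk), so a misbehaving peer could make it fire as often as it likes. ERR-class messages are printed by default in Wine, so a quieter class with the same format string, e.g. `WARN("integer overflow of memory_size %u with bufsize %u\n",`, may fit this path better, keeping ERR for the marshalling hunk where the inputs come from the local caller. The guard is well placed ahead of the allocation-size computation that follows; the function body continues outside the hunk.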