Module: wine Branch: master Commit: aec7befb5115d866724149bbc5576c7259fef820 URL: https://source.winehq.org/git/wine.git/?a=commit;h=aec7befb5115d866724149bbc...
Author: Alexandre Julliard julliard@winehq.org Date: Tue Sep 18 20:17:54 2018 +0200
server: Avoid potential size overflow for empty object attributes.
Signed-off-by: Alexandre Julliard julliard@winehq.org
---
server/request.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/server/request.c b/server/request.c index 6120bc5..77f4f71 100644 --- a/server/request.c +++ b/server/request.c @@ -166,12 +166,13 @@ void *set_reply_data_size( data_size_t size ) return current->reply_data; }
+static const struct object_attributes empty_attributes; + /* return object attributes from the current request */ const struct object_attributes *get_req_object_attributes( const struct security_descriptor **sd, struct unicode_str *name, struct object **root ) { - static const struct object_attributes empty_attributes; const struct object_attributes *attr = get_req_data(); data_size_t size = get_req_data_size();
@@ -213,8 +214,14 @@ const struct object_attributes *get_req_object_attributes( const struct security /* return a pointer to the request data following an object attributes structure */ const void *get_req_data_after_objattr( const struct object_attributes *attr, data_size_t *len ) { - const void *ptr = (const WCHAR *)((const struct object_attributes *)get_req_data() + 1) + - attr->sd_len / sizeof(WCHAR) + attr->name_len / sizeof(WCHAR); + const void *ptr; + + if (attr == &empty_attributes) + { + *len = 0; + return NULL; + } + ptr = (const WCHAR *)(attr + 1) + attr->sd_len / sizeof(WCHAR) + attr->name_len / sizeof(WCHAR); *len = get_req_data_size() - ((const char *)ptr - (const char *)get_req_data()); return ptr; }
-
Alexandre Julliard