Re: oleaut32: Handle xbuf_get erroring out in deserialize_param (and avoid uninitialized read). - wine-devel

20 Sep 2016

Gerald Pfeifer gerald@pfeifer.com wrote:
...

--- a/dlls/oleaut32/tmarshal.c
+++ b/dlls/oleaut32/tmarshal.c
@@ -1078,7 +1078,10 @@ deserialize_param(
       if (readit) {
   	DWORD x;
   	hres = xbuf_get(buf,(LPBYTE)&x,sizeof(DWORD));

if (hres) ERR("Failed to read integer 4 byte\n");




if (hres) {


    ERR("Failed to read integer 4 byte\n");


    x = 0;


}

memcpy(arg,&x,2);
  }
  if (debugout) TRACE_(olerelay)("%04x",*arg & 0xffff);

@@ -1088,7 +1091,10 @@ deserialize_param(
       if (readit) {
   	DWORD x;
   	hres = xbuf_get(buf,(LPBYTE)&x,sizeof(DWORD));

if (hres) ERR("Failed to read integer 4 byte\n");




if (hres) {


    ERR("Failed to read integer 4 byte\n");


    x = 0;


}

memcpy(arg,&x,1);

A proper fix would be to avoid a memcpy() if xbuf_get() fails instead
of creating bogus input data.
-- 
Dmitry.


    