Google Git
Sign in
goma/wine/613ee6d01c2bcea446c1792ef57a18afbbe0a8a4^!/.
commit
613ee6d01c2bcea446c1792ef57a18afbbe0a8a4
[log]
author
Robert Shearman <rob@codeweavers.com>
Sat Jun 10 12:32:35 2006 +0100
committer
Alexandre Julliard <julliard@winehq.org>
Mon Jun 12 13:21:46 2006 +0200
tree
1318a89911f136698a4fd7954a0a2c9d49c3e8b2
parent
a946eb420bc6c987c6072f3c24439737eb57224b [diff]
rpcrt4: Check that strings are null-terminated on unmarshaling of conformant-varying structs.

diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 26d430b..58bcd25 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c

@@ -3202,6 +3202,28 @@
     pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
 
     bufsize = safe_multiply(esize, pStubMsg->ActualCount);
+
+    if ((cvarray_type == RPC_FC_C_CSTRING) ||
+        (cvarray_type == RPC_FC_C_WSTRING))
+    {
+        ULONG i;
+        /* strings must always have null terminating bytes */
+        if (bufsize < esize)
+        {
+            ERR("invalid string length of %ld\n", pStubMsg->ActualCount);
+            RpcRaiseException(RPC_S_INVALID_BOUND);
+            return NULL;
+        }
+        for (i = bufsize - esize; i < bufsize; i++)
+            if (pStubMsg->Buffer[i] != 0)
+            {
+                ERR("string not null-terminated at byte position %ld, data is 0x%x\n",
+                    i, pStubMsg->Buffer[i]);
+                RpcRaiseException(RPC_S_INVALID_BOUND);
+                return NULL;
+            }
+    }
+
     /* copy the array data */
     memcpy(*ppMemory + pCVStructFormat->memory_size, pStubMsg->Buffer,
            bufsize);