rpcrt4: Fix an integer overflow in NdrConformantStructMarshall and NdrConformantStructUnmarshall.

8668369b · Rob Shearman · Alexandre Julliard · 074898ba · 8668369b
Commit 8668369b authored Nov 28, 2007 by Rob Shearman Committed by Alexandre Julliard Nov 29, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

ndr_marshall.c dlls/rpcrt4/ndr_marshall.c +12 -0

No files found.
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -3399,6 +3399,12 @@ unsigned char *  WINAPI NdrConformantStructMarshall(PMIDL_STUB_MESSAGE pStubMsg,
    TRACE("memory_size = %d\n", pCStructFormat->memory_size);

    bufsize = safe_multiply(esize, pStubMsg->MaxCount);
+    if (pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size) /* integer overflow */
+    {
+        ERR("integer overflow of memory_size %u with bufsize %u\n",
+            pCStructFormat->memory_size, bufsize);
+        RpcRaiseException(RPC_X_BAD_STUB_DATA);
+    }
    /* copy constant sized part of struct */
    pStubMsg->BufferMark = pStubMsg->Buffer;
    safe_copy_to_buffer(pStubMsg, pMemory, pCStructFormat->memory_size + bufsize);
@@ -3447,6 +3453,12 @@ unsigned char *  WINAPI NdrConformantStructUnmarshall(PMIDL_STUB_MESSAGE pStubMs
    TRACE("memory_size = %d\n", pCStructFormat->memory_size);

    bufsize = safe_multiply(esize, pStubMsg->MaxCount);
+    if (pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size) /* integer overflow */
+    {
+        ERR("integer overflow of memory_size %u with bufsize %u\n",
+            pCStructFormat->memory_size, bufsize);
+        RpcRaiseException(RPC_X_BAD_STUB_DATA);
+    }
    /* work out how much memory to allocate if we need to do so */
    if (!*ppMemory || fMustAlloc)
    {