From 613ee6d01c2bcea446c1792ef57a18afbbe0a8a4 Mon Sep 17 00:00:00 2001
From: Robert Shearman
Date: Sat, 10 Jun 2006 12:32:35 +0100
Subject: [PATCH] rpcrt4: Check that strings are null-terminated on unmarshaling of conformant-varying structs.
---
 dlls/rpcrt4/ndr_marshall.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 26d430bc397..58bcd25172a 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -3202,6 +3202,28 @@ unsigned char * WINAPI NdrConformantVaryingStructUnmarshall(PMIDL_STUB_MESSAGE
 pCVArrayFormat = ReadVariance(pStubMsg, pCVArrayFormat);
 bufsize = safe_multiply(esize, pStubMsg->ActualCount);
+
+ if ((cvarray_type == RPC_FC_C_CSTRING) ||
+ (cvarray_type == RPC_FC_C_WSTRING))
+ {
+ ULONG i;
+ /* strings must always have null terminating bytes */
+ if (bufsize < esize)
+ {
+ ERR("invalid string length of %ld\n", pStubMsg->ActualCount);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ for (i = bufsize - esize; i < bufsize; i++)
+ if (pStubMsg->Buffer[i] != 0)
+ {
+ ERR("string not null-terminated at byte position %ld, data is 0x%x\n",
+ i, pStubMsg->Buffer[i]);
+ RpcRaiseException(RPC_S_INVALID_BOUND);
+ return NULL;
+ }
+ }
+
 /* copy the array data */
 memcpy(*ppMemory + pCVStructFormat->memory_size, pStubMsg->Buffer, bufsize);
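Review bot: The new terminator loop indexes `pStubMsg->Buffer[bufsize - esize]` through `pStubMsg->Buffer[bufsize - 1]`, but nothing visible in the hunk confirms that `bufsize` bytes actually remain in the receive buffer. `bufsize` is computed from `pStubMsg->ActualCount`, which is presumably filled from the marshalled stream by the `ReadVariance` call just above, so a peer-chosen count could push both this loop and the following `memcpy` past the end of the received data. Unless the part of `NdrConformantVaryingStructUnmarshall` outside the hunk already bounds it, I would add a remaining-length check before the string test, for example `if (bufsize > (ULONG)(pStubMsg->BufferEnd - pStubMsg->Buffer)) RpcRaiseException(RPC_X_BAD_STUB_DATA);`, assuming `BufferEnd` is populated on this path. Separately, both `ERR` calls print a `ULONG` with `%ld`; `%lu` matches the unsigned type.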