From 6754c35589709c033d30ca593de90fa55f25b4e4 Mon Sep 17 00:00:00 2001
From: Thomas Faber <thomas.faber@reactos.org>
Date: Fri, 28 Mar 2014 10:21:06 +0100
Subject: [PATCH] advapi32: Fix uneven length handling in
 CredUnmarshalCredential.

---
 dlls/advapi32/cred.c       |  2 +-
 dlls/advapi32/tests/cred.c | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/dlls/advapi32/cred.c b/dlls/advapi32/cred.c
index 9ecfaee3b05..fdd56450172 100644
--- a/dlls/advapi32/cred.c
+++ b/dlls/advapi32/cred.c
@@ -2100,7 +2100,7 @@ BOOL WINAPI CredUnmarshalCredentialW( LPCWSTR cred, PCRED_MARSHAL_TYPE type, PVO
         DWORD size;
 
         if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) ||
-            !size || size % sizeof(WCHAR) || size > INT_MAX)
+            size % sizeof(WCHAR) || len - 6 != (size * 4 + 2) / 3)
         {
             SetLastError( ERROR_INVALID_PARAMETER );
             return FALSE;
diff --git a/dlls/advapi32/tests/cred.c b/dlls/advapi32/tests/cred.c
index de05e30fb40..0ee08ef3a81 100644
--- a/dlls/advapi32/tests/cred.c
+++ b/dlls/advapi32/tests/cred.c
@@ -566,6 +566,8 @@ static void test_CredUnmarshalCredentialA(void)
     static const UCHAR cert_empty[CERT_HASH_LENGTH] = {0};
     static const UCHAR cert_wine[CERT_HASH_LENGTH] = {'W','i','n','e',0};
     static const WCHAR tW[] = {'t',0};
+    static const WCHAR teW[] = {'t','e',0};
+    static const WCHAR tesW[] = {'t','e','s',0};
     static const WCHAR testW[] = {'t','e','s','t',0};
     void *p;
     CERT_CREDENTIAL_INFO *cert;
@@ -593,6 +595,8 @@ static void test_CredUnmarshalCredentialA(void)
         { "@@-", 63, NULL },
         { "@@B", CertCredential, NULL },
         { "@@BA", CertCredential, NULL },
+        { "@@BAAAAAAAAAAAAAAAAAAAAAAAAAA", CertCredential, NULL },
+        { "@@BAAAAAAAAAAAAAAAAAAAAAAAAAAAA", CertCredential, NULL },
         { "@@BAAAAAAAAAAAAAAAAAAAAAAAAAAA", CertCredential, cert_empty },
         { "@@BXlmblBAAAAAAAAAAAAAAAAAAAAA", CertCredential, cert_wine },
         { "@@C", UsernameTargetCredential, NULL },
@@ -601,6 +605,20 @@ static void test_CredUnmarshalCredentialA(void)
         { "@@CAAAAAA0B", UsernameTargetCredential, NULL },
         { "@@CAAAAAA0BA", UsernameTargetCredential, NULL },
         { "@@CCAAAAA0BA", UsernameTargetCredential, tW },
+        { "@@CEAAAAA0BA", UsernameTargetCredential, NULL },
+        { "@@CEAAAAA0BAd", UsernameTargetCredential, NULL },
+        { "@@CEAAAAA0BAdA", UsernameTargetCredential, NULL },
+        { "@@CEAAAAA0BQZAA", UsernameTargetCredential, teW },
+        { "@@CEAAAAA0BQZAQ", UsernameTargetCredential, teW },
+        { "@@CEAAAAA0BQZAg", UsernameTargetCredential, teW },
+        { "@@CEAAAAA0BQZAw", UsernameTargetCredential, teW },
+        { "@@CEAAAAA0BQZAAA", UsernameTargetCredential, NULL },
+        { "@@CGAAAAA0BQZAMH", UsernameTargetCredential, NULL },
+        { "@@CGAAAAA0BQZAMHA", UsernameTargetCredential, tesW },
+        { "@@CGAAAAA0BQZAMHAA", UsernameTargetCredential, NULL },
+        { "@@CCAAAAA0BAA", UsernameTargetCredential, NULL },
+        { "@@CBAAAAA0BAA", UsernameTargetCredential, NULL },
+        { "@@CAgAAAA0BAA", UsernameTargetCredential, NULL },
         { "@@CIAAAAA0BQZAMHA0BA", UsernameTargetCredential, testW },
         { "@@CA-----0BQZAMHA0BA", UsernameTargetCredential, NULL },
     };