From 8668369b4f27dba9011493d8e8d40e4851743394 Mon Sep 17 00:00:00 2001
From: Rob Shearman <rob@codeweavers.com>
Date: Wed, 28 Nov 2007 15:02:39 +0000
Subject: [PATCH] rpcrt4: Fix an integer overflow in
 NdrConformantStructMarshall and NdrConformantStructUnmarshall.

---
 dlls/rpcrt4/ndr_marshall.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index cbb766db2ea..35028b4bb8c 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -3399,6 +3399,12 @@ unsigned char *  WINAPI NdrConformantStructMarshall(PMIDL_STUB_MESSAGE pStubMsg,
     TRACE("memory_size = %d\n", pCStructFormat->memory_size);
 
     bufsize = safe_multiply(esize, pStubMsg->MaxCount);
+    if (pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size) /* integer overflow */
+    {
+        ERR("integer overflow of memory_size %u with bufsize %u\n",
+            pCStructFormat->memory_size, bufsize);
+        RpcRaiseException(RPC_X_BAD_STUB_DATA);
+    }
     /* copy constant sized part of struct */
     pStubMsg->BufferMark = pStubMsg->Buffer;
     safe_copy_to_buffer(pStubMsg, pMemory, pCStructFormat->memory_size + bufsize);
@@ -3447,6 +3453,12 @@ unsigned char *  WINAPI NdrConformantStructUnmarshall(PMIDL_STUB_MESSAGE pStubMs
     TRACE("memory_size = %d\n", pCStructFormat->memory_size);
 
     bufsize = safe_multiply(esize, pStubMsg->MaxCount);
+    if (pCStructFormat->memory_size + bufsize < pCStructFormat->memory_size) /* integer overflow */
+    {
+        ERR("integer overflow of memory_size %u with bufsize %u\n",
+            pCStructFormat->memory_size, bufsize);
+        RpcRaiseException(RPC_X_BAD_STUB_DATA);
+    }
     /* work out how much memory to allocate if we need to do so */
     if (!*ppMemory || fMustAlloc)
     {
-- 
2.11.4.GIT