From 23981241c1a496399e8fa67544e16b9eb32dea62 Mon Sep 17 00:00:00 2001
From: Eric Kohl <eric.kohl@t-online.de>
Date: Thu, 18 Sep 2014 14:22:20 +0200
Subject: [PATCH] rpcrt4: Fix buffer size calculation for arrays with embedded
 pointers.

---
 dlls/rpcrt4/ndr_marshall.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dlls/rpcrt4/ndr_marshall.c b/dlls/rpcrt4/ndr_marshall.c
index 3f1762a6a06..0cb41bc64f5 100644
--- a/dlls/rpcrt4/ndr_marshall.c
+++ b/dlls/rpcrt4/ndr_marshall.c
@@ -1211,7 +1211,7 @@ static unsigned char * EmbeddedPointerMarshall(PMIDL_STUB_MESSAGE pStubMsg,
         unsigned char *bufptr = bufbase + *(const SHORT*)&info[2];
         unsigned char *saved_memory = pStubMsg->Memory;
 
-        pStubMsg->Memory = pMemory;
+        pStubMsg->Memory = membase;
         PointerMarshall(pStubMsg, bufptr, *(unsigned char**)memptr, info+4);
         pStubMsg->Memory = saved_memory;
       }
@@ -1365,7 +1365,7 @@ static void EmbeddedPointerBufferSize(PMIDL_STUB_MESSAGE pStubMsg,
         unsigned char *memptr = membase + *(const SHORT*)&info[0];
         unsigned char *saved_memory = pStubMsg->Memory;
 
-        pStubMsg->Memory = pMemory;
+        pStubMsg->Memory = membase;
         PointerBufferSize(pStubMsg, *(unsigned char**)memptr, info+4);
         pStubMsg->Memory = saved_memory;
       }
@@ -1497,7 +1497,7 @@ static void EmbeddedPointerFree(PMIDL_STUB_MESSAGE pStubMsg,
         unsigned char *memptr = membase + *(const SHORT*)&info[0];
         unsigned char *saved_memory = pStubMsg->Memory;
 
-        pStubMsg->Memory = pMemory;
+        pStubMsg->Memory = membase;
         PointerFree(pStubMsg, *(unsigned char**)memptr, info+4);
         pStubMsg->Memory = saved_memory;
       }
-- 
2.11.4.GIT