pidl: check the size of pulled arrays of arrays
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 30 Oct 2019 20:35:19 +0000 (09:35 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 20 Nov 2019 04:41:28 +0000 (04:41 +0000)
We were accidentally checking the memory just past the array instead of
checking each member.

This could have led to the size of some arrays not being checked.

Found by Michael Hanselmann using Honggfuzz and a fuzzer for Samba's
NDR layer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13877

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
selftest/knownfail.d/ndrdump [deleted file]

index 8759e46aedb2a09d99c306f238fc23445d24f1e5..c1a2cc99cb7567afa996dfd73a73e741197ab54b 100644 (file)
@@ -1247,10 +1247,14 @@ sub ParseElementPullLevel
 
                if ($deferred and ContainsDeferred($e, $l)) {
                        $self->pidl("for ($counter = 0; $counter < ($length); $counter++) {");
+                       $self->defer("for ($counter = 0; $counter < ($length); $counter++) {");
+                       $self->defer_indent;
                        $self->indent;
                        $self->ParseElementPullLevel($e,GetNextLevel($e,$l), $ndr, $var_name, $env, 0, 1);
                        $self->deindent;
+                       $self->defer_deindent;
                        $self->pidl("}");
+                       $self->defer("}");
                }
 
                $self->ParseMemCtxPullEnd($e, $l, $ndr);
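Review bot: The new `$self->defer("for ($counter = 0; ...` block has no comment explaining why the loop is emitted twice, and the reason is exactly the bug being fixed: the deferred part of each member is pulled later from the deferred buffer, so without its own loop it indexes `$var_name` with whatever value `$counter` holds after the primitive loop finished, i.e. one slot past the array. I would add above the first `defer` call: `# Mirror the loop in the deferred output: the deferred pull of each member runs later and must iterate $counter itself, otherwise it reads the slot past the end of the array.` This also presumably relies on `$counter` being declared once at function scope so the same variable is visible in the deferred section, and on `$length` still evaluating to the validated array length there; neither is visible in this hunk and both are worth a one-line note. The enclosing `ParseElementPullLevel` begins before and continues after this hunk.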
diff --git a/selftest/knownfail.d/ndrdump b/selftest/knownfail.d/ndrdump
deleted file mode 100644 (file)
index 4c91544..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_clusapi_QueryAllValues
\ No newline at end of file