r23673: Check for integer wrap on incoming data.

Jeremy.

diff --git a/source/lib/util_reg_api.c b/source/lib/util_reg_api.c
index 8668bd881759669fd31805cb960e6b0400a59d62..a4fb0261e310940b714332044c1efea483e3b2a6 100644 (file)
--- a/source/lib/util_reg_api.c
+++ b/source/lib/util_reg_api.c
@@ -80,6 +80,12 @@ WERROR registry_pull_value(TALLOC_CTX *mem_ctx,
                        tmp[num_ucs2] = 0;
                }
 
+               if (length + 2 < length) {
+                       /* Integer wrap. */
+                       err = WERR_INVALID_PARAM;
+                       goto error;
+               }
+
                value->v.sz.len = convert_string_talloc(
                        value, CH_UTF16LE, CH_UNIX, tmp, length+2,
                        &value->v.sz.str, False);