From 95bb2c23e6e9c52a1e34916dff05b1d306278bc6 Mon Sep 17 00:00:00 2001
From: Michael Adam
Date: Thu, 29 Sep 2011 18:06:56 +0200
Subject: s3:registry: fix the test for a REG_SZ blob possibly being a zero terminated ucs2 string

1. catch data blobs with odd number of bytes (not an ucs2 string at all)
2. test the right ucs2 character to be 0 (prevent out-of bounds access/potential segfault)
Autobuild-User: Michael Adam
Autobuild-Date: Sun Oct 2 01:26:05 CEST 2011 on sn-devel-104
---
 source3/registry/reg_format.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/source3/registry/reg_format.c b/source3/registry/reg_format.c
index 77a27fcc0a..db03961919 100644
--- a/source3/registry/reg_format.c
+++ b/source3/registry/reg_format.c
@@ -329,7 +329,16 @@ done:
 static bool is_zero_terminated_ucs2(const uint8_t* data, size_t len) {
 const size_t idx = len/sizeof(smb_ucs2_t);
 const smb_ucs2_t *str = (const smb_ucs2_t*)data;
- return (idx > 0) && (str[idx] == 0);
+
+ if ((len % sizeof(smb_ucs2_t)) != 0) {
+ return false;
+ }
+
+ if (idx == 0) {
+ return false;
+ }
+
+ return (str[idx-1] == 0);
 }
 
 int reg_format_value(struct reg_format* f, const char* name, uint32_t type,
-- cgit
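Review bot: The final `return (str[idx-1] == 0);` still reads the blob through a `const smb_ucs2_t *` cast of a `const uint8_t *`, so the check depends on `data` being suitably aligned for `smb_ucs2_t`, which nothing in this function guarantees for a registry value blob. After the two new guards `len` is known to be even and non-zero, so (assuming `smb_ucs2_t` is a 16-bit type, which the hunk does not show) the terminator can be tested bytewise with `return (data[len-2] == 0) && (data[len-1] == 0);`, and the `str` cast is then no longer needed. A short comment above the function, such as `/* true iff len is a non-zero multiple of sizeof(smb_ucs2_t) and the last code unit is 0; data must hold at least len bytes */`, would also record the bounds contract this fix relies on.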