From 37313598af769f3e9fbe463c2abb6af1ebabfa21 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 15 Mar 2012 13:07:47 +0100
Subject: pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of
 array elements (bug #8815 / CVE-2012-1182)

An anonymous researcher and Brian Gorenc (HP DVLabs) working
with HP's Zero Day Initiative program have found this and notified us.

metze
---
 pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

(limited to 'pidl')

diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index eaf673bbd7..fe93ae19a4 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -1157,14 +1157,10 @@ sub ParseElementPullLevel
 		}
 	} elsif ($l->{TYPE} eq "ARRAY" and 
 			not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
-		my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+		my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
 		my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
 		my $array_name = $var_name;
 
-		if ($l->{IS_VARYING}) {
-			$length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
-		}
-
 		if (my $range = has_property($e, "range")) {
 			my ($low, $high) = split(/,/, $range, 2);
 			if ($low < 0) {
-- 
cgit