From e70cc781b3f27bbd32a340c698912dabd7bd3142 Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Tue, 12 Aug 2014 07:52:29 +0000
Subject: [PATCH] [RPCRT4] - Correctly check for in-buffer memory in PointerFree. Fixes invalid free e.g. when calling StartService without service arguments svn path=/trunk/; revision=63871
---
 reactos/dll/win32/rpcrt4/ndr_marshall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reactos/dll/win32/rpcrt4/ndr_marshall.c b/reactos/dll/win32/rpcrt4/ndr_marshall.c
index 6f19cb35761..51795467e49 100644
--- a/reactos/dll/win32/rpcrt4/ndr_marshall.c
+++ b/reactos/dll/win32/rpcrt4/ndr_marshall.c
@@ -1120,7 +1120,7 @@ static void PointerFree(PMIDL_STUB_MESSAGE pStubMsg,
 * BufferStart and BufferEnd won't be reset when allocating memory for
 * sending the response. we don't have to check for the new buffer here as
 * it won't be used a type memory, only for buffer memory */
- if (Pointer >= pStubMsg->BufferStart && Pointer < pStubMsg->BufferEnd)
+ if (Pointer >= pStubMsg->BufferStart && Pointer <= pStubMsg->BufferEnd)
 goto notfree;
 if (attr & RPC_FC_P_ONSTACK) {
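Review bot: The inclusive bound in `Pointer <= pStubMsg->BufferEnd` has no explanation in the comment above it, which still speaks only of memory "from the buffer", so a later reader is likely to take the `<=` for an off-by-one and restore `<`, bringing back the invalid free named in the commit message. I would extend that comment with something like `/* BufferEnd itself is treated as in-buffer: a pointer left exactly at the end of the buffer was never allocated and must not be freed */`; presumably this is the zero-length case that StartService without arguments produces, which should be confirmed and stated. It is also worth noting there that an allocation starting exactly at BufferEnd would now be skipped and leaked rather than freed, which is the safer direction of the two failures. PointerFree's body begins and continues outside this hunk, so the `notfree` path is not visible here.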