pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array elements (bug #8815 / CVE-2012-1182)

An anonymous researcher and Brian Gorenc (HP DVLabs) working with HP's Zero Day Initiative program have found this and notified us. metze (cherry picked from commit 586c3fab85cde3bd6a5141fbba3bb5fcb6b67ab5)
author: Stefan Metzmacher <metze@samba.org> 2012-03-15 13:07:47 +0100
committer: Karolin Seeger <kseeger@samba.org> 2012-04-10 20:35:44 +0200
commit: 7b711ce91a01dae266e4acaa5ab6487109e1264f (patch)
tree: 9fcfac200a9f639871cf068ab9ce27510a453a8e
parent: 994308c556fbaf4943e0d9c71d0c1cea0ebb5fb5 (diff)
download: samba-7b711ce91a01dae266e4acaa5ab6487109e1264f.tar.gz
1 files changed, 1 insertions, 5 deletions
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index f2d74013ea5..77223b63916 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -1111,14 +1111,10 @@ sub ParseElementPullLevel
 		}
 	} elsif ($l->{TYPE} eq "ARRAY" and 
 			not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
-		my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+		my $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
 		my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
 		my $array_name = $var_name;
 
-		if ($l->{IS_VARYING}) {
-			$length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
-		}
-
 		if (my $range = has_property($e, "range")) {
 			my ($low, $high) = split(/,/, $range, 2);
 			if ($low < 0) {
author	Stefan Metzmacher <metze@samba.org>	2012-03-15 13:07:47 +0100
committer	Karolin Seeger <kseeger@samba.org>	2012-04-10 20:35:44 +0200
commit	7b711ce91a01dae266e4acaa5ab6487109e1264f (patch)
tree	9fcfac200a9f639871cf068ab9ce27510a453a8e
parent	994308c556fbaf4943e0d9c71d0c1cea0ebb5fb5 (diff)
download	samba-7b711ce91a01dae266e4acaa5ab6487109e1264f.tar.gz