1 files changed, 18 insertions, 3 deletions

diff --git a/librpc/gen_ndr/cli_winreg.c b/librpc/gen_ndr/cli_winreg.c
index c5d19be5f1f..93f969d34f3 100644
--- a/librpc/gen_ndr/cli_winreg.c
+++ b/librpc/gen_ndr/cli_winreg.c
@@ -544,7 +544,13 @@ NTSTATUS rpccli_winreg_EnumValue(struct rpc_pipe_client *cli,
 		*type = *r.out.type;
 	}
 	if (value && r.out.value) {
-		memcpy(value, r.out.value, (*r.in.size) * sizeof(*value));
+		if ((*r.out.size) > (*r.in.size)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+		if ((*r.out.length) > (*r.out.size)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+		memcpy(value, r.out.value, (*r.out.length) * sizeof(*value));
 	}
 	if (size && r.out.size) {
 		*size = *r.out.size;
@@ -915,7 +921,13 @@ NTSTATUS rpccli_winreg_QueryValue(struct rpc_pipe_client *cli,
 		*type = *r.out.type;
 	}
 	if (data && r.out.data) {
-		memcpy(data, r.out.data, (*r.in.data_size) * sizeof(*data));
+		if ((*r.out.data_size) > (*r.in.data_size)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+		if ((*r.out.data_length) > (*r.out.data_size)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+		memcpy(data, r.out.data, (*r.out.data_length) * sizeof(*data));
 	}
 	if (data_size && r.out.data_size) {
 		*data_size = *r.out.data_size;
@@ -1483,7 +1495,10 @@ NTSTATUS rpccli_winreg_QueryMultipleValues(struct rpc_pipe_client *cli,
 	/* Return variables */
 	memcpy(values, r.out.values, (r.in.num_values) * sizeof(*values));
 	if (buffer && r.out.buffer) {
-		memcpy(buffer, r.out.buffer, (*r.in.buffer_size) * sizeof(*buffer));
+		if ((*r.out.buffer_size) > (*r.in.buffer_size)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+		memcpy(buffer, r.out.buffer, (*r.out.buffer_size) * sizeof(*buffer));
 	}
 	*buffer_size = *r.out.buffer_size;