On Wed, 2012-11-14 at 16:28 +0100, Stefan Leichter wrote: > @@ -2053,6 +2053,8 @@ static BOOL cred_decode( const WCHAR *cred, unsigned > int len, char *buf ) > char c0, c1, c2, c3; > const WCHAR *p = cred; > > + TRACE("%s\n", debugstr_wn(cred,len));
This string is already traced in CredUnmarshalCredentialW. > @@ -2134,6 +2136,7 @@ BOOL WINAPI CredUnmarshalCredentialW( LPCWSTR cred, > PCRED_MARSHAL_TYPE type, PVO > case UsernameTargetCredential: > { > USERNAME_TARGET_CREDENTIAL_INFO *target; > + ULONGLONG size = 0; > > if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) || !size > || size % sizeof(WCHAR)) > { You should also perform a sanity check on 'size' to avoid overflow in calculations that follow.
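Review bot: In the cred_decode hunk, the added TRACE writes the marshaled credential string itself to the debug channel, and because cred_decode is also called on sub-ranges (the second hunk shows `cred_decode( cred + 3, 6, (char *)&size )`), it would log fragments of the same input on every call. Consider dropping it, or tracing only `len`, so that credential material is logged in at most one place.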
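Review bot: In the UsernameTargetCredential hunk, the check `!size || size % sizeof(WCHAR)` rejects zero and odd values but puts no upper bound on `size`. Now that it is a ULONGLONG decoded from caller-supplied text, it should be capped before it is used in any length or allocation arithmetic, for example by rejecting values larger than what the remaining `len` characters of input can encode. The value is also filled in through `(char *)&size`, so the 64-bit result depends on how many bytes cred_decode writes for 6 input characters and on byte order; a variable whose width matches the number of bytes decoded would make the check easier to reason about.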