dplayx: Check ENUMSESSIONSREPLY size before access.

dlls/dplayx/dplay.c

@@ -347,6 +347,7 @@ HRESULT DP_HandleMessage( IDirectPlayImpl *This, const void *lpcMessageBody,
       NS_AddRemoteComputerAsNameServer( lpcMessageHeader,
                                         This->dp2->spData.dwSPHeaderSize,
                                         lpcMessageBody,
+                                        dwMessageBodySize,
                                         This->dp2->lpNameServerData );
 
       LeaveCriticalSection( &This->lock );

dlls/dplayx/name_server.c

@@ -89,14 +89,25 @@ static DPQ_DECL_COMPARECB( cbUglyPig, GUID )
 void NS_AddRemoteComputerAsNameServer( LPCVOID                      lpcNSAddrHdr,
                                        DWORD                        dwHdrSize,
                                        LPCDPMSG_ENUMSESSIONSREPLY   lpcMsg,
+                                       DWORD                        msgSize,
                                        LPVOID                       lpNSInfo )
 {
   DWORD len;
   lpNSCache     lpCache = (lpNSCache)lpNSInfo;
   lpNSCacheData lpCacheNode;
+  DWORD maxNameLength;
+  DWORD nameLength;
 
   TRACE( "%p, %p, %p\n", lpcNSAddrHdr, lpcMsg, lpNSInfo );
 
+  if ( msgSize < sizeof( DPMSG_ENUMSESSIONSREPLY ) + sizeof( WCHAR ) )
+    return;
+
+  maxNameLength = (msgSize - sizeof( DPMSG_ENUMSESSIONSREPLY )) / sizeof( WCHAR );
+  nameLength = wcsnlen( (WCHAR *) (lpcMsg + 1), maxNameLength );
+  if ( nameLength == maxNameLength )
+    return;
+
   /* See if we can find this session. If we can, remove it as it's a dup */
   DPQ_REMOVE_ENTRY_CB( lpCache->first, next, data->guidInstance, cbUglyPig,
                        lpcMsg->sd.guidInstance, lpCacheNode );

dlls/dplayx/name_server.h

@@ -32,6 +32,7 @@ void NS_SetLocalComputerAsNameServer( LPCDPSESSIONDESC2 lpsd, LPVOID lpNSInfo );
 void NS_AddRemoteComputerAsNameServer( LPCVOID lpNSAddrHdr,
                                        DWORD dwHdrSize,
                                        LPCDPMSG_ENUMSESSIONSREPLY lpcMsg,
+                                       DWORD msgSize,
                                        LPVOID lpNSInfo );
 LPVOID NS_GetNSAddr( LPVOID lpNSInfo );
 DWORD NS_GetNsMagic( LPVOID lpNSInfo );