Author: tfaber Date: Tue Aug 12 07:52:29 2014 New Revision: 63871 URL: http://svn.reactos.org/svn/reactos?rev=63871&view=rev Log: [RPCRT4] - Correctly check for in-buffer memory in PointerFree. Fixes invalid free e.g. when calling StartService without service arguments Modified: trunk/reactos/dll/win32/rpcrt4/ndr_marshall.c Modified: trunk/reactos/dll/win32/rpcrt4/ndr_marshall.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/rpcrt4/ndr_marsh… ============================================================================== --- trunk/reactos/dll/win32/rpcrt4/ndr_marshall.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/rpcrt4/ndr_marshall.c [iso-8859-1] Tue Aug 12 07:52:29 2014 @@ -1120,7 +1120,7 @@ * BufferStart and BufferEnd won't be reset when allocating memory for * sending the response. we don't have to check for the new buffer here as * it won't be used a type memory, only for buffer memory */ - if (Pointer >= pStubMsg->BufferStart && Pointer < pStubMsg->BufferEnd) + if (Pointer >= pStubMsg->BufferStart && Pointer <= pStubMsg->BufferEnd) goto notfree; if (attr & RPC_FC_P_ONSTACK) {