From 668fcb49d4856fad28f685db54a572af2a284b50 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Sat, 10 Jan 2026 09:33:54 +0100
Subject: [PATCH] [channels,rdpear] fix ndr_read checks

---
 channels/rdpear/common/ndr.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/channels/rdpear/common/ndr.c b/channels/rdpear/common/ndr.c
index d318ed63c..d0bd6d959 100644
--- a/channels/rdpear/common/ndr.c
+++ b/channels/rdpear/common/ndr.c
@@ -574,8 +574,10 @@ BOOL ndr_read_uconformant_array(NdrContext* context, wStream* s, const NdrArrayH
 	WINPR_ASSERT(itemType);
 	WINPR_ASSERT(vtarget);
 
-	UINT32 count = 0;
+	if (itemType->itemSize == 0)
+		return FALSE;
 
+	UINT32 count = 0;
 	if (!ndr_read_uint32(context, s, &count))
 		return FALSE;
 
@@ -910,6 +912,8 @@ BOOL ndr_read_pointedMessageEx(NdrContext* context, wStream* s, ndr_refid ptrId,
 	if (!ret)
 	{
 		size_t itemCount = ndr_hintsCount(descr, hints);
+		if (itemCount == 0)
+			return FALSE;
 		ret = calloc(itemCount, descr->itemSize);
 		if (!ret)
 			return FALSE;