From 795842f4096501fcefc1a7f535ccc8132feb31d7 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Wed, 15 Apr 2020 17:09:22 +0200
Subject: [PATCH] Fixed oob read in parallel_process_irp_create
---
channels/parallel/client/parallel_main.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/channels/parallel/client/parallel_main.c b/channels/parallel/client/parallel_main.c
index 734cf9667..af3e82703 100644
--- a/channels/parallel/client/parallel_main.c
+++ b/channels/parallel/client/parallel_main.c
@@ -83,13 +83,19 @@ static UINT parallel_process_irp_create(PARALLEL_DEVICE* parallel, IRP* irp)
 {
 char* path = NULL;
 int status;
+ WCHAR* ptr;
 UINT32 PathLength;
- Stream_Seek(irp->input, 28);
+ if (!Stream_SafeSeek(irp->input, 28))
+ return ERROR_INVALID_DATA;
 /* DesiredAccess(4) AllocationSize(8), FileAttributes(4) */
 /* SharedAccess(4) CreateDisposition(4), CreateOptions(4) */
+ if (Stream_GetRemainingLength(irp->input) < 4)
+ return ERROR_INVALID_DATA;
 Stream_Read_UINT32(irp->input, PathLength);
- status = ConvertFromUnicode(CP_UTF8, 0, (WCHAR*)Stream_Pointer(irp->input), PathLength / 2,
- &path, 0, NULL, NULL);
+ ptr = (WCHAR*)Stream_Pointer(irp->input);
+ if (!Stream_SafeSeek(irp->input, PathLength))
+ return ERROR_INVALID_DATA;
+ status = ConvertFromUnicode(CP_UTF8, 0, ptr, PathLength / 2, &path, 0, NULL, NULL);
 if (status < 1)
 if (!(path = (char*)calloc(1, 1)))
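Review bot: The three new `return ERROR_INVALID_DATA;` exits leave parallel_process_irp_create before anything visible in the hunk reports a result for `irp`, so a truncated create request now relies on the caller to complete or discard the IRP. The function body continues outside the hunk and the caller is not shown, so this is inferred: please confirm the error path releases `irp`, and record the contract with a comment such as `/* on ERROR_INVALID_DATA the caller owns and discards irp */`. Separately, an odd `PathLength` passes the `Stream_SafeSeek` check and is then halved, silently dropping the last byte; if that is intended, a one-line comment on the `PathLength / 2` argument would say so.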