From 539bbf8653e0117dea139015b4b71be768e3f3d7 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 9 Feb 2010 14:48:15 -0800
Subject: [PATCH 1/2] Second part of fix for bug 7063 - Samba 3.4.5 on ubuntu 8.04 64 bit - Core dumps. Ensure we have no naked memcpy calls. This isn't a crash bug (it's already checked in the data_blob_talloc_zero() above, but I want to get into the pattern of having all memcpy's covered by safety checks. Jeremy.
---
 source3/rpc_server/srv_spoolss_nt.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index e2e523d..33d47df 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -9455,7 +9455,10 @@ WERROR _spoolss_XcvData(pipes_struct *p,
 *r->out.status_code = 0;
- memcpy(r->out.out_data, out_data.data, out_data.length);
+ if (r->out.out_data && r->in.out_data_size && out_data.length) {
+ memcpy(r->out.out_data, out_data.data,
+ MIN(r->in.out_data_size, out_data.length));
+ }
 return WERR_OK;
 }
--
1.6.6
From a056eb85ff8cabc05970c789abba890d914e7ecb Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 9 Feb 2010 14:56:12 -0800
Subject: [PATCH 2/2] Missed one check on the memcpy for bug #7063. Jeremy.
---
 source3/rpc_server/srv_spoolss_nt.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 33d47df..7a4c9c9 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -9455,7 +9455,7 @@ WERROR _spoolss_XcvData(pipes_struct *p,
 *r->out.status_code = 0;
- if (r->out.out_data && r->in.out_data_size && out_data.length) {
+ if (r->out.out_data && out_data.data && r->in.out_data_size && out_data.length) {
 memcpy(r->out.out_data, out_data.data,
 MIN(r->in.out_data_size, out_data.length));
 }
--
1.6.6
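Review bot: In [PATCH 1/2] the `MIN(r->in.out_data_size, out_data.length)` clamp truncates silently: if `out_data.length` ever exceeded the request-supplied `r->in.out_data_size`, `_spoolss_XcvData` would still fall through to `return WERR_OK;` with `*r->out.status_code = 0` and a partial reply. The commit message says an earlier `data_blob_talloc_zero()` check already rules this out, but that code lies outside the hunk, so the reason the clamp is safe to ignore is not visible here. I would record the intent next to the copy, for example `/* Defensive clamp: never copy more than the caller-supplied out_data_size. */`. If a handler can in fact produce a longer blob, returning an error for that case would be preferable to truncating. The function body starts before this hunk.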
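Review bot: In [PATCH 2/2] the condition line, with `out_data.data` added, now runs past 80 columns even before its indentation; wrapping it keeps the four guards readable, e.g. `if (r->out.out_data && out_data.data &&` continued on the next line with `r->in.out_data_size && out_data.length) {`. Separately, when any guard fails the copy is skipped and `WERR_OK` is still returned, so the reply depends on `r->out.out_data` having been initialised before this point, which the hunk does not show. A one-line comment stating that assumption, such as `/* out_data is left as initialised when there is nothing to copy. */`, would make the skipped-copy path explicit. The function body starts before this hunk.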