echo -n 'AAAAAAAAAAAAAAAAuB8ALDQgEAAAAAAAAAAAAAC4HwAtNDg3OQ==' | base64 -d | bin/ndrdump winreg 34 out
The out part of the struct is referring to the in, but the in values are all NULL.
In this case ndrdump is crashing because an out packet was presented without the in packet for context, and a size_is variable referenced a ref pointer that was not provided. It is not a security issue because genuine callers don't do that.
It is, however, quite annoying for ndrdump to crash, but if we were to fake up the in packet we would instead give an incorrect parse failure, so we can't easily win here.
Removing embargo. The fix is to patch the NDR code when building the fuzzers (only) to create and zero in these 'in' ref pointers during 'out' parsing.
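A constructed C model of the crash and of the fuzzer-build fix described above (added illustration, not Samba's generated NDR code): the out array's length is size_is(*in.count), in.count is an [in,ref] pointer that only exists once the in packet has been parsed, and the hardened path creates and zeroes that pointer when parsing out alone. The struct, flag values, wire bytes and function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the ndrdump case, not Samba's generated NDR code:
 * an [in,out] call whose out array length is size_is(*in.count), where
 * in.count is an [in,ref] pointer that only exists after the in packet
 * has been parsed. */
struct call_model {
    struct { uint32_t *count; } in;                  /* [in,ref] uint32_t *count */
    struct { uint32_t *data; uint32_t ndata; } out;  /* [out,size_is(*count)] */
};

enum { NDR_IN = 1, NDR_OUT = 2 };

/* Constructed out-only wire payload: a conformant array with max_count=2
 * followed by two little-endian uint32 elements. */
static const uint8_t OUT_WIRE[] = { 2,0,0,0, 0x11,0,0,0, 0x22,0,0,0 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unpatched out-parser: dereferences in.count unconditionally, which is the
 * NULL dereference when only the out packet was given to the parser. */
static int pull_out_body(struct call_model *r, const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    uint32_t max_count = le32(buf);
    if (max_count != *r->in.count) return -2;     /* size_is mismatch: parse failure */
    if (len < 4 + (size_t)max_count * 4) return -1;
    r->out.data = calloc(max_count ? max_count : 1, sizeof(uint32_t));
    if (!r->out.data) return -1;
    for (uint32_t i = 0; i < max_count; i++) r->out.data[i] = le32(buf + 4 + 4 * i);
    r->out.ndata = max_count;
    return 0;
}

/* The fuzzer-build fix from the thread, modelled: when parsing out without in,
 * create and zero the missing [ref] pointer, so size_is() reads 0 and the
 * out-only parse ends in an ordinary parse failure (-2) rather than a crash. */
static int pull_out_hardened(struct call_model *r, int flags, const uint8_t *buf, size_t len) {
    if ((flags & NDR_OUT) && !(flags & NDR_IN) && r->in.count == NULL) {
        r->in.count = calloc(1, sizeof(*r->in.count));
        if (!r->in.count) return -1;
    }
    return pull_out_body(r, buf, len);
}
```

Parsing OUT_WIRE with only NDR_OUT returns the mismatch code -2 and leaves a zeroed in.count behind; parsing with NDR_IN|NDR_OUT and in.count pointing at 2 yields both elements.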