mapi_lib: fix out-of-bounds access in PROBLEM_ARRAY::transform

Triggerable upon performing an online-mode search in OL2019.

==93973==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x502000087734 at pc 0x7ff932e5635f bp 0x7ff8a79fd240 sp
0x7ff8a79fd238
READ of size 2 at 0x502000087734 thread T73
    f0 PROBLEM_ARRAY::transform(unsigned short const*) lib/mapi/element_data.cpp:407
    f1 folder_object::set_properties(TPROPVAL_ARRAY const*, PROBLEM_ARRAY*) exch/emsmdb/folder_object.cpp:522
    f2 rop_setproperties(TPROPVAL_ARRAY const*, PROBLEM_ARRAY*, LOGMAP*, unsigned char, unsigned int) exch/emsmdb/oxcprpt.cpp:385
    f3 rop_dispatch(rop_request const&, rop_response*&, unsigned int*, unsigned char) exch/emsmdb/rop_dispatch.cpp:1062

0x502000087734 is located 2 bytes after 2-byte region [0x502000087730,0x502000087732)
allocated by thread T73 here:
    f0 operator new[](unsigned long) (/lib64/libasan.so.8)
    f1 std::__detail::_MakeUniq<char []>::__array std::make_unique<char []>(unsigned long) /usr/include/c++/13/bits/unique_ptr.h:1085
    f2 alloc_context::alloc(unsigned long) include/gromox/util.hpp:39
    f3 pdu_processor_ndr_stack_alloc(int, unsigned long) exch/http/pdu_processor.cpp:162
    f4 emsmdb::common_util_alloc(unsigned long) exch/emsmdb/common_util.cpp:88
    f5 unsigned short* emsmdb::cu_alloc<unsigned short>(unsigned long) exch/emsmdb/common_util.hpp:37
    f6 folder_object::set_properties(TPROPVAL_ARRAY const*, PROBLEM_ARRAY*) exch/emsmdb/folder_object.cpp:482
    f7 rop_setproperties(TPROPVAL_ARRAY const*, PROBLEM_ARRAY*, LOGMAP*, unsigned char, unsigned int) exch/emsmdb/oxcprpt.cpp:385
    f8 rop_dispatch(rop_request const&, rop_response*&, unsigned int*, unsigned char) exch/emsmdb/rop_dispatch.cpp:1062

According to this report, poriginal_indices must have been a
1-element array and tmp_propvals 5-element, of which the 3rd,
PR_CHANGE_KEY, (somewhat mysteriously) was reported in PROBLEM_ARRAY.

Fixes: gromox-0~666
References: GXL-503, DESK-2209

Author: jengelh

exch/emsmdb/attachment_object.cpp

@@ -1,10 +1,13 @@
 // SPDX-License-Identifier: GPL-2.0-only WITH linking exception
+// SPDX-FileCopyrightText: 2021–2024 grommunio GmbH
+// This file is part of Gromox.
 #include <climits>
 #include <cstdint>
 #include <cstdlib>
 #include <cstring>
 #include <memory>
 #include <utility>
+#include <vector>
 #include <gromox/defs.h>
 #include <gromox/mapidefs.h>
 #include <gromox/proptag_array.hpp>
@@ -16,6 +19,8 @@
 #include "message_object.hpp"
 #include "stream_object.hpp"
 
+using namespace gromox;
+
 static constexpr uint32_t indet_rendering_pos = UINT32_MAX;
 
 std::unique_ptr<attachment_object> attachment_object::create(message_object *pparent,
@@ -316,7 +321,7 @@ static bool ao_has_open_streams(attachment_object *at, uint32_t proptag)
 }
 
 BOOL attachment_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
-    PROBLEM_ARRAY *pproblems)
+    PROBLEM_ARRAY *pproblems) try
 {
 	auto pattachment = this;
 	PROBLEM_ARRAY tmp_problems;
@@ -330,18 +335,16 @@ BOOL attachment_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
 	tmp_propvals.ppropval = cu_alloc<TAGGED_PROPVAL>(ppropvals->count);
 	if (tmp_propvals.ppropval == nullptr)
 		return FALSE;
-	auto poriginal_indices = cu_alloc<uint16_t>(ppropvals->count);
-	if (poriginal_indices == nullptr)
-		return FALSE;
+	std::vector<uint16_t> poriginal_indices;
 	for (unsigned int i = 0; i < ppropvals->count; ++i) {
 		const auto &pv = ppropvals->ppropval[i];
 		if (is_readonly_prop(pv.proptag) ||
 		    ao_has_open_streams(pattachment, pv.proptag)) {
 			pproblems->emplace_back(i, pv.proptag, ecAccessDenied);
 			continue;
 		}
-		tmp_propvals.ppropval[tmp_propvals.count] = pv;
-		poriginal_indices[tmp_propvals.count++] = i;
+		tmp_propvals.ppropval[tmp_propvals.count++] = pv;
+		poriginal_indices.push_back(i);
 	}
 	if (tmp_propvals.count == 0)
 		return TRUE;
@@ -361,10 +364,13 @@ BOOL attachment_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
 		}
 	}
 	return TRUE;
+} catch (const std::bad_alloc &) {
+	mlog(LV_ERR, "E-1669: ENOMEM");
+	return false;
 }
 
 BOOL attachment_object::remove_properties(const PROPTAG_ARRAY *pproptags,
-    PROBLEM_ARRAY *pproblems)
+    PROBLEM_ARRAY *pproblems) try
 {
 	auto pattachment = this;
 	PROBLEM_ARRAY tmp_problems;
@@ -378,17 +384,15 @@ BOOL attachment_object::remove_properties(const PROPTAG_ARRAY *pproptags,
 	tmp_proptags.pproptag = cu_alloc<uint32_t>(pproptags->count);
 	if (tmp_proptags.pproptag == nullptr)
 		return FALSE;
-	auto poriginal_indices = cu_alloc<uint16_t>(pproptags->count);
-	if (poriginal_indices == nullptr)
-		return FALSE;
+	std::vector<uint16_t> poriginal_indices;
 	for (unsigned int i = 0; i < pproptags->count; ++i) {
 		const auto tag = pproptags->pproptag[i];
 		if (is_readonly_prop(tag) ||
 		    ao_has_open_streams(pattachment, tag)) {
 			pproblems->emplace_back(i, tag, ecAccessDenied);
 			continue;
 		}
-		poriginal_indices[tmp_proptags.count] = i;
+		poriginal_indices.push_back(i);
 		tmp_proptags.emplace_back(tag);
 	}
 	if (tmp_proptags.count == 0)
@@ -409,6 +413,9 @@ BOOL attachment_object::remove_properties(const PROPTAG_ARRAY *pproptags,
 		}
 	}
 	return TRUE;
+} catch (const std::bad_alloc &) {
+	mlog(LV_ERR, "E-1670: ENOMEM");
+	return false;
 }
 
 BOOL attachment_object::copy_properties(attachment_object *pattachment_src,

exch/emsmdb/folder_object.cpp

@@ -1,4 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only WITH linking exception
+// SPDX-FileCopyrightText: 2021–2024 grommunio GmbH
+// This file is part of Gromox.
 #include <algorithm>
 #include <climits>
 #include <cstdint>
@@ -7,6 +9,7 @@
 #include <cstring>
 #include <memory>
 #include <utility>
+#include <vector>
 #include <gromox/defs.h>
 #include <gromox/ext_buffer.hpp>
 #include <gromox/mapidefs.h>
@@ -18,6 +21,8 @@
 #include "folder_object.hpp"
 #include "logon_object.hpp"
 
+using namespace gromox;
+
 std::unique_ptr<folder_object> folder_object::create(logon_object *plogon,
 	uint64_t folder_id, uint8_t type, uint32_t tag_access)
 {
@@ -458,7 +463,7 @@ BOOL folder_object::get_properties(const PROPTAG_ARRAY *pproptags,
 }
 
 BOOL folder_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
-    PROBLEM_ARRAY *pproblems)
+    PROBLEM_ARRAY *pproblems) try
 {
 	uint16_t count;
 	BINARY *pbin_pcl;
@@ -479,17 +484,15 @@ BOOL folder_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
 	tmp_propvals.ppropval = cu_alloc<TAGGED_PROPVAL>(count);
 	if (tmp_propvals.ppropval == nullptr)
 		return FALSE;
-	auto poriginal_indices = cu_alloc<uint16_t>(ppropvals->count);
-	if (poriginal_indices == nullptr)
-		return FALSE;
+	std::vector<uint16_t> poriginal_indices;
 	auto pfolder = this;
 	for (unsigned int i = 0; i < ppropvals->count; ++i) {
 		const auto &pv = ppropvals->ppropval[i];
 		if (pfolder->is_readonly_prop(pv.proptag)) {
 			pproblems->emplace_back(i, pv.proptag, ecAccessDenied);
 		} else {
-			tmp_propvals.ppropval[tmp_propvals.count] = pv;
-			poriginal_indices[tmp_propvals.count++] = i;
+			tmp_propvals.ppropval[tmp_propvals.count++] = pv;
+			poriginal_indices.push_back(i);
 		}
 	}
 	if (tmp_propvals.count == 0)
@@ -522,6 +525,9 @@ BOOL folder_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
 	tmp_problems.transform(poriginal_indices);
 	*pproblems += std::move(tmp_problems);
 	return TRUE;
+} catch (const std::bad_alloc &) {
+	mlog(LV_ERR, "E-1743: ENOMEM");
+	return false;
 }
 
 BOOL folder_object::remove_properties(const PROPTAG_ARRAY *pproptags,

exch/emsmdb/logon_object.cpp

@@ -10,6 +10,7 @@
 #include <cstring>
 #include <memory>
 #include <utility>
+#include <vector>
 #include <libHX/string.h>
 #include <gromox/defs.h>
 #include <gromox/mapidefs.h>
@@ -664,7 +665,7 @@ BOOL logon_object::get_properties(const PROPTAG_ARRAY *pproptags,
 }
 
 BOOL logon_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
-    PROBLEM_ARRAY *pproblems)
+    PROBLEM_ARRAY *pproblems) try
 {
 	PROBLEM_ARRAY tmp_problems;
 	TPROPVAL_ARRAY tmp_propvals;
@@ -680,17 +681,15 @@ BOOL logon_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
 	tmp_propvals.ppropval = cu_alloc<TAGGED_PROPVAL>(ppropvals->count);
 	if (tmp_propvals.ppropval == nullptr)
 		return FALSE;
-	auto poriginal_indices = cu_alloc<uint16_t>(ppropvals->count);
-	if (poriginal_indices == nullptr)
-		return FALSE;
+	std::vector<uint16_t> poriginal_indices;
 	auto plogon = this;
 	for (unsigned int i = 0; i < ppropvals->count; ++i) {
 		const auto &pv = ppropvals->ppropval[i];
 		if (lo_is_readonly_prop(plogon, pv.proptag)) {
 			pproblems->emplace_back(i, pv.proptag, ecAccessDenied);
 		} else {
-			tmp_propvals.ppropval[tmp_propvals.count] = pv;
-			poriginal_indices[tmp_propvals.count++] = i;
+			tmp_propvals.ppropval[tmp_propvals.count++] = pv;
+			poriginal_indices.push_back(i);
 		}
 	}
 	if (tmp_propvals.count == 0)
@@ -703,6 +702,9 @@ BOOL logon_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
 	tmp_problems.transform(poriginal_indices);
 	*pproblems += std::move(tmp_problems);
 	return TRUE;
+} catch (const std::bad_alloc &) {
+	mlog(LV_ERR, "E-1744: ENOMEM");
+	return false;
 }
 
 BOOL logon_object::remove_properties(const PROPTAG_ARRAY *pproptags,

exch/emsmdb/message_object.cpp

@@ -6,6 +6,7 @@
 #include <cstdlib>
 #include <cstring>
 #include <memory>
+#include <vector>
 #include <libHX/string.h>
 #include <gromox/defs.h>
 #include <gromox/ext_buffer.hpp>
@@ -1054,7 +1055,7 @@ static bool mo_has_open_streams(message_object *pmessage, uint32_t proptag)
 }
 
 static BOOL message_object_set_properties_internal(message_object *pmessage,
-	BOOL b_check, const TPROPVAL_ARRAY *ppropvals, PROBLEM_ARRAY *pproblems)
+    BOOL b_check, const TPROPVAL_ARRAY *ppropvals, PROBLEM_ARRAY *pproblems) try
 {
 	uint8_t tmp_bytes[3];
 	PROBLEM_ARRAY tmp_problems;
@@ -1072,10 +1073,8 @@ static BOOL message_object_set_properties_internal(message_object *pmessage,
 	tmp_propvals.ppropval = cu_alloc<TAGGED_PROPVAL>(ppropvals->count);
 	if (tmp_propvals.ppropval == nullptr)
 		return FALSE;
-	auto poriginal_indices = cu_alloc<uint16_t>(ppropvals->count);
-	if (poriginal_indices == nullptr)
-		return FALSE;
-	
+
+	std::vector<uint16_t> poriginal_indices;
 	auto dir = pmessage->plogon->get_dir();
 	for (unsigned int i = 0; i < ppropvals->count; ++i) {
 		/* if property is being open as stream object, can not be modified */
@@ -1116,8 +1115,8 @@ static BOOL message_object_set_properties_internal(message_object *pmessage,
 					return FALSE;	
 			}
 		}
-		tmp_propvals.ppropval[tmp_propvals.count] = pv;
-		poriginal_indices[tmp_propvals.count++] = i;
+		tmp_propvals.ppropval[tmp_propvals.count++] = pv;
+		poriginal_indices.push_back(i);
 	}
 	if (tmp_propvals.count == 0)
 		return TRUE;
@@ -1142,6 +1141,9 @@ static BOOL message_object_set_properties_internal(message_object *pmessage,
 			return FALSE;	
 	}
 	return TRUE;
+} catch (const std::bad_alloc &) {
+	mlog(LV_ERR, "E-1745: ENOMEM");
+	return false;
 }
 
 BOOL message_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
@@ -1153,7 +1155,7 @@ BOOL message_object::set_properties(const TPROPVAL_ARRAY *ppropvals,
 }
 
 BOOL message_object::remove_properties(const PROPTAG_ARRAY *pproptags,
-    PROBLEM_ARRAY *pproblems)
+    PROBLEM_ARRAY *pproblems) try
 {
 	auto pmessage = this;
 	PROBLEM_ARRAY tmp_problems;
@@ -1169,9 +1171,7 @@ BOOL message_object::remove_properties(const PROPTAG_ARRAY *pproptags,
 	tmp_proptags.pproptag = cu_alloc<uint32_t>(pproptags->count);
 	if (tmp_proptags.pproptag == nullptr)
 		return FALSE;
-	auto poriginal_indices = cu_alloc<uint16_t>(pproptags->count);
-	if (poriginal_indices == nullptr)
-		return FALSE;
+	std::vector<uint16_t> poriginal_indices;
 	/* if property is being open as stream object, can not be removed */
 	for (unsigned int i = 0; i < pproptags->count; ++i) {
 		const auto tag = pproptags->pproptag[i];
@@ -1190,7 +1190,7 @@ BOOL message_object::remove_properties(const PROPTAG_ARRAY *pproptags,
 				tag, static_cast<unsigned long long>(message_id), instance_id);
 			continue;
 		default:
-			poriginal_indices[tmp_proptags.count] = i;
+			poriginal_indices.push_back(i);
 			tmp_proptags.emplace_back(tag);
 			break;
 		}
@@ -1218,6 +1218,9 @@ BOOL message_object::remove_properties(const PROPTAG_ARRAY *pproptags,
 			return FALSE;	
 	}
 	return TRUE;
+} catch (const std::bad_alloc &) {
+	mlog(LV_ERR, "E-1746: ENOMEM");
+	return false;
 }
 
 BOOL message_object::copy_to(message_object *pmessage_src,

exch/emsmdb/oxcprpt.cpp

@@ -5,6 +5,7 @@
 #include <cstdint>
 #include <cstring>
 #include <utility>
+#include <vector>
 #include <gromox/defs.h>
 #include <gromox/mapidefs.h>
 #include <gromox/proc_common.h>
@@ -565,7 +566,7 @@ ec_error_t rop_querynamedproperties(uint8_t query_flags, const GUID *pguid,
 
 ec_error_t rop_copyproperties(uint8_t want_asynchronous, uint8_t copy_flags,
     const PROPTAG_ARRAY *pproptags, PROBLEM_ARRAY *pproblems, LOGMAP *plogmap,
-    uint8_t logon_id, uint32_t hsrc, uint32_t hdst)
+    uint8_t logon_id, uint32_t hsrc, uint32_t hdst) try
 {
 	BOOL b_force;
 	BOOL b_result;
@@ -600,9 +601,7 @@ ec_error_t rop_copyproperties(uint8_t want_asynchronous, uint8_t copy_flags,
 	pproblems->pproblem = cu_alloc<PROPERTY_PROBLEM>(pproptags->count);
 	if (pproblems->pproblem == nullptr)
 		return ecServerOOM;
-	auto poriginal_indices = cu_alloc<uint16_t>(pproptags->count);
-	if (poriginal_indices == nullptr)
-		return ecError;
+	std::vector<uint16_t> poriginal_indices;
 	switch (object_type) {
 	case ems_objtype::folder: {
 		auto fldsrc = static_cast<folder_object *>(pobject);
@@ -626,7 +625,7 @@ ec_error_t rop_copyproperties(uint8_t want_asynchronous, uint8_t copy_flags,
 			}
 			if (copy_flags & MAPI_NOREPLACE && proptags1.has(tag))
 				continue;
-			poriginal_indices[proptags.count] = i;
+			poriginal_indices.push_back(i);
 			proptags.emplace_back(tag);
 		}
 		if (!fldsrc->get_properties(&proptags, &propvals))
@@ -676,7 +675,7 @@ ec_error_t rop_copyproperties(uint8_t want_asynchronous, uint8_t copy_flags,
 			}
 			if (copy_flags & MAPI_NOREPLACE && proptags1.has(tag))
 				continue;
-			poriginal_indices[proptags.count] = i;
+			poriginal_indices.push_back(i);
 			proptags.emplace_back(tag);
 		}
 		if (!msgsrc->get_properties(0, &proptags, &propvals))
@@ -710,7 +709,7 @@ ec_error_t rop_copyproperties(uint8_t want_asynchronous, uint8_t copy_flags,
 			}
 			if (copy_flags & MAPI_NOREPLACE && proptags1.has(tag))
 				continue;
-			poriginal_indices[proptags.count] = i;
+			poriginal_indices.push_back(i);
 			proptags.emplace_back(tag);
 		}
 		if (!atsrc->get_properties(0, &proptags, &propvals))
@@ -730,6 +729,9 @@ ec_error_t rop_copyproperties(uint8_t want_asynchronous, uint8_t copy_flags,
 	default:
 		return ecNotSupported;
 	}
+} catch (const std::bad_alloc &) {
+	mlog(LV_ERR, "E-1747: ENOMEM");
+	return ecServerOOM;
 }
 
 ec_error_t rop_copyto(uint8_t want_asynchronous, uint8_t want_subobjects,