[Bug 20920] New: Regression - read buffer overflow in StorageImpl_Construct in many msi tests

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Dec 5 02:56:47 CST 2009


http://bugs.winehq.org/show_bug.cgi?id=20920

           Summary: Regression - read buffer overflow in
                    StorageImpl_Construct in many msi tests
           Product: Wine
           Version: 1.1.34
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ole32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: dank at kegel.com


http://kegel.com/wine/valgrind/logs/2009-12-04-18.45/diff-msi_msi.txt
http://kegel.com/wine/valgrind/logs/2009-12-04-18.45/vg-msi_msi.txt
and the rest of the msi logs for today show a regression like this:
 Invalid read of size 1
    at  memcpy (mc_replace_strmem.c:482)
    by  StorageImpl_Construct (storage32.c:2280)
    by  StgCreateDocfile (storage32.c:5696)
    by  MSI_OpenDatabaseW (database.c:121)
    by  MsiOpenDatabaseW (database.c:228)
    by  MsiOpenDatabaseA (database.c:263)
    by  create_package_db (msi.c:150)
    by  test_MsiOpenProduct (msi.c:7194)
  Address 0x7f0459a2 is 0 bytes after a block of size 26 alloc'd
    at  notify_alloc (heap.c:247)
    by  RtlAllocateHeap (heap.c:1697)
    by  msi_alloc (msipriv.h:1078)
    by  strdupAtoW (msipriv.h:1124)
    by  MsiOpenDatabaseA (database.c:249)
    by  create_package_db (msi.c:150)
    by  test_MsiOpenProduct (msi.c:7194)

Did today's ole32 storage changes introduce it?  This change looks like
it's related:

http://www.winehq.org/pipermail/wine-cvs/2009-December/062265.html

@@ -2295,6 +2271,9 @@ static HRESULT StorageImpl_Construct(
          goto end;
       }
       strcpyW(This->pwcsName, pwcsName);
+
+      memcpy(This->base.filename, pwcsName, DIRENTRY_NAME_BUFFER_LEN-1);
+      This->base.filename[DIRENTRY_NAME_BUFFER_LEN-1] = 0;
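
Review bot: the memcpy on the first added line always reads DIRENTRY_NAME_BUFFER_LEN-1 bytes from pwcsName, however long that string actually is, so any name shorter than that is read past its terminator. That matches the valgrind report above of an invalid read 0 bytes after the 26-byte block allocated by strdupAtoW. Use a copy that stops at the source's terminating NUL and is bounded by the destination, for example lstrcpynW(This->base.filename, pwcsName, DIRENTRY_NAME_BUFFER_LEN), which also makes the explicit terminator on the next line unnecessary. Also check the units: pwcsName is a wide string (it is passed to strcpyW just above), memcpy takes a byte count, and the index on the following line is an element count, so if filename is a WCHAR array the two added lines disagree about how much of the buffer is filled.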
