Prevent heap corruption in CryptAcquireContext

Michael Jung mjung at iss.tu-darmstadt.de
Thu Jul 15 13:34:37 CDT 2004


Alexandre Julliard writes:
> Michael Jung <mjung at iss.tu-darmstadt.de> writes:
> > this is a resubmit of a simple patch I've sent yesterday, but which was
> > not applied to cvs. I would like to give some detail on it: There is a
> > section of code labeled "error:" at the end of CryptAcquireContext, which
> > releases occupied resources in the case of an error. Amongst others, the
> > allocated memory pointed to by "keyname" is released. However, in some
> > cases keyname is released twice, once in the normal code and once in the
> > error cleanup code. CRYPT_Free uses LocalFree, which returns "NULL" if
> > the memory was successfully released. And it does basically nothing if it
> > is called with a "NULL" pointer. This means that by executing "keyname =
> > (PSTR)CRYPT_Free(keyname)" the second call to CRYPT_Free does basically
> > nothing, which is better than corrupting the heap ;)
>
> The patch is OK, but it would be better to really avoid calling
> CRYPT_Free twice, and also to fix all the other places in that
> function that have the same problem.

I'm currently working on an implementation of rsabase.dll. This heap 
corruption bug crashes some of my test programs. At the moment I would rather 
work on rsabase.dll than on advapi32.dll. If you apply my quick and dirty 
patch, I promise to look into CryptAcquireContext some time later ;)

Greetings,
Michael
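The double free described in the quoted message, reduced to its shape, as an added example that is not the patch or Wine's code. It uses a small constructed allocator whose `tracked_free` mirrors the CRYPT_Free/LocalFree contract described above (returns NULL on success, NULL argument is a no-op) but counts a repeated free instead of corrupting the heap, so all three variants of the function can run side by side: the buggy one, the `keyname = CRYPT_Free(keyname)` fix that was submitted, and the single-exit structure Julliard asked for. All function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny tracked allocator (constructed for this example) so that a double
 * free is counted instead of corrupting the real heap. */
#define MAX_TRACKED 16
static void *live[MAX_TRACKED];
static int n_live;
static int double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (p && n_live < MAX_TRACKED) live[n_live++] = p;
    return p;
}

/* Models the CRYPT_Free/LocalFree contract described in the mail: returns
 * NULL on success, and a NULL argument is a no-op. A pointer that is not
 * live is a double free; it is counted and left alone (assumption). */
static void *tracked_free(void *p)
{
    if (!p) return NULL;
    for (int i = 0; i < n_live; i++) {
        if (live[i] == p) {
            live[i] = live[--n_live];
            free(p);
            return NULL;
        }
    }
    double_frees++;
    return p;
}

static char *dup_name(const char *s)
{
    char *p = tracked_alloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}

/* Shape of the bug: keyname is released on the normal path, and the error:
 * block releases it again when a later step fails. */
static int acquire_context_buggy(const char *container, bool fail_later)
{
    char *keyname = dup_name(container);
    if (!keyname) return 0;
    /* ... keyname would be used to open the registry key here ... */
    tracked_free(keyname);           /* done with keyname */
    if (fail_later) goto error;      /* a later step fails */
    return 1;
error:
    tracked_free(keyname);           /* second release of the same pointer */
    return 0;
}

/* The submitted fix: keep the NULL that a successful free returns, so the
 * second call sees NULL and does nothing. */
static int acquire_context_patched(const char *container, bool fail_later)
{
    char *keyname = dup_name(container);
    if (!keyname) return 0;
    keyname = (char *)tracked_free(keyname);
    if (fail_later) goto error;
    return 1;
error:
    keyname = (char *)tracked_free(keyname);   /* no-op on NULL */
    return 0;
}

/* The structure the reviewer asked for: one exit point, one free. */
static int acquire_context_single_exit(const char *container, bool fail_later)
{
    int ret = 0;
    char *keyname = dup_name(container);
    if (!keyname) goto out;
    if (fail_later) goto out;
    ret = 1;
out:
    tracked_free(keyname);           /* the only release; NULL is harmless */
    return ret;
}

/* Runs one variant on the error path or the normal path and reports how
 * many double frees it performed. */
static int count_double_frees(int (*fn)(const char *, bool), bool fail_later)
{
    double_frees = 0;
    fn("MyKeyContainer", fail_later);   /* constructed container name */
    return double_frees;
}

static int live_allocations(void) { return n_live; }

int main(void)
{
    printf("buggy, error path:       %d double free(s)\n",
           count_double_frees(acquire_context_buggy, true));
    printf("patched, error path:     %d double free(s)\n",
           count_double_frees(acquire_context_patched, true));
    printf("single exit, error path: %d double free(s)\n",
           count_double_frees(acquire_context_single_exit, true));
    printf("leaked allocations:      %d\n", live_allocations());
    return 0;
}
```

The buggy variant reports one double free only when the error path is taken, which is why the bug surfaces in test programs that hit a failure after `keyname` has already been released. The patched variant survives because the pointer is NULL by the time the cleanup block runs; the single-exit variant does not need that trick because nothing is freed before the cleanup label, so there is no second path to go wrong.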


