advapi32: Fix potential NULL pointer dereference in RegSetValueExA [with test] (Saturn)
Rob Shearman
robertshearman at gmail.com
Tue Jan 27 05:15:39 CST 2009
2009/1/26 Aurimas Fišeras <aurimas at gmail.com>:
> Saturn's error report:
> (INCONSISTENT USE) Possible null dereference of variable data+(count-1).
> This variable is checked for Null at lines: registry.c:1051
>
> Tested on Windows XP
>
> Changelog:
> advapi32: Fix potential NULL pointer dereference in RegSetValueExA
> [with test] (Saturn)
Excellent, this tool has spotted a corner-case that the code doesn't
handle correctly.
> From ea7773cc046992e327030fb99935afc5b25c1b4b Mon Sep 17 00:00:00 2001
> From: Aurimas Fischer <aurimas at gmail.com>
> Date: Mon, 26 Jan 2009 21:55:05 +0200
> Subject: advapi32: Fix potential NULL pointer dereference in RegSetValueExA [with test] (Saturn)
>
> ---
> dlls/advapi32/registry.c | 1 +
> dlls/advapi32/tests/registry.c | 4 ++++
> 2 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/dlls/advapi32/registry.c b/dlls/advapi32/registry.c
> index 52de6c5..88a89db 100644
> --- a/dlls/advapi32/registry.c
> +++ b/dlls/advapi32/registry.c
> @@ -1055,6 +1055,7 @@ LSTATUS WINAPI RegSetValueExA( HKEY hkey, LPCSTR name, DWORD reserved, DWORD typ
> else if (count && is_string(type))
> {
> /* if user forgot to count terminating null, add it (yes NT does this) */
> + if (!data) return ERROR_NOACCESS;
This should be moved before the comment to avoid the comment relating
to the wrong line.
> if (data[count-1] && !data[count]) count++;
> }
>
> diff --git a/dlls/advapi32/tests/registry.c b/dlls/advapi32/tests/registry.c
> index b63b3e2..0e1b673 100644
> --- a/dlls/advapi32/tests/registry.c
> +++ b/dlls/advapi32/tests/registry.c
> @@ -383,6 +383,10 @@ static void test_set_value(void)
> test_hkey_main_Value_A(name2A, string2A, sizeof(string2A));
> test_hkey_main_Value_W(name2W, string2W, sizeof(string2W));
>
> + /* test RegSetValueExA with invalid parameters*/
> + ret = RegSetValueExA(hkey_main, name1A, 0, REG_SZ, NULL, 1);
> + ok(ret == ERROR_NOACCESS, "got %d (expected ERROR_NOACCESS)\n", ret);
More information about the wine-devel
mailing list