locale: Fix for too small buffers
Andrew de Quincey
adq_dvb at lidskialf.net
Tue Dec 2 14:01:18 CST 2003
Hi, found a problem with the latest locale changes. When it calls the
GetLocaleInfoW() function, the attached error occurs.
This occurred because of the new code using the LOCALE_RETURN_NUMBER flag. The
problem is if the buffer supplied to get_registry_locale_info is quite small
(say sizeof(INT)). The value returned by NtQueryValueKey(), however, is for a
string and is much longer. As NtQueryValueKey updates the value of size,
this caused other parts of the code to corrupt memory.
-------------- next part --------------
First chance exception: page fault on write access to 0x0000bad4 in 32-bit code (0x4021a1d0).
Register dump:
CS:0073 SS:007b DS:007b ES:007b FS:003b GS:0033
EIP:4021a1d0 ESP:406efc10 EBP:406efc1c EFLAGS:00210206( R- 00 I - -P1 )
EAX:0000bac8 EBX:4024ce88 ECX:00000378 EDX:40370074
ESI:403b8a70 EDI:403b8a50
Stack dump:
0x406efc10 (_end+0x156ce8): 403b8a50 403b8a50 40370000 406efc48
0x406efc20 (_end+0x156cf8): 4021a25f 40370000 403b8a50 00000020
0x406efc30 (_end+0x156d08): 403b8a50 00000001 00000001 4024ce88
0x406efc40 (_end+0x156d18): 403b8a50 40370000 406efc70 4021b368
0x406efc50 (_end+0x156d28): 40370000 403b8a50 40370000 403b8a50
0x406efc60 (_end+0x156d38): 00000000 405959e8 0000000c 403b8a58
0x406efc70 (_end+0x156d48):
Backtrace:
=>0 0x4021a1d0 (HEAP_CreateFreeBlock+0x120(subheap=0x40370000, ptr=0x403b8a50, size=0x20) [heap.c:417] in NTDLL.DLL) (ebp=406efc1c)
1 0x4021a25f (HEAP_MakeInUseBlockFree+0x4f(subheap=0x40370000, pArena=0x403b8a50) [heap.c:468] in NTDLL.DLL) (ebp=406efc48)
2 0x4021b368 (RtlFreeHeap+0xb8(heap=0x40370000, flags=0x2, ptr=0x403b8a58) [heap.c:1204] in NTDLL.DLL) (ebp=406efc70)
3 0x404e8981 (HeapFree+0x21(heap=0x40370000, flags=0x0, ptr=0x403b8a58) [heap.c:285] in KERNEL32.DLL) (ebp=406efc88)
4 0x404f4bab (get_registry_locale_info+0x15b(flags=0x0, value=0x40576294, buffer=0x0, len=0x0) [locale.c:822] in KERNEL32.DLL) (ebp=406efce8)
5 0x404f4fae (GetLocaleInfoW+0x1be(lcid=0x809, lctype=0x1f, buffer=0x0, len=0x0) [locale.c:934] in KERNEL32.DLL) (ebp=406efd18)
6 0x404f4cfa (GetLocaleInfoA+0x6a(lcid=0x809, lctype=0x1f, buffer=0x406efd64, len=0x100) [locale.c:859] in KERNEL32.DLL) (ebp=406efd44)
7 0x004ce4df (idag.exe. at Droptarget@initialization$qqrv+0x6fd93 in idag.exe) (ebp=406efe64)
8 0x004cf99a (idag.exe. at Droptarget@initialization$qqrv+0x7124e in idag.exe) (ebp=406efec0)
9 0x004d0384 (idag.exe. at Droptarget@initialization$qqrv+0x71c38 in idag.exe) (ebp=406efed4)
10 0x004e276d (idag.exe. at Droptarget@initialization$qqrv+0x84021 in idag.exe) (ebp=406efefc)
11 0x004e2943 (idag.exe. at Droptarget@initialization$qqrv+0x841f7 in idag.exe) (ebp=406eff24)
0x4021a1d0 (HEAP_CreateFreeBlock+0x120 [heap.c:417] in NTDLL.DLL): movl %edx,0xc(%eax)
418 pNext->prev->next = pNext->next;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wine-localefix.patch
Type: text/x-diff
Size: 917 bytes
Desc: not available
Url : http://www.winehq.org/pipermail/wine-patches/attachments/20031202/6657a459/wine-localefix.bin
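The size-clobbering pattern described in the report, as an added example (this is not the attached Wine patch): a query routine with the NtQueryValueKey-style contract, where the in/out size argument is overwritten with the bytes required even when the copy fails, beside a caller that keeps the original capacity instead of trusting the updated size. The stored value, status codes and the hex-string parsing are constructed assumptions for the example.

```c
/* Added example, not the Wine patch: a query routine with the
 * NtQueryValueKey-style contract (the in/out size is overwritten with the
 * bytes REQUIRED, even on failure) and a caller that must not mistake that
 * updated size for the capacity of its own buffer. */
#include <stdlib.h>
#include <string.h>

#define STATUS_SUCCESS          0
#define STATUS_BUFFER_TOO_SMALL 1

/* Constructed registry value. Wine stores locale values as WCHAR strings;
 * a narrow hex string is used here to keep the example portable. */
static const char STORED_VALUE[] = "00000809";

static int query_value(void *buffer, unsigned *size)
{
    unsigned needed = (unsigned)sizeof(STORED_VALUE);
    unsigned avail  = *size;
    *size = needed;                         /* caller's variable is clobbered */
    if (!buffer || avail < needed) return STATUS_BUFFER_TOO_SMALL;
    memcpy(buffer, STORED_VALUE, needed);
    return STATUS_SUCCESS;
}

/* The pitfall from the report: after the call 'size' describes the string,
 * not the INT-sized buffer, so any later copy or heap bookkeeping driven by
 * 'size' would run past the end. Returns how many bytes too many. */
static unsigned reported_overrun(void)
{
    int small;                              /* the sizeof(INT) buffer */
    unsigned size = sizeof(small);
    query_value(&small, &size);             /* fails, but rewrites size */
    return size > sizeof(small) ? size - sizeof(small) : 0;
}

/* Hardened caller: check the caller's ORIGINAL length, size a scratch buffer
 * from the reported requirement, then convert into the caller's int.
 * Returns the parsed value, or -1 on any failure. */
static long get_locale_number(unsigned out_len)
{
    int out;                                /* caller's buffer, out_len bytes */
    unsigned size = 0;
    char *tmp;
    if (out_len < sizeof(out)) return -1;   /* compare against original length */
    query_value(NULL, &size);               /* size now holds bytes needed */
    if (!(tmp = malloc(size))) return -1;
    if (query_value(tmp, &size) != STATUS_SUCCESS) { free(tmp); return -1; }
    out = (int)strtol(tmp, NULL, 16);       /* assumption: value is a hex string */
    free(tmp);                              /* frees exactly what was allocated */
    return out;
}
```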