[Bug 4200] New: map_image() can cause segfault

Wine Bugs wine-bugs at winehq.org
Fri Dec 30 17:51:39 CST 2005


http://bugs.winehq.org/show_bug.cgi?id=4200

           Summary: map_image() can cause segfault
           Product: Wine
           Version: 0.9.4.
          Platform: Other
        OS/Version: other
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: wine-loader
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: areiter at websense.com


Basically, to make this short (could go into more detail, but my knowledge of
the wine loader code is just *ok*, not really good):

I was attempting to run a less-than-perfect PE file (seems to be a broken worm).
I was obviously prepared for it to not run -- perhaps the loader to error out
since it was an invalid PE file (at least XPSP2 believes so -- and I've reversed
other Win32 loader code and they'd error too), but I got a segfault, unfortunately.

I narrowed the issue down to dlls/ntdll/virtual.c::map_image():
1014                memset( ptr + sec->VirtualAddress + file_size, 0, end - file_size );

ptr is ok:
(gdb) p ptr
$142 = 0x400000 "MZ\220"

VA for the section seems ok:
(gdb) p sec->VirtualAddress
$143 = 49152

.. Same with file_size (I believe), but the issue is with the length of the
memset().

(gdb) p end
$144 = 3815
(gdb) p file_size
$145 = 110873

As you can see at virtual.c:1014, memset() uses (end-file_size) as the length to
zero out.  However, (end-file_size) creates a "bad" value since end is less than
file_size.  By at least C90 standards, the length field for memset() is a size_t
which is unsigned ... etc etc.  I don't really have a solution as I am not
really all that knowledgeable with really what some of the code is doing, but
it seems that at least adding an assert() or a test for this instead of blindly
passing (end-file_size) would be a good thing.  Anyway, not a major bug, but the
loader should try its best to at least not crash.
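The unsigned underflow the report describes, alongside the kind of range check the reporter suggests, as an added C example (this is not Wine's code or its fix; the helper names, the 64-byte mapping and the 0xAA fill pattern are constructed, while the values 49152, 110873 and 3815 are the ones from the gdb session above):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All helper names here are hypothetical; they are not Wine's own functions. */

/* The unchecked subtraction from the report: because size_t is unsigned,
 * end < file_size does not go negative, it wraps to a value near SIZE_MAX,
 * which memset() then treats as a huge length and walks off the mapping. */
size_t unchecked_tail_len(size_t file_size, size_t end)
{
    return end - file_size;
}

/* The test the reporter asks for: a tail to zero only exists when the
 * section's end lies at or past the end of its file-backed bytes. */
int tail_is_valid(size_t file_size, size_t end)
{
    return end >= file_size;
}

/* Zero [va + file_size, va + end) inside a caller-owned mapping of map_len
 * bytes. Returns 0 on success, -1 if the range underflows or leaves the
 * mapping; the bounds checks are ordered so they cannot overflow themselves. */
int zero_section_tail(unsigned char *map, size_t map_len,
                      size_t va, size_t file_size, size_t end)
{
    size_t len;

    if (!tail_is_valid(file_size, end)) return -1;
    len = end - file_size;
    if (va > map_len) return -1;
    if (file_size > map_len - va) return -1;
    if (len > map_len - va - file_size) return -1;

    memset(map + va + file_size, 0, len);
    return 0;
}

/* Self-check on a constructed 64-byte mapping filled with 0xAA.
 * Returns 0 when the valid case zeroes exactly bytes [12, 24) and both
 * invalid cases (a range past the mapping, and the report's own values)
 * are refused without touching memory. */
int demo_zero_tail(void)
{
    unsigned char map[64];
    size_t i;

    memset(map, 0xAA, sizeof map);
    if (zero_section_tail(map, sizeof map, 8, 4, 16) != 0) return 1;
    for (i = 0; i < sizeof map; i++) {
        unsigned char want = (i >= 12 && i < 24) ? 0x00 : 0xAA;
        if (map[i] != want) return 2;
    }
    if (zero_section_tail(map, sizeof map, 8, 4, 100) == 0) return 3;
    if (zero_section_tail(map, sizeof map, 49152, 110873, 3815) == 0) return 4;
    for (i = 0; i < sizeof map; i++) {
        unsigned char want = (i >= 12 && i < 24) ? 0x00 : 0xAA;
        if (map[i] != want) return 5;
    }
    return 0;
}

int main(void)
{
    /* Values taken from the bug report's gdb session. */
    size_t file_size = 110873, end = 3815;

    printf("end - file_size as size_t: %zu (SIZE_MAX is %zu)\n",
           unchecked_tail_len(file_size, end), (size_t)SIZE_MAX);
    printf("tail_is_valid: %d\n", tail_is_valid(file_size, end));
    printf("demo_zero_tail: %d\n", demo_zero_tail());
    return 0;
}
```

The check is split in two on purpose: `tail_is_valid()` catches the underflow the report hits, and the three comparisons in `zero_section_tail()` keep the zeroed range inside the mapping even when a hostile header supplies a VirtualAddress or SizeOfRawData large enough to wrap the sum.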

If you need a test file, please feel free to contact me at areiter _ at _
websense.com.
