[Bug 4200] New: map_image() can cause segfault
Wine Bugs
wine-bugs at winehq.org
Fri Dec 30 17:51:39 CST 2005
http://bugs.winehq.org/show_bug.cgi?id=4200
Summary: map_image() can cause segfault
Product: Wine
Version: 0.9.4.
Platform: Other
OS/Version: other
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wine-loader
AssignedTo: wine-bugs at winehq.org
ReportedBy: areiter at websense.com
Basically, to make this short (could go into more detail, but my knowledge of
the wine loader code is just *ok*, not really good):
I was attempting to run a less-than-perfect PE file (seems to be a broken worm).
I was obviously prepared for it to not run -- perhaps the loader to error out
since it was an invalid PE file (at least XPSP2 believes so -- and I've reversed
other Win32 loader code and they'd error too), but I got a segfault, unfortunately.
I narrowed the issue down to dlls/ntdll/virtual.c::map_image():
1014 memset( ptr + sec->VirtualAddress + file_size, 0, end - file_size );
ptr is ok:
(gdb) p ptr
$142 = 0x400000 "MZ\220"
VA for the section seems ok:
(gdb) p sec->VirtualAddress
$143 = 49152
.. Same with file_size (I believe), but the issue is with the length of the
memset().
(gdb) p end
$144 = 3815
(gdb) p file_size
$145 = 110873
As you can see at virtual.c:1014, memset() uses (end-file_size) as the length to
zero out. However, (end-file_size) creates a "bad" value since end is less than
file_size. By at least C90 standards, the length field for memset() is a size_t
which is unsigned ... etc etc. I don't really have a solution as I am not
really all that knowledgeable with really what some of the code is doing, but
it seems that at least adding an assert() or a test for this instead of blindly
passing (end-file_size) would be a good thing. Anyway, not a major bug, but the
loader should try its best to at least not crash.
If you need a test file, please feel free to contact me at areiter _ at _
websense.com.
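Added illustration of the arithmetic the report describes (this is example code written for this page, not code from the bug report and not Wine's map_image()): with the gdb values end = 3815 and file_size = 110873, the unsigned subtraction end - file_size wraps to a huge size_t, and memset() then writes far past the mapped section. The names section_zero_fill_len(), map_section() and demo_mapping() are hypothetical, and `end` is assumed to mean the section's virtual extent measured from the section start, the same quantity the report's memset() uses.

```c
#include <stdio.h>
#include <string.h>

/* Length of the tail of a section that must be zero-filled: the gap
 * between the end of the file-backed bytes and the end of the virtual
 * extent. Returns 0 on success, -1 if the header is inconsistent
 * (more file data than the section's virtual extent can hold), which is
 * exactly the case where end - file_size would wrap. `out` may be NULL. */
int section_zero_fill_len(size_t end, size_t file_size, size_t *out)
{
    if (file_size > end) {
        if (out) *out = 0;
        return -1;
    }
    if (out) *out = end - file_size;
    return 0;
}

/* The unchecked expression from the report, kept only to show the wrap. */
size_t unchecked_zero_fill_len(size_t end, size_t file_size)
{
    return end - file_size;
}

/* Simulated mapping of one section into an image buffer (hypothetical,
 * stands in for the real loader). Every bound is validated before any
 * byte is written. Returns 0 on success, -1 if the section is rejected. */
int map_section(unsigned char *image, size_t image_size,
                size_t virtual_address, size_t end, size_t file_size,
                const unsigned char *file_data)
{
    size_t fill;

    /* section must lie entirely inside the image */
    if (virtual_address > image_size || end > image_size - virtual_address)
        return -1;
    /* file_size must not exceed the virtual extent (no wrap possible) */
    if (section_zero_fill_len(end, file_size, &fill) != 0)
        return -1;

    memcpy(image + virtual_address, file_data, file_size);
    memset(image + virtual_address + file_size, 0, fill);
    return 0;
}

/* Constructed scenario: an 8 KiB image, one section at VA 0x1000 with a
 * 2 KiB virtual extent and 16 bytes of file data. Returns 1 if the data
 * landed, the tail was zeroed, nothing outside the section was touched,
 * and the report's inconsistent header is rejected; 0 otherwise. */
int demo_mapping(void)
{
    unsigned char image[8192];
    unsigned char data[16];
    size_t va = 0x1000, end = 2048;

    memset(image, 0xFF, sizeof image);  /* sentinel outside the section */
    memset(data, 0xAA, sizeof data);

    if (map_section(image, sizeof image, va, end, sizeof data, data) != 0)
        return 0;
    if (image[va + 15] != 0xAA || image[va + 16] != 0x00 ||
        image[va + end - 1] != 0x00 || image[va + end] != 0xFF)
        return 0;

    /* the header from the report: file data longer than the section */
    if (map_section(image, sizeof image, va, 3815, 110873, data) != -1)
        return 0;
    return 1;
}

int main(void)
{
    /* values from the gdb session in the report */
    size_t end = 3815, file_size = 110873, len;

    printf("unchecked memset length: %zu\n",
           unchecked_zero_fill_len(end, file_size));
    if (section_zero_fill_len(end, file_size, &len) != 0)
        printf("rejected: file_size %zu exceeds section end %zu\n",
               file_size, end);
    printf("simulated mapping %s\n", demo_mapping() ? "ok" : "FAILED");
    return 0;
}
```

The defensive shape is the one the report asks for: validate the relationship between the two sizes before they reach memset(), and treat a violation as a malformed PE header to be refused rather than as a length to be passed through.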