[Bug 20759] New: Read buffer overflow in NdrConformantArrayMarshall?

wine-bugs at winehq.org wine-bugs at winehq.org
Thu Nov 19 14:12:23 CST 2009


http://bugs.winehq.org/show_bug.cgi?id=20759

           Summary: Read buffer overflow in NdrConformantArrayMarshall?
           Product: Wine
           Version: 1.1.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: source, testcase
          Severity: normal
          Priority: P2
         Component: rpc
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: dank at kegel.com


http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/vg-ole32_marshal.txt
contains a new warning thanks to the heap tail check:

 Invalid read of size 1
    at  memcpy (mc_replace_strmem.c:482)
    by  safe_copy_to_buffer (ndr_marshall.c:707)
    by  array_write_variance_and_marshall (ndr_marshall.c:1926)
    by  NdrConformantArrayMarshall (ndr_marshall.c:3626)
    by  PointerMarshall (ndr_marshall.c:816)
    by  NdrPointerMarshall (ndr_marshall.c:1488)
    by  PointerMarshall (ndr_marshall.c:816)
    by  NdrPointerMarshall (ndr_marshall.c:1488)
    by  IRemUnknown_RemQueryInterface_Stub (dcom_p.c:386)
    by  CStdStubBuffer_Invoke (cstub.c:475)
    by  RPC_ExecuteCall (rpc.c:1392)
    by  apartment_wndproc (compobj.c:885)
    by  ??? (library.h:159)
    by  call_window_proc (winproc.c:469)
    by  WINPROC_CallProcAtoW (winproc.c:1023)
    by  WINPROC_call_window (winproc.c:2225)
    by  DispatchMessageA (message.c:3089)
    by  host_object_proc (marshal.c:253)
    by  ??? (signal_i386.c:2312)
    by  call_thread_entry_point (signal_i386.c:2338)
  Address 0x7f04822f is 3 bytes after a block of size 44 alloc'd
    at  notify_alloc (heap.c:279)
    by  RtlAllocateHeap (heap.c:1521)
    by  IMalloc_fnAlloc (ifs.c:186)
    by  CoTaskMemAlloc (ifs.c:562)
    by  RemUnknown_RemQueryInterface (stubmanager.c:657)
    by  IRemUnknown_RemQueryInterface_Stub (dcom_p.c:370)
    by  CStdStubBuffer_Invoke (cstub.c:475)
    by  RPC_ExecuteCall (rpc.c:1392)
    by  apartment_wndproc (compobj.c:885)
    by  ??? (library.h:159)
    by  call_window_proc (winproc.c:469)
    by  WINPROC_CallProcAtoW (winproc.c:1023)
    by  WINPROC_call_window (winproc.c:2225)
    by  DispatchMessageA (message.c:3089)
    by  host_object_proc (marshal.c:253)
    by  ??? (signal_i386.c:2312)
    by  call_thread_entry_point (signal_i386.c:2338)
    by  start_thread (thread.c:469)
    by  start_thread (pthread_create.c:297)
    by  clone (clone.S:130)

This can be reproduced locally by setting up valgrind as described in
http://wiki.winehq.org/Valgrind and applying the heap tail check patch to wine,
starting winemine (to avoid valgrinding services), then running

WINETEST_PLATFORM=wine WINE_HEAP_REDZONE=16 valgrind --trace-children=yes --track-origins=yes --num-callers=30 wine ole32_test.exe.so marshal

(And, bonus deal, there's a null ptr crash in the same log file later down:
Backtrace:
=>0 test_local_server+0x5e4() [dlls/ole32/tests/marshal.c:2711] in ole32_test 
  1 func_marshal+0x1ab() [dlls/ole32/tests/marshal.c:3092] in ole32_test 
...
2711        IClassFactory_Release(cf);
but I suppose that might be a different bug.)
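As an added illustration (not Wine's code and not part of the report above), the following shows the kind of bounds check that turns this class of over-read into a reported error rather than a memcpy past the end of a heap block. The hypothetical marshal_conformant_array writes the 4-byte NDR conformance count followed by the elements, but only after confirming that count * elem_size fits inside the source block the caller actually owns and that the wire buffer has room. The wire_buffer type, the marshal_status values, the function names and the 44-byte block / 48-element scenario are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire-buffer descriptor; it is not Wine's MIDL_STUB_MESSAGE. */
typedef struct {
    unsigned char *buffer;
    size_t         capacity;
    size_t         used;
} wire_buffer;

typedef enum {
    MARSHAL_OK = 0,
    MARSHAL_ERR_OVERFLOW,   /* count * elem_size does not fit in size_t */
    MARSHAL_ERR_SRC_SHORT,  /* source block is smaller than count * elem_size */
    MARSHAL_ERR_DST_FULL    /* wire buffer cannot take 4 + count * elem_size bytes */
} marshal_status;

/* Marshal a conformant array: a 4-byte little-endian max count followed by
 * the elements. Unlike an unchecked copy, this refuses to read past the
 * caller-supplied source size, so an inconsistent count is reported instead
 * of becoming the "Invalid read" that valgrind flagged in the report. */
marshal_status marshal_conformant_array(wire_buffer *out,
                                        const unsigned char *src, size_t src_size,
                                        uint32_t count, size_t elem_size)
{
    size_t bytes, room;

    /* Reject counts whose byte total would wrap before the comparison. */
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return MARSHAL_ERR_OVERFLOW;
    bytes = (size_t)count * elem_size;

    /* This is the check whose absence lets memcpy run past the block. */
    if (bytes > src_size)
        return MARSHAL_ERR_SRC_SHORT;

    room = out->capacity - out->used;
    if (room < 4 || room - 4 < bytes)
        return MARSHAL_ERR_DST_FULL;

    /* Conformance prefix: the element count, little-endian. */
    out->buffer[out->used++] = (unsigned char)(count & 0xff);
    out->buffer[out->used++] = (unsigned char)((count >> 8) & 0xff);
    out->buffer[out->used++] = (unsigned char)((count >> 16) & 0xff);
    out->buffer[out->used++] = (unsigned char)((count >> 24) & 0xff);

    memcpy(out->buffer + out->used, src, bytes);
    out->used += bytes;
    return MARSHAL_OK;
}

/* Constructed scenario modelled on the report: a 44-byte block (standing in
 * for the CoTaskMemAlloc'd block in the valgrind trace) and a caller whose
 * element count claims more bytes than the block holds. */
marshal_status demo_count_exceeds_block(void)
{
    unsigned char block[44];
    unsigned char wire[64];
    wire_buffer out = { wire, sizeof wire, 0 };

    memset(block, 0xAB, sizeof block);
    /* 48 one-byte elements against 44 bytes: an unchecked memcpy would read
     * 4 bytes past the block; the checked version refuses instead. */
    return marshal_conformant_array(&out, block, sizeof block, 48, 1);
}

/* Well-formed case: three 16-bit elements. Returns the number of wire bytes
 * produced (4-byte count + 6 bytes of payload = 10), or 0 on any error. */
size_t demo_three_shorts(unsigned char *wire_out, size_t wire_cap)
{
    static const unsigned char elems[6] = { 0x01, 0x00, 0x02, 0x00, 0x03, 0x00 };
    wire_buffer out = { wire_out, wire_cap, 0 };

    if (marshal_conformant_array(&out, elems, sizeof elems, 3, 2) != MARSHAL_OK)
        return 0;
    return out.used;
}

int main(void)
{
    unsigned char wire[32];
    size_t n = demo_three_shorts(wire, sizeof wire);

    printf("over-long count rejected: %s\n",
           demo_count_exceeds_block() == MARSHAL_ERR_SRC_SHORT ? "yes" : "no");
    printf("three shorts marshalled to %zu wire bytes\n", n);
    return 0;
}
```

Under the heap tail check described in the report, the unchecked variant of this copy is exactly what produces an "Invalid read ... bytes after a block" warning; the point of passing src_size alongside the element count is that the marshaller has something to compare the count against, so the mismatch surfaces as MARSHAL_ERR_SRC_SHORT at the call site instead of only under valgrind.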
