[Bug 20759] New: Read buffer overflow in NdrConformantArrayMarshall?
wine-bugs at winehq.org
Thu Nov 19 14:12:23 CST 2009
http://bugs.winehq.org/show_bug.cgi?id=20759
Summary: Read buffer overflow in NdrConformantArrayMarshall?
Product: Wine
Version: 1.1.33
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: source, testcase
Severity: normal
Priority: P2
Component: rpc
AssignedTo: wine-bugs at winehq.org
ReportedBy: dank at kegel.com
http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/vg-ole32_marshal.txt
contains a new warning thanks to the heap tail check:
Invalid read of size 1
at memcpy (mc_replace_strmem.c:482)
by safe_copy_to_buffer (ndr_marshall.c:707)
by array_write_variance_and_marshall (ndr_marshall.c:1926)
by NdrConformantArrayMarshall (ndr_marshall.c:3626)
by PointerMarshall (ndr_marshall.c:816)
by NdrPointerMarshall (ndr_marshall.c:1488)
by PointerMarshall (ndr_marshall.c:816)
by NdrPointerMarshall (ndr_marshall.c:1488)
by IRemUnknown_RemQueryInterface_Stub (dcom_p.c:386)
by CStdStubBuffer_Invoke (cstub.c:475)
by RPC_ExecuteCall (rpc.c:1392)
by apartment_wndproc (compobj.c:885)
by ??? (library.h:159)
by call_window_proc (winproc.c:469)
by WINPROC_CallProcAtoW (winproc.c:1023)
by WINPROC_call_window (winproc.c:2225)
by DispatchMessageA (message.c:3089)
by host_object_proc (marshal.c:253)
by ??? (signal_i386.c:2312)
by call_thread_entry_point (signal_i386.c:2338)
Address 0x7f04822f is 3 bytes after a block of size 44 alloc'd
at notify_alloc (heap.c:279)
by RtlAllocateHeap (heap.c:1521)
by IMalloc_fnAlloc (ifs.c:186)
by CoTaskMemAlloc (ifs.c:562)
by RemUnknown_RemQueryInterface (stubmanager.c:657)
by IRemUnknown_RemQueryInterface_Stub (dcom_p.c:370)
by CStdStubBuffer_Invoke (cstub.c:475)
by RPC_ExecuteCall (rpc.c:1392)
by apartment_wndproc (compobj.c:885)
by ??? (library.h:159)
by call_window_proc (winproc.c:469)
by WINPROC_CallProcAtoW (winproc.c:1023)
by WINPROC_call_window (winproc.c:2225)
by DispatchMessageA (message.c:3089)
by host_object_proc (marshal.c:253)
by ??? (signal_i386.c:2312)
by call_thread_entry_point (signal_i386.c:2338)
by start_thread (thread.c:469)
by start_thread (pthread_create.c:297)
by clone (clone.S:130)
This can be reproduced locally by setting up valgrind as described in
http://wiki.winehq.org/Valgrind and applying the heap tail check patch to wine,
starting winemine (to avoid valgrinding services), then running
WINETEST_PLATFORM=wine WINE_HEAP_REDZONE=16 valgrind --trace-children=yes --track-origins=yes --num-callers=30 wine ole32_test.exe.so marshal
(And, bonus deal, there's a null ptr crash in the same log file later down:
Backtrace:
=>0 test_local_server+0x5e4() [dlls/ole32/tests/marshal.c:2711] in ole32_test
1 func_marshal+0x1ab() [dlls/ole32/tests/marshal.c:3092] in ole32_test
...
2711 IClassFactory_Release(cf);
but I suppose that might be a different bug.)