[Bug 20760] New: Write buffer overrun in CreateFileMoniker()

wine-bugs at winehq.org wine-bugs at winehq.org
Thu Nov 19 14:25:05 CST 2009


http://bugs.winehq.org/show_bug.cgi?id=20760

           Summary: Write buffer overrun in CreateFileMoniker()
           Product: Wine
           Version: 1.1.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: source, testcase
          Severity: normal
          Priority: P2
         Component: ole32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: dank at kegel.com


http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/diff-hlink_hlink.txt
http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/vg-hlink_hlink.txt
shows a new error thanks to the heap tail check.

Looks like a level-of-indirection-during-allocation error,
  1039     strgtable = CoTaskMemAlloc(len*sizeof(WCHAR));
should be
  1039     strgtable = CoTaskMemAlloc(len*sizeof(WCHAR *));

Ulrich, you were in there last, could you have a look?

 Invalid write of size 4
   at  FileMonikerImpl_DecomposePath (filemoniker.c:1056)
   by  FileMonikerImpl_Construct (filemoniker.c:1375)
   by  CreateFileMoniker (filemoniker.c:1443)
   by  FileMoniker_CreateFromDisplayName (filemoniker.c:1484)
   by  MkParseDisplayName (moniker.c:1130)
   by  HlinkCreateFromString (hlink_main.c:124)
   by  test_persist (hlink.c:479)
   by  func_hlink (hlink.c:1122)
   by  run_test (test.h:535)
   by  main (test.h:585)
 Address 0x7f04416c is 4 bytes inside a block of size 6 alloc'd
   at  notify_alloc (heap.c:279)
   by  RtlAllocateHeap (heap.c:1521)
   by  IMalloc_fnAlloc (ifs.c:186)
   by  CoTaskMemAlloc (ifs.c:562)
   by  FileMonikerImpl_DecomposePath (filemoniker.c:1039)
   by  FileMonikerImpl_Construct (filemoniker.c:1375)
   by  CreateFileMoniker (filemoniker.c:1443)
   by  FileMoniker_CreateFromDisplayName (filemoniker.c:1484)
   by  MkParseDisplayName (moniker.c:1130)
   by  HlinkCreateFromString (hlink_main.c:124)
   by  test_persist (hlink.c:479)

This can be reproduced locally by setting up valgrind as described in
http://wiki.winehq.org/Valgrind and applying the heap tail check patch to wine,
starting winemine (to avoid valgrinding services), then running

cd dlls/ole32/tests
WINETEST_PLATFORM=wine WINE_HEAP_REDZONE=16 valgrind --trace-children=yes --track-origins=yes --num-callers=30 wine ole32_test.exe.so moniker

although when I do that with today's sources, I get the slightly different
error

Invalid write of size 4
   at FileMonikerImpl_DecomposePath (filemoniker.c:1087)
   by FileMonikerImpl_Construct (filemoniker.c:1375)
   by FileMonikerCF_CreateInstance (filemoniker.c:1593)
   by CoCreateInstance (compobj.c:2502)
   by get_unmarshaler_from_stream (marshal.c:1575)
   by CoReleaseMarshalData (marshal.c:1882)
   by rot_entry_delete (moniker.c:182)
   by RunningObjectTableImpl_Revoke (moniker.c:595)
   by test_ROT (moniker.c:632)
   by func_moniker (moniker.c:1943)
 Address 0x7f03fcb0 is 0 bytes after a block of size 0 alloc'd
   at notify_alloc (heap.c:279)
   by RtlAllocateHeap (heap.c:1521)
   by IMalloc_fnAlloc (ifs.c:186)
   by CoTaskMemAlloc (ifs.c:562)
   by FileMonikerImpl_DecomposePath (filemoniker.c:1039)
   by FileMonikerImpl_Construct (filemoniker.c:1375)
   by FileMonikerCF_CreateInstance (filemoniker.c:1593)
   by CoCreateInstance (compobj.c:2502)
   by get_unmarshaler_from_stream (marshal.c:1575)
   by CoReleaseMarshalData (marshal.c:1882)
   by rot_entry_delete (moniker.c:182)
   by RunningObjectTableImpl_Revoke (moniker.c:595)
   by test_ROT (moniker.c:632)
   by func_moniker (moniker.c:1943)

There's a simpler, similar looking error later on:

Invalid write of size 4
   at 0xD876677: FileMonikerImpl_DecomposePath (filemoniker.c:1087)
   by 0xD8771E0: FileMonikerImpl_Construct (filemoniker.c:1375)
   by 0xD877514: CreateFileMoniker (filemoniker.c:1443)
   by 0xCF306BC: test_file_moniker (moniker.c:1387)
   by 0xCF30A50: test_file_monikers (moniker.c:1448)
   by 0xCF333FC: func_moniker (moniker.c:1947)
 Address 0x7f045468 is 8 bytes inside a block of size 10 alloc'd
   at 0xCC8463B: notify_alloc (heap.c:279)
   by 0xCC844D9: RtlAllocateHeap (heap.c:1521)
   by 0xD87B372: IMalloc_fnAlloc (ifs.c:186)
   by 0xD87C38E: CoTaskMemAlloc (ifs.c:562)
   by 0xD8764EA: FileMonikerImpl_DecomposePath (filemoniker.c:1039)
   by 0xD8771E0: FileMonikerImpl_Construct (filemoniker.c:1375)
   by 0xD877514: CreateFileMoniker (filemoniker.c:1443)
   by 0xCF306BC: test_file_moniker (moniker.c:1387)
