[Bug 20760] New: Write buffer overrun in CreateFileMoniker()
wine-bugs at winehq.org
wine-bugs at winehq.org
Thu Nov 19 14:25:05 CST 2009
http://bugs.winehq.org/show_bug.cgi?id=20760
Summary: Write buffer overrun in CreateFileMoniker()
Product: Wine
Version: 1.1.33
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: source, testcase
Severity: normal
Priority: P2
Component: ole32
AssignedTo: wine-bugs at winehq.org
ReportedBy: dank at kegel.com
http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/diff-hlink_hlink.txt
http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/vg-hlink_hlink.txt
shows a new error thanks to the heap tail check.
Looks like a level-of-indirection-during-allocation error,
1039 strgtable = CoTaskMemAlloc(len*sizeof(WCHAR));
should be
1039 strgtable = CoTaskMemAlloc(len*sizeof(WCHAR *));
Ulrich, you were in there last, could you have a look?
Invalid write of size 4
at FileMonikerImpl_DecomposePath (filemoniker.c:1056)
by FileMonikerImpl_Construct (filemoniker.c:1375)
by CreateFileMoniker (filemoniker.c:1443)
by FileMoniker_CreateFromDisplayName (filemoniker.c:1484)
by MkParseDisplayName (moniker.c:1130)
by HlinkCreateFromString (hlink_main.c:124)
by test_persist (hlink.c:479)
by func_hlink (hlink.c:1122)
by run_test (test.h:535)
by main (test.h:585)
Address 0x7f04416c is 4 bytes inside a block of size 6 alloc'd
at notify_alloc (heap.c:279)
by RtlAllocateHeap (heap.c:1521)
by IMalloc_fnAlloc (ifs.c:186)
by CoTaskMemAlloc (ifs.c:562)
by FileMonikerImpl_DecomposePath (filemoniker.c:1039)
by FileMonikerImpl_Construct (filemoniker.c:1375)
by CreateFileMoniker (filemoniker.c:1443)
by FileMoniker_CreateFromDisplayName (filemoniker.c:1484)
by MkParseDisplayName (moniker.c:1130)
by HlinkCreateFromString (hlink_main.c:124)
by test_persist (hlink.c:479)
This can be reproduced locally by setting up valgrind as described in
http://wiki.winehq.org/Valgrind and applying the heap tail check patch to wine,
starting winemine (to avoid valgrinding services), then running
cd dlls/ole32/tests
WINETEST_PLATFORM=wine WINE_HEAP_REDZONE=16 valgrind --trace-children=yes
--track-origins=yes --num-callers=30 wine ole32_test.exe.so moniker
although when I do that with today's sources, I get the slightly different
error
Invalid write of size 4
at FileMonikerImpl_DecomposePath (filemoniker.c:1087)
by FileMonikerImpl_Construct (filemoniker.c:1375)
by FileMonikerCF_CreateInstance (filemoniker.c:1593)
by CoCreateInstance (compobj.c:2502)
by get_unmarshaler_from_stream (marshal.c:1575)
by CoReleaseMarshalData (marshal.c:1882)
by rot_entry_delete (moniker.c:182)
by RunningObjectTableImpl_Revoke (moniker.c:595)
by test_ROT (moniker.c:632)
by func_moniker (moniker.c:1943)
Address 0x7f03fcb0 is 0 bytes after a block of size 0 alloc'd
at notify_alloc (heap.c:279)
by RtlAllocateHeap (heap.c:1521)
by IMalloc_fnAlloc (ifs.c:186)
by CoTaskMemAlloc (ifs.c:562)
by FileMonikerImpl_DecomposePath (filemoniker.c:1039)
by FileMonikerImpl_Construct (filemoniker.c:1375)
by FileMonikerCF_CreateInstance (filemoniker.c:1593)
by CoCreateInstance (compobj.c:2502)
by get_unmarshaler_from_stream (marshal.c:1575)
by CoReleaseMarshalData (marshal.c:1882)
by rot_entry_delete (moniker.c:182)
by RunningObjectTableImpl_Revoke (moniker.c:595)
by test_ROT (moniker.c:632)
by func_moniker (moniker.c:1943)
There's a simpler, similar looking error later on:
Invalid write of size 4
at 0xD876677: FileMonikerImpl_DecomposePath (filemoniker.c:1087)
by 0xD8771E0: FileMonikerImpl_Construct (filemoniker.c:1375)
by 0xD877514: CreateFileMoniker (filemoniker.c:1443)
by 0xCF306BC: test_file_moniker (moniker.c:1387)
by 0xCF30A50: test_file_monikers (moniker.c:1448)
by 0xCF333FC: func_moniker (moniker.c:1947)
Address 0x7f045468 is 8 bytes inside a block of size 10 alloc'd
at 0xCC8463B: notify_alloc (heap.c:279)
by 0xCC844D9: RtlAllocateHeap (heap.c:1521)
by 0xD87B372: IMalloc_fnAlloc (ifs.c:186)
by 0xD87C38E: CoTaskMemAlloc (ifs.c:562)
by 0xD8764EA: FileMonikerImpl_DecomposePath (filemoniker.c:1039)
by 0xD8771E0: FileMonikerImpl_Construct (filemoniker.c:1375)
by 0xD877514: CreateFileMoniker (filemoniker.c:1443)
by 0xCF306BC: test_file_moniker (moniker.c:1387)
--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the wine-bugs
mailing list