[Bug 20860] New: Read buffer overflow in INTERNET_SendCallback in wininet... calling strlen on non-nul-terminated buffer?
wine-bugs at winehq.org
wine-bugs at winehq.org
Sat Nov 28 14:21:55 CST 2009
http://bugs.winehq.org/show_bug.cgi?id=20860
Summary: Read buffer overflow in INTERNET_SendCallback in
wininet... calling strlen on non-nul-terminated
buffer?
Product: Wine
Version: 1.1.33
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: download, source, testcase
Severity: normal
Priority: P2
Component: wininet
AssignedTo: wine-bugs at winehq.org
ReportedBy: dank at kegel.com
The sixth error in
http://kegel.com/wine/valgrind/logs/2009-11-27-12.53/vg-urlmon_protocol.txt
is
Invalid read of size 2
at strlenW (unicode.h:216)
by heap_strdupW (internet.h:65)
by INTERNET_SendCallback (utility.c:313)
by SendAsyncCallbackProc (utility.c:351)
by INTERNET_WorkerThreadFunc (internet.c:3128)
by worker_thread_proc (threadpool.c:114)
Address 0x7f0ccac6 is 0 bytes after a block of size 14 alloc'd
at RtlAllocateHeap (heap.c:1697)
by SendAsyncCallback (utility.c:380)
by FTP_Connect (ftp.c:2447)
by INTERNET_InternetOpenUrlW (internet.c:2860)
by AsyncInternetOpenUrlProc (internet.c:2946)
by INTERNET_WorkerThreadFunc (internet.c:3128)
It looks like wininet's INTERNET_SendCallback() function
is using strlen when it shouldn't... it's even passed the
length as a parameter?
--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the wine-bugs
mailing list