[Bug 37820] New: Import of registry files via builtin 'regedit' causes REG_SZ values with additional NULL terminator being written to registry

wine-bugs at winehq.org wine-bugs at winehq.org
Thu Jan 1 14:54:20 CST 2015


https://bugs.winehq.org/show_bug.cgi?id=37820

            Bug ID: 37820
           Summary: Import of registry files via builtin 'regedit' causes
                    REG_SZ values with additional NULL terminator being
                    written to registry
           Product: Wine
           Version: 1.7.33
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: programs
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Found while investigating bug 37818.

After putting a substitute for CLSID
'{0003000D-0000-0000-C000-000000000046}' (Sound OLE1 class) into the registry via
.reg file import, it still fails the same way.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Monopolie

$ WINEDEBUG=+tid,+seh,+relay,+ole,+variant,+ntdll,+reg,+server wine
./Monopolie\ 0.9.7.exe >>log.txt 2>&1
...
0009:Call ole32.OleLoad(0020bab8,73476c78,01149714,0033e6f4) ret=734aa991
0009:trace:ole:OleLoad (0x20bab8, {00000112-0000-0000-c000-000000000046},
0x1149714, 0x33e6f4)
0009:trace:ole:CoCreateInstance (rclsid={0003000d-0000-0000-c000-000000000046},
pUnkOuter=(nil), dwClsContext=00000003,
riid={00000112-0000-0000-c000-000000000046}, ppv=0x33e5fc)
0009:trace:ole:CoGetTreatAsClass
({0003000d-0000-0000-c000-000000000046},0x33e4e8)
0009:Call ntdll.RtlInitUnicodeString(0033e330,0033e382
L"CLSID\\{0003000D-0000-0000-C000-000000000046}") ret=7e94c764
0009:Ret  ntdll.RtlInitUnicodeString() retval=0033e330 ret=7e94c764
0009:Call ntdll.NtOpenKey(0033e37c,00020019,0033e338) ret=7e94c780
0009:trace:reg:NtOpenKey
(0x6c,L"CLSID\\{0003000D-0000-0000-C000-000000000046}",20019,0x33e37c)
0009: open_key( parent=006c, access=00020019, attributes=00000000,
name=L"CLSID\\{0003000D-0000-0000-C000-000000000046}" )
0009: open_key() = 0 { hkey=00a0 }
0009:trace:reg:NtOpenKey <- 0xa0
0009:Ret  ntdll.NtOpenKey() retval=00000000 ret=7e94c780
0009:Call ntdll.RtlNtStatusToDosError(00000000) ret=7e94c78b
0009:Ret  ntdll.RtlNtStatusToDosError() retval=00000000 ret=7e94c78b
0009:Call ntdll.RtlInitUnicodeString(0033e330,7ea301f4 L"TreatAs") ret=7e94c764
0009:Ret  ntdll.RtlInitUnicodeString() retval=0033e330 ret=7e94c764
0009:Call ntdll.NtOpenKey(0033e468,00020019,0033e338) ret=7e94c780
0009:trace:reg:NtOpenKey (0xa0,L"TreatAs",20019,0x33e468)
0009: open_key( parent=00a0, access=00020019, attributes=00000000,
name=L"TreatAs" )
0009: open_key() = 0 { hkey=00a4 }
0009:trace:reg:NtOpenKey <- 0xa4
0009:Ret  ntdll.NtOpenKey() retval=00000000 ret=7e94c780
0009:Call ntdll.RtlNtStatusToDosError(00000000) ret=7e94c78b
0009:Ret  ntdll.RtlNtStatusToDosError() retval=00000000 ret=7e94c78b
0009:Call advapi32.RegCloseKey(000000a0) ret=7e9511f9
0009: close_handle( handle=00a0 )
0009: close_handle() = 0
0009:Ret  advapi32.RegCloseKey() retval=00000000 ret=7e9511f9
0009:Call advapi32.RegQueryValueW(000000a4,00000000,0033e41a,0033e414)
ret=7e9542a8
0009:trace:reg:RegQueryValueW (0xa4,(null),0x33e41a,78)
0009:trace:reg:RegQueryValueExW (0xa4,(null),(nil),(nil),0x33e41a,0x33e414=78)
0009:trace:reg:NtQueryValueKey (0xa4,(null),2,0x33e1fc,90)
0009: get_key_value( hkey=00a4, name=L"" )
0009: get_key_value() = 0 { type=1, total=80,
data={7b,00,46,00,32,00,30,00,44,00,41,00,37,00,32,00,30,00,2d,00,43,00,30,00,32,00,46,00,2d,00,31,00,31,00,43,00,45,00,2d,00,39,00,32,00,37,00,42,00,2d,00,30,00,38,00,30,00,30,00,30,00,39,00,35,00,41,00,45,00,33,00,34,00,30,00,7d,00,00,00}
}
0009:Ret  advapi32.RegQueryValueW() retval=000000ea ret=7e9542a8
0009:Call advapi32.RegCloseKey(000000a4) ret=7e954347
0009: close_handle( handle=00a4 )
0009: close_handle() = 0
0009:Ret  advapi32.RegCloseKey() retval=00000000 ret=7e954347
0009:trace:ole:CoGetClassObject CLSID:
{0003000d-0000-0000-c000-000000000046},IID:
{00000001-0000-0000-c000-000000000046} 
...
--- snip ---

The caller reads the CLSID value using a buffer of 78 bytes, which is
CHARS_IN_GUID (39), including the NULL terminator.

Surprisingly, wineserver returned "2 more bytes available" (essentially another
NULL terminator) -> STATUS_BUFFER_OVERFLOW.

Directly looking at the registry hive data reveals the problem:

--- snip ---
$ grep -A2 "{0003000D-0000-0000-C000-000000000046}" system.reg 

[Software\\Classes\\CLSID\\{0003000D-0000-0000-C000-000000000046}] 1420142748
@="Sound\0"

[Software\\Classes\\CLSID\\{0003000D-0000-0000-C000-000000000046}\\NotInsertable]
1420142748

[Software\\Classes\\CLSID\\{0003000D-0000-0000-C000-000000000046}\\TreatAs]
1420142748
@="{F20DA720-C02F-11CE-927B-0800095AE340}\0"
--- snip ---

Upon import with 'regedit', REG_SZ values got another NULL terminator appended
besides the "builtin" one, causing breakage later.

--- snip ---
...
0009:Call advapi32.RegCreateKeyExW(80000000,0011936e
L"CLSID\\{0003000D-0000-0000-C000-000000000046}\\TreatAs",00000000,00000000,00000000,000f003f,00000000,7ed85c3c,0033f660)
ret=7ed2021d
0009:trace:reg:NtCreateKey
(0x24,L"CLSID\\{0003000D-0000-0000-C000-000000000046}\\TreatAs",(null),0,f003f,0x7ed85c3c)
0009: create_key( parent=0024, access=000f003f, attributes=00000000,
options=00000000, namelen=104,
name=L"CLSID\\{0003000D-0000-0000-C000-000000000046}\\TreatAs", class=L"" )
0009: create_key() = 0 { hkey=0028, created=1 }
0009:trace:reg:NtCreateKey <- 0x28 
...
0009:Call ntdll.strpbrk(0011ebf8
"@=\"{F20DA720-C02F-11CE-927B-0800095AE340}\"\r\n",7ed260db "\r\n")
ret=7ed20b14
0009:Ret  ntdll.strpbrk() retval=0011ec22 ret=7ed20b14
0009:Call msvcrt.feof(7ec8e440) ret=7ed20b22
0009:Ret  msvcrt.feof() retval=00000000 ret=7ed20b22
0009:Call KERNEL32.MultiByteToWideChar(00000000,00000000,0011ebf8
"@=\"{F20DA720-C02F-11CE-927B-0800095AE340}\"",ffffffff,00000000,00000000)
ret=7ed1f423
0009:Ret  KERNEL32.MultiByteToWideChar() retval=0000002b ret=7ed1f423
0009:Call ntdll.RtlAllocateHeap(00110000,00000000,00000056) ret=7ed1f452
0009:Ret  ntdll.RtlAllocateHeap() retval=00119348 ret=7ed1f452
0009:Call KERNEL32.MultiByteToWideChar(00000000,00000000,0011ebf8
"@=\"{F20DA720-C02F-11CE-927B-0800095AE340}\"",ffffffff,00119348,0000002b)
ret=7ed1f4d2
0009:Ret  KERNEL32.MultiByteToWideChar() retval=0000002b ret=7ed1f4d2
0009:Call KERNEL32.lstrcmpW(0011934c
L"\"{F20DA720-C02F-11CE-927B-0800095AE340}\"",0033f5d8 L"-") ret=7ed1ff56
0009:Ret  KERNEL32.lstrcmpW() retval=00000001 ret=7ed1ff56
0009:Call advapi32.RegSetValueExW(00000028,00119348
L"",00000000,00000001,0011934e,00000050) ret=7ed2014b
0009:trace:reg:NtSetValueKey (0x28,L"",1,0x11934e,80)
0009: set_key_value( hkey=0028, type=1, namelen=0, name=L"",
data={7b,00,46,00,32,00,30,00,44,00,41,00,37,00,32,00,30,00,2d,00,43,00,30,00,32,00,46,00,2d,00,31,00,31,00,43,00,45,00,2d,00,39,00,32,00,37,00,42,00,2d,00,30,00,38,00,30,00,30,00,30,00,39,00,35,00,41,00,45,00,33,00,34,00,30,00,7d,00,00,00,00,00}
)
0009: set_key_value() = 0
0009:Ret  advapi32.RegSetValueExW() retval=00000000 ret=7ed2014b 
--- snip ---

Source:
http://source.winehq.org/git/wine.git/blob/fb37d215cd31bcd0adafa87c1d216027cff028db:/programs/regedit/regproc.c#l352

Likely the result of
http://source.winehq.org/git/wine.git/commitdiff/c35bca6561a0150425a1838d4677d202cad65da5
and probably not intended.

$ sha1sum monopolie0.9.7-installer.exe 
b7cff9b04b11c55b5d1fa4cddb2f0914f61b6653  monopolie0.9.7-installer.exe

$ du -sh monopolie0.9.7-installer.exe 
1.7M    monopolie0.9.7-installer.exe

$ wine --version
wine-1.7.33-117-g6bab173

Regards
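As an added illustration (not part of the original report or of Wine's own code), the following Python decodes the REG_SZ bytes from the set_key_value() trace above, counts the trailing NUL terminators and checks whether the stored data would fit the 78-byte CHARS_IN_GUID buffer the caller used; the function names are my own.

```python
"""Added example: check a REG_SZ blob from a wineserver trace for an
extra NUL terminator, the defect described in the bug report."""

CHARS_IN_GUID = 39   # 38 GUID characters plus one NUL terminator
WCHAR_SIZE = 2       # REG_SZ data is stored as UTF-16LE code units

# Byte dump copied from the set_key_value() line in the report's trace.
TRACE_DATA = ("7b,00,46,00,32,00,30,00,44,00,41,00,37,00,32,00,30,00,2d,00,"
              "43,00,30,00,32,00,46,00,2d,00,31,00,31,00,43,00,45,00,2d,00,"
              "39,00,32,00,37,00,42,00,2d,00,30,00,38,00,30,00,30,00,30,00,"
              "39,00,35,00,41,00,45,00,33,00,34,00,30,00,7d,00,00,00,00,00")


def parse_trace_bytes(dump: str) -> bytes:
    """Turn the 'xx,xx,...' hex list printed by wineserver into bytes."""
    return bytes(int(tok, 16) for tok in dump.split(",") if tok)


def decode_reg_sz(data: bytes) -> str:
    """Decode as a C caller would see it: the text up to the first NUL."""
    return data.decode("utf-16-le").split("\0", 1)[0]


def count_nul_terminators(data: bytes) -> int:
    """Number of trailing NUL code units; a correct REG_SZ has exactly one."""
    units = [data[i:i + WCHAR_SIZE] for i in range(0, len(data), WCHAR_SIZE)]
    n = 0
    while units and units[-1] == b"\x00\x00":
        units.pop()
        n += 1
    return n


def expected_reg_sz_size(text: str) -> int:
    """Byte size a correct writer stores: the characters plus one NUL."""
    return (len(text) + 1) * WCHAR_SIZE


def query_value_fits(data: bytes, buffer_size: int) -> bool:
    """Mirror RegQueryValueExW: the whole stored blob must fit the caller's
    buffer, otherwise ERROR_MORE_DATA (retval 0xea in the trace) results."""
    return len(data) <= buffer_size


def analyze(dump: str) -> dict:
    """Summarise one traced REG_SZ blob against the CHARS_IN_GUID buffer."""
    data = parse_trace_bytes(dump)
    text = decode_reg_sz(data)
    return {"text": text,
            "stored_size": len(data),
            "expected_size": expected_reg_sz_size(text),
            "nul_terminators": count_nul_terminators(data),
            "fits_guid_buffer": query_value_fits(data, CHARS_IN_GUID * WCHAR_SIZE)}


if __name__ == "__main__":
    print(analyze(TRACE_DATA))
```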
