[Bug 38955] New: Visual Studio Code installer crashes on startup (parsing of overly long string-format security descriptor causes stack corruption)
wine-bugs at winehq.org
Mon Jul 20 15:56:53 CDT 2015
https://bugs.winehq.org/show_bug.cgi?id=38955
Bug ID: 38955
Summary: Visual Studio Code installer crashes on startup (parsing of overly long string-format security descriptor causes stack corruption)
Product: Wine
Version: 1.7.47
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: advapi32
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
the installer passes an overly long string-format security descriptor which is greater than MAX_PATH.
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./VSCodeSetup.exe >>log.txt 2>&1
...
0044:Call advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW(004237d0 L"D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A"...,00000001,0033d5a0,00000000) ret=004022d7
0044:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7ea9690c ip=7ea9690c tid=0044
0044:trace:seh:raise_exception info[0]=00000001
0044:trace:seh:raise_exception info[1]=00d1d326
0044:trace:seh:raise_exception eax=004f0049 ebx=0033d540 ecx=0033d480 edx=0033d294 esi=0033d584 edi=0033d550
0044:trace:seh:raise_exception ebp=0033d4c8 esp=0033d260 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
...
Unhandled exception: page fault on write access to 0x003b0041 in 32-bit code (0x7ea99089).
...
Backtrace:
=>0 0x7ea99089 ParseStringSidToSid+0x3a4(StringSid="PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)?????", pSid=0x3b0041, cBytes=0x33d28c) [/home/focht/projects/wine/wine.repo/src/dlls/advapi32/security.c:5587] in advapi32 (0x0033d258)
  1 0x7ea969c7 ParseStringSecurityDescriptorToSecurityDescriptor+0x197(StringSecurityDescriptor="", SecurityDescriptor=0x610030, cBytes=0x3b0039) [/home/focht/projects/wine/wine.repo/src/dlls/advapi32/security.c:4577] in advapi32 (0x0033d4c8)
  2 0x00310078 (0x0030003b)
0x7ea99089 ParseStringSidToSid+0x3a4 [/home/focht/projects/wine/wine.repo/src/dlls/advapi32/security.c:5587] in advapi32: movb $0x1,0x0(%eax)
5587 pisid->Revision = SDDL_REVISION;
Modules:
Module Address Debug info Name (66 modules)
PE 400000- 3e07000 Deferred vscodesetup
ELF 7b800000-7ba71000 Deferred kernel32<elf>
\-PE 7b820000-7ba71000 \ kernel32
...
Threads:
process tid prio (all id:s are in hex)
...
00000043 (D) Z:\home\focht\Downloads\VSCodeSetup.exe
00000044 0 <==
--- snip ---
Source:
https://source.winehq.org/git/wine.git/blob/3e55f1d2cc673d55ee342ff168a335b321501ee0:/dlls/advapi32/security.c#l4508
--- snip ---
4508 static BOOL ParseStringSecurityDescriptorToSecurityDescriptor(
4509     LPCWSTR StringSecurityDescriptor,
4510     SECURITY_DESCRIPTOR_RELATIVE* SecurityDescriptor,
4511     LPDWORD cBytes)
4512 {
4513     BOOL bret = FALSE;
4514     WCHAR toktype;
4515     WCHAR tok[MAX_PATH];
4516     LPCWSTR lptoken;
4517     LPBYTE lpNext = NULL;
4518     DWORD len;
4519 
4520     *cBytes = sizeof(SECURITY_DESCRIPTOR);
4521 
4522     if (SecurityDescriptor)
4523         lpNext = (LPBYTE)(SecurityDescriptor + 1);
...
--- snip ---
$ sha1sum VSCodeSetup.exe
c971e8805aa21ef6483e04434cb819e524e682f0 VSCodeSetup.exe
$ du -sh VSCodeSetup.exe
59M VSCodeSetup.exe
$ wine --version
wine-1.7.47-162-g0f9a0aa
Regards
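An added example, not Wine's code or the reporter's, illustrating the bug class in this report: a section tokenizer for string-format security descriptors that sizes its scratch buffer from the input instead of a fixed `tok[MAX_PATH]` array, so an overlong O:/G:/D:/S: section cannot overrun the stack. It assumes narrow chars and the plain section grammar (no conditional-ACE syntax); `REPORT_SDDL` is the DACL string reconstructed from the backtrace above, and `parse_sections`, `body_len` and `on_section` are names chosen here.

```c
/* Added example, not Wine's code: bounded tokenizer for the O:/G:/D:/S:
 * sections of a string-format security descriptor (narrow chars, no
 * conditional-ACE syntax), using a scratch buffer sized from the input
 * instead of the fixed tok[MAX_PATH] array seen in the report. */
#include <stdlib.h>
#include <string.h>
#define MAX_PATH 260   /* fixed buffer size in the report's snippet */

/* DACL string from the report's backtrace ("?????" stack garbage dropped). */
static const char REPORT_SDDL[] =
    "D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)"
    "(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)"
    "(A;OICIIO;GXGR;;;AC)";

/* Section marker: "O:", "G:", "D:" or "S:". */
static int is_marker(const char *p)
{
    return p[0] && strchr("OGDS", p[0]) && p[1] == ':';
}

/* The body at p runs to the next marker or the end of the string, so its
 * length is entirely caller-controlled: >= MAX_PATH overruns tok[MAX_PATH]. */
size_t body_len(const char *p)
{
    const char *q = p;
    while (*q && !is_marker(q)) q++;
    return (size_t)(q - p);
}

/* Hardened parse: the scratch buffer is as large as the whole input, so no
 * section can overflow it. Returns the section count, or -1 if malloc fails. */
int parse_sections(const char *sddl, void (*on_section)(char, const char *))
{
    char *tok = malloc(strlen(sddl) + 1);
    int count = 0;
    if (!tok) return -1;
    for (const char *p = sddl; *p; p++)
        if (is_marker(p)) {
            size_t n = body_len(p + 2);
            memcpy(tok, p + 2, n);
            tok[n] = '\0';
            if (on_section) on_section(p[0], tok);   /* type letter, body */
            count++;
            p += 1 + n;   /* loop increment lands on the next marker */
        }
    free(tok);
    return count;
}
```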