[Bug 48245] New: wbemlocator parse_resource contains non-null terminated string, causing garbage output in trace logs
WineHQ Bugzilla
wine-bugs at winehq.org
Sun Dec 8 06:22:00 CST 2019
https://bugs.winehq.org/show_bug.cgi?id=48245
Bug ID: 48245
Summary: wbemlocator parse_resource contains non-null
terminated string, causing garbage output in trace
logs
Product: Wine
Version: 4.21
Hardware: x86-64
OS: Linux
Status: NEW
Severity: trivial
Priority: P2
Component: wmi&wbemprox
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
found while investigating/relay tracing an app that makes use of WMI:
--- snip ---
...
004a:trace:wbemprox:wbem_locator_ConnectServer 0077F6A0, L"\\\\.\\ROOT\\CIMV2", (null), (null), (null), 0x00000000, (null), 00000000, 0146FE14)
004a:Call ntdll.RtlAllocateHeap(00110000,00000000,00000004) ret=6795ad1b
004a:trace:heap:RtlAllocateHeap (0x110000,70000062,00000004): returning 0x77cd30
004a:Ret ntdll.RtlAllocateHeap() retval=0077cd30 ret=6795ad1b
004a:Call msvcrt.memcpy(0077cd30,001f4ec8,00000002) ret=6795ad3b
004a:Ret msvcrt.memcpy() retval=0077cd30 ret=6795ad3b
004a:Call msvcrt._wcsnicmp(6796ab4c L"ROOT\3130\3332\3534\3736\3938\6261\6463\6665\6277\6d65\6c5f\636f\7461\726f\435f\6e6f\656e\7463\6553\7672\7265",001f4ecc L"ROOT\\CIMV2",00000004) ret=6795b074
004a:Ret msvcrt._wcsnicmp() retval=00000000 ret=6795b074
004a:Call msvcrt._wcsicmp(001f4ed6 L"CIMV2",6796ab40 L"CIMV2") ret=6795aec0
004a:Ret msvcrt._wcsicmp() retval=00000000 ret=6795aec0
004a:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=6795af05
004a:trace:heap:RtlAllocateHeap (0x110000,70000062,0000000c): returning 0x1d3af0
004a:Ret ntdll.RtlAllocateHeap() retval=001d3af0 ret=6795af05
004a:Call msvcrt.memcpy(001d3af0,001f4ecc,0000000a) ret=6795af25
004a:Ret msvcrt.memcpy() retval=001d3af0 ret=6795af25
004a:Call msvcrt.wcscmp(0077cd30 L".",6796ab2c L".") ret=6795abe6
004a:Ret msvcrt.wcscmp() retval=00000000 ret=6795abe6
004a:trace:wbemprox:WbemServices_create (0146FE14)
...
--- snip ---
The trace log contains garbage characters because the string is not NULL
terminated. Technically there is nothing wrong here - but still it would make
the log output less suspicious (uninitialized/corrupted memory).
Wine source:
https://source.winehq.org/git/wine.git/blob/dba0dd41613a91f17142a9bd8ea12b5abb881433:/dlls/wbemprox/wbemlocator.c#l99
--- snip ---
 99 static HRESULT parse_resource( const WCHAR *resource, WCHAR **server, WCHAR **namespace )
100 {
101     static const WCHAR rootW[] = {'R','O','O','T'};
102     static const WCHAR cimv2W[] = {'C','I','M','V','2',0};
103     static const WCHAR defaultW[] = {'D','E','F','A','U','L','T',0};
104     HRESULT hr = WBEM_E_INVALID_NAMESPACE;
105     const WCHAR *p, *q;
106     unsigned int len;
107
108     *server = NULL;
109     *namespace = NULL;
110     p = q = resource;
111     if (*p == '\\' || *p == '/')
112     {
113         p++;
114         if (*p == '\\' || *p == '/') p++;
115         if (!*p) return WBEM_E_INVALID_NAMESPACE;
116         if (*p == '\\' || *p == '/') return WBEM_E_INVALID_PARAMETER;
117         q = p + 1;
118         while (*q && *q != '\\' && *q != '/') q++;
119         if (!*q) return WBEM_E_INVALID_NAMESPACE;
120         len = q - p;
121         if (!(*server = heap_alloc( (len + 1) * sizeof(WCHAR) )))
122         {
123             hr = E_OUTOFMEMORY;
124             goto done;
125         }
126         memcpy( *server, p, len * sizeof(WCHAR) );
127         (*server)[len] = 0;
128         q++;
129     }
130     if (!*q) goto done;
131     p = q;
132     while (*q && *q != '\\' && *q != '/') q++;
133     len = q - p;
134     if (len >= ARRAY_SIZE( rootW ) && wcsnicmp( rootW, p, len )) goto done;
135     if (!*q)
...
158     return hr;
159 }
--- snip ---
Line 101 'rootW' is causing the garbage trace output in line 134.
$ wine --version
wine-4.21-183-gac24504034
Regards
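
Added example, not part of the original report and not Wine code: a small C model of why the counted compare in line 134 is sound while the relay tracer, which prints the argument as a zero-terminated wide string, runs past the 4-character array. The memory layout is constructed from the 16-bit values shown in the trace above; `WCHAR16`, `image`, `scan_unbounded`, `cmp_counted` and `words_to_bytes` are hypothetical names. Reinterpreting the trailing values as bytes yields plain ASCII, which is consistent with adjacent constant data rather than corrupted memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* assumption: 16-bit WCHAR, as on Windows/Wine */
#define ROOT_LEN 4          /* ARRAY_SIZE(rootW) for the unterminated array */

/* Constructed layout: rootW followed by the 16-bit values the trace on this
 * page printed after "ROOT", then a terminator where the tracer stopped. */
static const WCHAR16 image[] = { 'R','O','O','T',
    0x3130,0x3332,0x3534,0x3736,0x3938,0x6261,0x6463,0x6665,0x6277,0x6d65,0x6c5f,
    0x636f,0x7461,0x726f,0x435f,0x6e6f,0x656e,0x7463,0x6553,0x7672,0x7265, 0 };

/* What a tracer does with a "wide string" argument: scan to the first 0. */
size_t scan_unbounded(const WCHAR16 *s) {
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* Counted ASCII case-insensitive compare: reads at most n characters. */
int cmp_counted(const WCHAR16 *a, const WCHAR16 *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        WCHAR16 x = a[i], y = b[i];
        if (x >= 'A' && x <= 'Z') x += 32;
        if (y >= 'A' && y <= 'Z') y += 32;
        if (x != y) return x < y ? -1 : 1;
        if (!x) break;
    }
    return 0;
}

/* Reinterpret n 16-bit values as little-endian byte pairs (outsz >= 1). */
size_t words_to_bytes(const WCHAR16 *w, size_t n, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < n && o + 2 < outsz; i++) {
        out[o++] = (char)(w[i] & 0xff);
        out[o++] = (char)(w[i] >> 8);
    }
    out[o] = 0;
    return o;
}
int main(void) {
    char tail[64];
    size_t seen = scan_unbounded(image);
    words_to_bytes(image + ROOT_LEN, seen - ROOT_LEN, tail, sizeof tail);
    printf("tracer scans %zu chars, caller compares %d, tail (%zu bytes): %s\n",
           seen, ROOT_LEN, strlen(tail), tail);
    return 0;
}
```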