Rémi Bernon : ntdll: Fix environment memcpy read overflow (valgrind).

Alexandre Julliard julliard at winehq.org
Tue Mar 9 14:55:19 CST 2021


Module: wine
Branch: master
Commit: f69e5478d5f5ca2201fd9115b34afc95c3f00187
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=f69e5478d5f5ca2201fd9115b34afc95c3f00187

Author: Rémi Bernon <rbernon at codeweavers.com>
Date:   Mon Mar  8 09:14:19 2021 +0100

ntdll: Fix environment memcpy read overflow (valgrind).

  Invalid read of size 1
     at 0x7BC5C5E3: memcpy (string.c:109)
     by 0x7BC267F7: RtlCreateProcessParametersEx (env.c:785)
     by 0x7B04EB57: create_process_params (process.c:183)
     by 0x7B04EB57: CreateProcessInternalW (process.c:544)
     by 0x7B0508E3: CreateProcessW (process.c:668)
     by 0x403B1E: runCmd (wineboot.c:1055)
     by 0x403B1E: process_run_key (wineboot.c:1126)
     by 0x404228: ProcessRunKeys (wineboot.c:1159)
     by 0x406DB1: main (wineboot.c:1707)
   Address 0x7ffffe00331a is 0 bytes after a recently re-allocated block of size 12,074 alloc'd
     at 0x7BC2D209: notify_alloc (heap.c:260)
     by 0x7BC2D209: RtlAllocateHeap (heap.c:1713)
     by 0x7BC25BAC: RtlSetEnvironmentVariable (env.c:515)
     by 0x7BC25EE0: set_env_var (env.c:61)
     by 0x7BC26C37: set_wow64_environment (env.c:228)
     by 0x7BC26C37: init_user_process_params (env.c:891)
     by 0x7BC3B01B: process_init (loader.c:3991)
     by 0x7BC3CD24: __wine_set_unix_funcs (loader.c:4095)
     by 0x469604E: start_main_thread (loader.c:1752)
     by 0x469604E: __wine_main (loader.c:2083)
     by 0x7D001231: main (main.c:157)

Signed-off-by: Rémi Bernon <rbernon at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/ntdll/env.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/dlls/ntdll/env.c b/dlls/ntdll/env.c
index a18d1446db4..75ea2ebbb45 100644
--- a/dlls/ntdll/env.c
+++ b/dlls/ntdll/env.c
@@ -762,14 +762,13 @@ NTSTATUS WINAPI RtlCreateProcessParametersEx( RTL_USER_PROCESS_PARAMETERS **resu
             + ROUND_SIZE( ShellInfo->MaximumLength )
             + ROUND_SIZE( RuntimeInfo->MaximumLength ));
 
-    env_size = ROUND_SIZE( env_size );
-    if ((ptr = RtlAllocateHeap( GetProcessHeap(), HEAP_ZERO_MEMORY, size + env_size )))
+    if ((ptr = RtlAllocateHeap( GetProcessHeap(), HEAP_ZERO_MEMORY, size + ROUND_SIZE( env_size ) )))
     {
         RTL_USER_PROCESS_PARAMETERS *params = ptr;
         params->AllocationSize  = size;
         params->Size            = size;
         params->Flags           = PROCESS_PARAMS_FLAG_NORMALIZED;
-        params->EnvironmentSize = env_size;
+        params->EnvironmentSize = ROUND_SIZE( env_size );
         if (cur_params) params->ConsoleFlags = cur_params->ConsoleFlags;
         /* all other fields are zero */
 
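Review bot: ROUND_SIZE( env_size ) is now evaluated twice in this hunk, once in the RtlAllocateHeap size and again when storing params->EnvironmentSize, and the two must stay identical or the reported environment size will no longer match what was allocated. Computing it once, e.g. `SIZE_T env_alloc = ROUND_SIZE( env_size );` before the allocation and using `size + env_alloc` and `params->EnvironmentSize = env_alloc;`, keeps them in sync while still leaving env_size itself unrounded for the environment copy that the valgrind trace places at env.c:785. That later memcpy is outside this hunk, so the reviewer should confirm it copies env_size bytes (the caller's real buffer length) rather than params->EnvironmentSize; with HEAP_ZERO_MEMORY the bytes between env_size and the rounded size are already zero, so copying only env_size bytes is sufficient and no longer reads past the source block.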



