Buffer overrun in LsaLookupNames2() found with valgrind+wine+new heap patch

Dan Kegel dank at kegel.com
Thu Nov 19 00:00:45 CST 2009


Here's the first error it helped Valgrind find in tonight's automated run:

../../../tools/runtest -q -P wine -M advapi32.dll -T ../../.. -p
advapi32_test.exe.so lsa.c && touch lsa.ok
...
Invalid write of size 1
   at memmove (mc_replace_strmem.c:613)
   by RtlCopySid (sec.c:376)
   by CopySid (security.c:905)
   by lookup_local_wellknown_name (security.c:2800)
   by lookup_name (lsa.c:308)
   by LsaLookupNames2 (lsa.c:411)
   by test_LsaLookupNames2 (lsa.c:336)
   by func_lsa (lsa.c:362)
 Address 0x7f03c550 is 6 bytes after a block of size 26 alloc'd
   at notify_alloc (heap.c:279)
   by RtlAllocateHeap (heap.c:1521)
   by LsaLookupNames2 (lsa.c:402)
   by test_LsaLookupNames2 (lsa.c:336)
   by func_lsa (lsa.c:362)

Offhand that looks like a real problem.  Aric, you may have touched
that code last; could you have a look?

Oh, and here's a bit that was missing from the patch.
- Dan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flg.patch
Type: text/x-patch
Size: 527 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20091118/deb83118/attachment.bin>
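A small triage helper, added here as an example and not part of the mail or of Wine: it parses a Valgrind "Invalid write" block like the one above (the sample is constructed from the quoted trace), works out how far the write runs past the allocation, and finds the innermost function that is on both the writing and the allocating stack, i.e. the likely owner of the undersized buffer.

```python
import re

# Constructed sample in the same format as the Valgrind report quoted in the mail.
SAMPLE_REPORT = """\
Invalid write of size 1
   at memmove (mc_replace_strmem.c:613)
   by RtlCopySid (sec.c:376)
   by CopySid (security.c:905)
   by lookup_local_wellknown_name (security.c:2800)
   by lookup_name (lsa.c:308)
   by LsaLookupNames2 (lsa.c:411)
 Address 0x7f03c550 is 6 bytes after a block of size 26 alloc'd
   at notify_alloc (heap.c:279)
   by RtlAllocateHeap (heap.c:1521)
   by LsaLookupNames2 (lsa.c:402)
"""
HEADER_RE = re.compile(r"^Invalid (read|write) of size (\d+)")
ADDR_RE = re.compile(r"^\s*Address 0x[0-9a-fA-F]+ is (\d+) bytes after a block of size (\d+)")
FRAME_RE = re.compile(r"^\s+(?:at|by) (.+)$")

def func_name(frame):
    return frame.split(" (")[0]          # "RtlCopySid (sec.c:376)" -> "RtlCopySid"

def parse_overrun(report):
    """Summarise one Valgrind error block whose address lies past a heap block."""
    # "is K bytes after a block of size S": address = S+K from the allocation start.
    lines = report.splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an 'Invalid read/write' block")
    kind, size = m.group(1), int(m.group(2))
    access_frames, alloc_frames = [], []
    frames, block_size, after = access_frames, None, None
    for line in lines[1:]:
        a = ADDR_RE.match(line)
        if a:                      # everything below this line is the allocation stack
            after, block_size = int(a.group(1)), int(a.group(2))
            frames = alloc_frames
        elif FRAME_RE.match(line):
            frames.append(FRAME_RE.match(line).group(1))
    if block_size is None:
        raise ValueError("report does not describe an access past a heap block")
    offset = block_size + after
    alloc_funcs = {func_name(f) for f in alloc_frames}
    # Innermost writer-side frame that is also on the allocation stack: the buffer's owner.
    common = next((func_name(f) for f in access_frames if func_name(f) in alloc_funcs), None)
    return {"kind": kind, "block_size": block_size, "offset": offset,
            "needed_size": offset + size, "overrun_bytes": offset + size - block_size,
            "common_function": common, "access_frames": access_frames, "alloc_frames": alloc_frames}
```

For the quoted trace this reports a 1-byte write at offset 32 of a 26-byte block, so the buffer would have needed at least 33 bytes, with LsaLookupNames2 as the function that both allocated the block and sits on the copying stack.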