locale: Fix for too small buffers

Andrew de Quincey adq_dvb at lidskialf.net
Tue Dec 2 14:01:18 CST 2003


Hi, found a problem with the latest locale changes. When it calls the 
GetLocaleInfoW() function, the attached error occurs.

This occurred because of the new code using the LOCALE_RETURN_NUMBER flag. The 
problem is if the buffer supplied to get_registry_locale_info is quite small 
(say sizeof(INT)). The value returned by NtQueryValueKey(), however, is for a 
string, and is much longer. As NtQueryValueKey updates the value of size, 
this caused other parts of the code to corrupt memory.
-------------- next part --------------
First chance exception: page fault on write access to 0x0000bad4 in 32-bit code (0x4021a1d0).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:003b GS:0033
 EIP:4021a1d0 ESP:406efc10 EBP:406efc1c EFLAGS:00210206(  R- 00  I   - -P1 )
 EAX:0000bac8 EBX:4024ce88 ECX:00000378 EDX:40370074
 ESI:403b8a70 EDI:403b8a50
Stack dump:
0x406efc10 (_end+0x156ce8):  403b8a50 403b8a50 40370000 406efc48
0x406efc20 (_end+0x156cf8):  4021a25f 40370000 403b8a50 00000020
0x406efc30 (_end+0x156d08):  403b8a50 00000001 00000001 4024ce88
0x406efc40 (_end+0x156d18):  403b8a50 40370000 406efc70 4021b368
0x406efc50 (_end+0x156d28):  40370000 403b8a50 40370000 403b8a50
0x406efc60 (_end+0x156d38):  00000000 405959e8 0000000c 403b8a58
0x406efc70 (_end+0x156d48):

Backtrace:
=>0 0x4021a1d0 (HEAP_CreateFreeBlock+0x120(subheap=0x40370000, ptr=0x403b8a50, size=0x20) [heap.c:417] in NTDLL.DLL) (ebp=406efc1c)
  1 0x4021a25f (HEAP_MakeInUseBlockFree+0x4f(subheap=0x40370000, pArena=0x403b8a50) [heap.c:468] in NTDLL.DLL) (ebp=406efc48)
  2 0x4021b368 (RtlFreeHeap+0xb8(heap=0x40370000, flags=0x2, ptr=0x403b8a58) [heap.c:1204] in NTDLL.DLL) (ebp=406efc70)
  3 0x404e8981 (HeapFree+0x21(heap=0x40370000, flags=0x0, ptr=0x403b8a58) [heap.c:285] in KERNEL32.DLL) (ebp=406efc88)
  4 0x404f4bab (get_registry_locale_info+0x15b(flags=0x0, value=0x40576294, buffer=0x0, len=0x0) [locale.c:822] in KERNEL32.DLL) (ebp=406efce8)
  5 0x404f4fae (GetLocaleInfoW+0x1be(lcid=0x809, lctype=0x1f, buffer=0x0, len=0x0) [locale.c:934] in KERNEL32.DLL) (ebp=406efd18)
  6 0x404f4cfa (GetLocaleInfoA+0x6a(lcid=0x809, lctype=0x1f, buffer=0x406efd64, len=0x100) [locale.c:859] in KERNEL32.DLL) (ebp=406efd44)
  7 0x004ce4df (idag.exe. at Droptarget@initialization$qqrv+0x6fd93 in idag.exe) (ebp=406efe64)
  8 0x004cf99a (idag.exe. at Droptarget@initialization$qqrv+0x7124e in idag.exe) (ebp=406efec0)
  9 0x004d0384 (idag.exe. at Droptarget@initialization$qqrv+0x71c38 in idag.exe) (ebp=406efed4)
  10 0x004e276d (idag.exe. at Droptarget@initialization$qqrv+0x84021 in idag.exe) (ebp=406efefc)
  11 0x004e2943 (idag.exe. at Droptarget@initialization$qqrv+0x841f7 in idag.exe) (ebp=406eff24)

0x4021a1d0 (HEAP_CreateFreeBlock+0x120 [heap.c:417] in NTDLL.DLL): movl %edx,0xc(%eax)
418             pNext->prev->next = pNext->next;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wine-localefix.patch
Type: text/x-diff
Size: 917 bytes
Desc: not available
Url : http://www.winehq.org/pipermail/wine-patches/attachments/20031202/6657a459/wine-localefix.bin
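The message above describes a size-confusion bug: a query routine reports the full size of the stored data through the caller's size variable even when the supplied buffer is too small, and later code treats that updated size as the number of valid bytes in the small buffer. The following C sketch is an added illustration of that failure mode and of one defensive pattern; it is my own code, not the attached wine-localefix.patch or Wine's locale.c. The functions model_query_value, buggy_bytes_trusted and safe_locale_info are hypothetical stand-ins for NtQueryValueKey and get_registry_locale_info, and the registry content is constructed.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned short WCHAR;            /* 16-bit code unit, as in Wine/Win32 */
#define LOCALE_RETURN_NUMBER 0x20000000  /* flag named in the message (Win32 value) */

/* Constructed registry content: the value is stored as a string even when
 * the caller asks for a number, which is what makes the sizes disagree. */
static const WCHAR REG_VALUE[] = { '1', '2', '5', '2', 0 };

/* Hypothetical model of an NtQueryValueKey-style query. Like the real call,
 * it writes the full size of the stored data back through *size even when
 * the buffer is too small, and then reports an overflow (-1). */
static int model_query_value(void *buffer, unsigned *size)
{
    unsigned needed = sizeof(REG_VALUE);   /* 10 bytes: four digits + terminator */
    unsigned avail = *size;
    *size = needed;                        /* updated regardless of success */
    if (buffer == NULL || avail < needed) return -1;
    memcpy(buffer, REG_VALUE, needed);
    return 0;
}

/* Buggy pattern from the message: the caller's (small) buffer is passed
 * straight through and the overwritten size is then trusted. Returns the
 * byte count a later copy or free would act on: 10, whatever len was. */
static unsigned buggy_bytes_trusted(unsigned char *buffer, unsigned len)
{
    unsigned size = len;
    model_query_value(buffer, &size);      /* status ignored, size clobbered */
    return size;
}

/* Shows the mismatch for a buffer of sizeof(int) bytes: returns 1 when the
 * trusted size exceeds what the buffer actually holds. */
static int buggy_would_overflow(void)
{
    unsigned char small[sizeof(int)];
    return buggy_bytes_trusted(small, sizeof(small)) > sizeof(small);
}

/* Hardened form (my own, not Wine's patch): query into a local buffer that
 * is large enough for the string, never trust size after a failed query,
 * and when a number was requested convert it and write exactly sizeof(int)
 * bytes. Returns bytes written, or 0 when the caller's buffer is too small. */
static unsigned safe_locale_info(unsigned flags, void *buffer, unsigned len)
{
    WCHAR tmp[64];
    unsigned size = sizeof(tmp);
    const WCHAR *p;
    int value = 0;

    if (model_query_value(tmp, &size) != 0) return 0;   /* size not meaningful here */

    if (flags & LOCALE_RETURN_NUMBER) {
        for (p = tmp; *p >= '0' && *p <= '9'; p++) value = value * 10 + (*p - '0');
        if (len < sizeof(int)) return 0;               /* caller's buffer checked first */
        memcpy(buffer, &value, sizeof(int));
        return sizeof(int);
    }
    if (len < size) return 0;                          /* string path: same check */
    memcpy(buffer, tmp, size);
    return size;
}

/* Convenience for checking the numeric path end to end. */
static int safe_locale_number(void)
{
    int out = 0;
    if (safe_locale_info(LOCALE_RETURN_NUMBER, &out, sizeof(out)) != sizeof(out)) return -1;
    return out;
}

int main(void)
{
    printf("buggy path trusts %u bytes for a %u-byte buffer (overflow=%d)\n",
           buggy_bytes_trusted(NULL, 0), (unsigned)sizeof(int), buggy_would_overflow());
    printf("hardened path returns %d\n", safe_locale_number());
    return 0;
}
```

The hardened routine keeps two sizes apart on purpose: the size the query reports for the stored data, and the length of the buffer the caller owns. Only the latter decides how many bytes may be written to or freed from the caller's memory, which is the invariant the crash in HEAP_CreateFreeBlock shows being violated.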

