rpcrt4: Use memcpy instead of strcpy to prevent a crash.
Alexander Morozov
amorozov at etersoft.ru
Thu Jul 16 07:57:29 CDT 2009
This patch prevents a crash on AltLinux. Glibc thinks that there is a buffer overflow
but really there is not.
$ rpm -q glibc-core
glibc-core-2.10.1-alt3
$ LANG=C WINEPREFIX=/home/amorozov/winehq ~/Projects/winehq/wine winecfg
wine: created the configuration directory '/home/amorozov/winehq'
ALSA lib seq_hw.c:457:(snd_seq_hw_open) open /dev/snd/seq failed: No such file or directory
Could not load wine-gecko. HTML rendering will be disabled.
*** buffer overflow detected ***: C:\windows\system32\services.exe terminated
wine: Unhandled page fault on read access to 0x00000010 at address 0x7eac9946 (thread 0016), starting debugger...
Unhandled exception: page fault on read access to 0x00000010 in 32-bit code (0x7eac9946).
Register dump:
CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
EIP:7eac9946 ESP:0074e0f4 EBP:0074e13c EFLAGS:00210246( R- -- I Z- -P- )
EAX:00000010 EBX:7eace104 ECX:00000000 EDX:00000000
ESI:0074e230 EDI:00000002
Stack dump:
0x0074e0f4: 0000000f 0074e284 000000c0 0074e170
0x0074e104: 0074e230 00000000 aaa41760 7eace104
0x0074e114: 0074e170 0074e230 0074e13c 7eaca763
0x0074e124: 0074e230 00000005 7eac96ab b7e7eff4
0x0074e134: 00000040 00000002 0074e2bc 7eaca812
0x0074e144: 0074e230 0074e2d0 00000000 0074e230
Backtrace:
=>0 0x7eac9946 in libgcc_s.so.1 (+0x5946) (0x0074e13c)
1 0x7eaca812 _Unwind_Backtrace+0x62() in libgcc_s.so.1 (0x0074e2bc)
2 0xb7e0fcf5 backtrace+0x75() in libc.so.6 (0x0074e2f0)
3 0xb7d989ab in libc.so.6 (+0x639ab) (0x0074e8ec)
4 0xb7e12f30 __fortify_fail+0x40() in libc.so.6 (0x0074e914)
5 0xb7e11180 in libc.so.6 (+0xdc180) (0x0074e924)
6 0xb7e104f4 __strcpy_chk+0x44() in libc.so.6 (0x0074e938)
7 0x7eb7456d RPCRT4_BuildBindAckHeader+0xfd(DataRepresentation=16, MaxTransmissionSize=5840,
MaxReceiveSize=5840, AssocGroupId=1, ServerAddress="\pipe\svcctl", Result=0, Reason=0, TransferId=<register EDI not
in topmost frame>) [/srv/amorozov/Projects/winehq/dlls/rpcrt4/rpc_message.c:274] in rpcrt4 (0x0074e988)
8 0x7eb78038 RPCRT4_worker_thread+0x378(the_arg=0x113bc8)
[/srv/amorozov/Projects/winehq/dlls/rpcrt4/rpc_server.c:193] in rpcrt4 (0x0074e9f8)
9 0x7bc78315 worker_thread_proc+0xf5(param=(nil))
[/srv/amorozov/Projects/winehq/dlls/ntdll/../../include/wine/port.h:411] in ntdll (0x0074ea68)
10 0x7bc6bbd8 call_thread_func+0xc() in ntdll (0x0074ea78)
11 0x7bc6bdd0 call_thread_entry_point+0x70(entry=0x7bc78220, arg=(nil))
[/srv/amorozov/Projects/winehq/dlls/ntdll/signal_i386.c:2301] in ntdll (0x0074eb48)
12 0x7bc74415 start_thread+0xf5(info=0x7ffccfb8) [/srv/amorozov/Projects/winehq/dlls/ntdll/thread.c:439] in ntdll
(0x0074f398)
13 0xb7e88480 start_thread+0xa0() in libpthread.so.0 (0x0074f498)
14 0xb7dfd37e __clone+0x5e() in libc.so.6 (0x00000000)
0x7eac9946: cmpw $0xb858,0x0(%eax)
Modules:
Module Address Debug info Name (34 modules)
ELF 7b800000-7b972000 Deferred kernel32<elf>
\-PE 7b820000-7b972000 \ kernel32
ELF 7bc00000-7bcbf000 Dwarf ntdll<elf>
\-PE 7bc10000-7bcbf000 \ ntdll
ELF 7bf00000-7bf04000 Deferred <wine-loader>
ELF 7eac4000-7eacf000 Export libgcc_s.so.1
ELF 7eacf000-7eb2c000 Deferred advapi32<elf>
\-PE 7eae0000-7eb2c000 \ advapi32
ELF 7eb2c000-7eb9f000 Dwarf rpcrt4<elf>
\-PE 7eb40000-7eb9f000 \ rpcrt4
ELF 7eb9f000-7ebc4000 Deferred services<elf>
\-PE 7ebb0000-7ebc4000 \ services
ELF 7ebc4000-7ebcb000 Deferred libnss_dns.so.2
ELF 7ebcb000-7ebd6000 Deferred libnss_nis.so.2
ELF 7ebd6000-7ebee000 Deferred libnsl.so.1
ELF 7ebee000-7ebfb000 Deferred libnss_nisplus.so.2
ELF 7ebfb000-7ec11000 Deferred libresolv.so.2
ELF 7ec11000-7ec19000 Deferred libkrb5support.so.0
ELF 7ec19000-7ec3e000 Deferred libk5crypto.so.3
ELF 7ec3e000-7ecce000 Deferred libkrb5.so.3
ELF 7ecce000-7ece2000 Deferred libz.so.1
ELF 7ece2000-7ee17000 Deferred libcrypto.so.7
ELF 7ee17000-7ee5c000 Deferred libssl.so.7
ELF 7ee5c000-7efb9000 Deferred libmysqlclient.so.15
ELF 7efb9000-7efc2000 Deferred libnss_mysql.so.2
ELF 7efc2000-7efea000 Deferred libm.so.6
ELF b7d22000-b7d2f000 Deferred libnss_files.so.2
ELF b7d31000-b7d35000 Deferred libdl.so.2
ELF b7d35000-b7e83000 Export libc.so.6
ELF b7e83000-b7e9b000 Export libpthread.so.0
ELF b7e9b000-b7e9d000 Deferred libkeyutils.so.1
ELF b7e9d000-b7ea0000 Deferred libcom_err.so.2
ELF b7eb1000-b7fef000 Deferred libwine.so.1
ELF b7ff0000-b800d000 Deferred ld-linux.so.2
Threads:
process tid prio (all id:s are in hex)
00000008
00000009 0
0000000a
0000000b 0
0000000c (D) C:\windows\system32\services.exe
00000016 0 <==
00000015 0
0000000e 0
0000000d 0
0000000f
00000010 0
00000013
00000014 0
Backtrace:
=>0 0x7eac9946 in libgcc_s.so.1 (+0x5946) (0x0074e13c)
1 0x7eaca812 _Unwind_Backtrace+0x62() in libgcc_s.so.1 (0x0074e2bc)
2 0xb7e0fcf5 backtrace+0x75() in libc.so.6 (0x0074e2f0)
3 0xb7d989ab in libc.so.6 (+0x639ab) (0x0074e8ec)
4 0xb7e12f30 __fortify_fail+0x40() in libc.so.6 (0x0074e914)
5 0xb7e11180 in libc.so.6 (+0xdc180) (0x0074e924)
6 0xb7e104f4 __strcpy_chk+0x44() in libc.so.6 (0x0074e938)
7 0x7eb7456d RPCRT4_BuildBindAckHeader+0xfd(DataRepresentation=16, MaxTransmissionSize=5840,
MaxReceiveSize=5840, AssocGroupId=1, ServerAddress="\pipe\svcctl", Result=0, Reason=0, TransferId=<register EDI not
in topmost frame>) [/srv/amorozov/Projects/winehq/dlls/rpcrt4/rpc_message.c:274] in rpcrt4 (0x0074e988)
8 0x7eb78038 RPCRT4_worker_thread+0x378(the_arg=0x113bc8)
[/srv/amorozov/Projects/winehq/dlls/rpcrt4/rpc_server.c:193] in rpcrt4 (0x0074e9f8)
9 0x7bc78315 worker_thread_proc+0xf5(param=(nil))
[/srv/amorozov/Projects/winehq/dlls/ntdll/../../include/wine/port.h:411] in ntdll (0x0074ea68)
10 0x7bc6bbd8 call_thread_func+0xc() in ntdll (0x0074ea78)
11 0x7bc6bdd0 call_thread_entry_point+0x70(entry=0x7bc78220, arg=(nil))
[/srv/amorozov/Projects/winehq/dlls/ntdll/signal_i386.c:2301] in ntdll (0x0074eb48)
12 0x7bc74415 start_thread+0xf5(info=0x7ffccfb8) [/srv/amorozov/Projects/winehq/dlls/ntdll/thread.c:439] in ntdll
(0x0074f398)
13 0xb7e88480 start_thread+0xa0() in libpthread.so.0 (0x0074f498)
14 0xb7dfd37e __clone+0x5e() in libc.so.6 (0x00000000)
err:seh:raise_exception Unhandled exception code c0000005 flags 0 addr 0x7eac9946
wine client error:16: write: Bad file descriptor
err:process:__wine_kernel_init boot event wait timed out
ALSA lib seq_hw.c:457:(snd_seq_hw_open) open /dev/snd/seq failed: No such file or directory
-------------- next part --------------
From bae879a0961e338a7cc59df967e1e1e10b21abdf Mon Sep 17 00:00:00 2001
From: Alexander Morozov <amorozov at etersoft.ru>
Date: Thu, 16 Jul 2009 15:57:01 +0400
Subject: [PATCH] rpcrt4: Use memcpy instead of strcpy to prevent a crash.
---
dlls/rpcrt4/rpc_message.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/dlls/rpcrt4/rpc_message.c b/dlls/rpcrt4/rpc_message.c
index cddfbd5..8d27a8c 100644
--- a/dlls/rpcrt4/rpc_message.c
+++ b/dlls/rpcrt4/rpc_message.c
@@ -269,7 +269,7 @@ RpcPktHdr *RPCRT4_BuildBindAckHeader(ULONG DataRepresentation,
header->bind_ack.assoc_gid = AssocGroupId;
server_address = (RpcAddressString*)(&header->bind_ack + 1);
server_address->length = strlen(ServerAddress) + 1;
- strcpy(server_address->string, ServerAddress);
+ memcpy(server_address->string, ServerAddress, server_address->length);
/* results is 4-byte aligned */
results = (RpcResults*)((ULONG_PTR)server_address + ROUND_UP(FIELD_OFFSET(RpcAddressString, string[server_address->length]), 4));
results->num_results = 1;
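Review bot: the swap to `memcpy` on the `strcpy(server_address->string, ServerAddress)` line silences the fortified check rather than recording why it is a false positive; add a comment on the new line saying that `string` is the trailing variable-length member of `RpcAddressString` and that the header was allocated with room for `server_address->length` bytes, otherwise the next reader will see a raw `memcpy` with a source-derived length and be tempted to put `strcpy` back. The fortified `strcpy` in the backtrace bounds the copy by the declared size of the destination member, not by the allocation, which is what fires here; `memcpy` with `server_address->length` copies exactly as many bytes as `strcpy` did, so nothing in this hunk checks `ServerAddress` against the space allocated for the header or against the width of the `length` field, and the comment should state where that guarantee comes from.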
--
1.6.3.3
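The allocation-and-copy pattern the patch relies on, written out as an added example that is not Wine code: it mirrors a trailing one-byte array member of the kind a fortified strcpy measures against, computes the allocation size from the address string up front, and checks the copy against that allocation before calling memcpy, which is the check the fortify wrapper cannot make for a heap buffer. The type names bind_ack_t, addr_string_t and results_t, the functions build_bind_ack, bind_ack_size and bind_ack_addr, and the 16-bit length field are all hypothetical stand-ins, not the rpcrt4 definitions.

```c
/* Added example, not Wine code: the trailing-array layout behind the
 * patched copy, with explicit size accounting. All type and function
 * names below are hypothetical stand-ins for the Wine structures. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROUND_UP(n, a) (((n) + (a) - 1) & ~((size_t)(a) - 1))

typedef struct {
    uint32_t assoc_gid;         /* stands in for header->bind_ack */
} bind_ack_t;

typedef struct {
    uint16_t length;            /* bytes in string[], NUL included (16-bit is assumed) */
    char     string[1];         /* trailing member: a fortified strcpy sees 1 byte here,
                                   the real room is whatever was allocated after it */
} addr_string_t;

typedef struct {
    uint8_t num_results;
} results_t;

/* Bytes occupied by the address block, rounded so results is 4-byte aligned. */
static size_t addr_block_size(size_t len)
{
    return ROUND_UP(offsetof(addr_string_t, string) + len, 4);
}

/* Total allocation for a bind_ack carrying server_addr. */
static size_t bind_ack_size(const char *server_addr)
{
    return sizeof(bind_ack_t) + addr_block_size(strlen(server_addr) + 1) + sizeof(results_t);
}

/* Allocate and fill a bind_ack. Returns NULL if server_addr cannot be described
 * by the length field or would not fit the allocation; *out_size gets the size. */
static bind_ack_t *build_bind_ack(uint32_t assoc_gid, const char *server_addr, size_t *out_size)
{
    size_t len = strlen(server_addr) + 1;
    if (len > UINT16_MAX)               /* would truncate the 16-bit length field */
        return NULL;

    size_t total = bind_ack_size(server_addr);
    unsigned char *buf = calloc(1, total);
    if (!buf)
        return NULL;

    bind_ack_t *hdr = (bind_ack_t *)buf;
    hdr->assoc_gid = assoc_gid;

    addr_string_t *sa = (addr_string_t *)(hdr + 1);
    sa->length = (uint16_t)len;

    /* The check fortify cannot do for a heap buffer: the copy must end inside the allocation. */
    size_t string_off = (size_t)((unsigned char *)sa->string - buf);
    if (string_off + len > total) {
        free(buf);
        return NULL;
    }
    memcpy(sa->string, server_addr, len);   /* len includes the NUL, as in the patch */

    results_t *res = (results_t *)((unsigned char *)sa + addr_block_size(len));
    res->num_results = 1;

    if (out_size)
        *out_size = total;
    return hdr;
}

static const addr_string_t *bind_ack_addr(const bind_ack_t *hdr)
{
    return (const addr_string_t *)(hdr + 1);
}

int main(void)
{
    size_t size = 0;
    bind_ack_t *hdr = build_bind_ack(1, "\\pipe\\svcctl", &size);
    if (!hdr)
        return 1;
    const addr_string_t *sa = bind_ack_addr(hdr);
    printf("allocated %zu bytes, address length %u: %s\n", size, sa->length, sa->string);
    free(hdr);
    return 0;
}
```

The point of the explicit offset check is that it is independent of how the compiler sizes `string[1]`: a fortified strcpy aborts on the declared member size, a plain memcpy trusts the caller, and only the comparison against `total` ties the copy to the bytes actually allocated.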
More information about the wine-patches mailing list