msvcrt.ecvt on Win9x and NT4 will corrupt memory if nrdigits < 0

Greg Geldorp ggeldorp at vmware.com
Mon Jul 19 06:24:53 CDT 2010


msvcrt:printf produces 3 failures on Win9x/NT4 (see
http://test.winehq.org/data/tests/msvcrt:printf.html), which should be skips.
Turns out that by the time the win_skip()s are executed, the winetest_platform
value is "window" instead of "windows". This is in turn caused by calling _ecvt
with a negative value for nrdigits.
The problem only occurs when environment variable WINETEST_PLATFORM is set. In
that case, winetest_platform points to a variable allocated using strdup(),
so on the msvcrt heap. winetest.exe by default sets WINETEST_PLATFORM so the
problem is visible for winetest.exe runs.
It appears that Win9x/NT4 _ecvt is buggy; it looks like it allocates some memory
and then uses its "count" argument without checking for < 0, possibly for
setting a NUL byte. This corrupts memory not belonging to _ecvt.
---
 dlls/msvcrt/tests/printf.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9365bda3a1e85b3a090d902b2f804df9cb52015b.diff
Type: text/x-patch
Size: 983 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-patches/attachments/20100719/7b08513d/attachment.bin>
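
The failure mode described in the message above, as an added example that is not part of the original post and is not msvcrt or Wine code: a constructed arena places a "windows" string directly before the conversion buffer of a hypothetical `model_ecvt`, so an unvalidated negative count puts the terminating NUL inside the neighbouring string. The arena layout, the count of -2 and all function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not msvcrt code: one arena stands in for the heap.
 * arena[0..7] is a strdup()-style copy of "windows"; the conversion
 * buffer of a hypothetical ecvt-like routine starts right after it. */
#define DIGITS_OFF 8
#define ARENA_SIZE 32
static char arena[ARENA_SIZE];

/* Copies up to ndigits digits, then terminates at buf[ndigits].
 * With checked == 0 the lower bound is not validated, which is the
 * behaviour the message attributes to Win9x/NT4 _ecvt. */
static int model_ecvt(const char *digits, int ndigits, int checked)
{
    char *buf = arena + DIGITS_OFF;
    int room = ARENA_SIZE - DIGITS_OFF - 1;
    int i;

    if (ndigits > room) ndigits = room;
    if (checked && ndigits < 0) ndigits = 0;  /* the missing check */
    if (DIGITS_OFF + ndigits < 0) return -1;  /* outside the model arena */

    for (i = 0; i < ndigits && digits[i]; i++)
        buf[i] = digits[i];
    for (; i < ndigits; i++)
        buf[i] = '0';                         /* pad when digits run out */
    buf[ndigits] = '\0';  /* negative ndigits: the write lands before buf */
    return 0;
}

/* Resets the arena, runs the model, returns the neighbouring string. */
static const char *platform_after(int ndigits, int checked)
{
    memset(arena, 0, sizeof(arena));
    strcpy(arena, "windows");
    model_ecvt("12345", ndigits, checked);
    return arena;
}

int main(void)
{
    printf("unchecked, ndigits=-2: \"%s\"\n", platform_after(-2, 0));
    printf("checked,   ndigits=-2: \"%s\"\n", platform_after(-2, 1));
    return 0;
}
```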

