advapi32/tests: Fix a buffer overflow when calling GetEventLogInformation.
Thomas Faber
thomas.faber at reactos.org
Mon Aug 11 13:09:22 CDT 2014
The test passes 2 * sizeof(EVENTLOG_FULL_INFORMATION) to the function
but only provides buffer space for one struct. The function zeroes out
the rest of a buffer passed in, so this overflows.
Found by MSVC runtime stack checking.
-------------- next part --------------
From 5f52d9a6b09dd7c2482f32acc4309b2a71011c99 Mon Sep 17 00:00:00 2001
From: Thomas Faber <thomas.faber at reactos.org>
Date: Mon, 11 Aug 2014 20:01:53 +0200
Subject: advapi32/tests: Fix a buffer overflow when calling
GetEventLogInformation.
---
dlls/advapi32/tests/eventlog.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/dlls/advapi32/tests/eventlog.c b/dlls/advapi32/tests/eventlog.c
index a3fe44b..1e48348 100644
--- a/dlls/advapi32/tests/eventlog.c
+++ b/dlls/advapi32/tests/eventlog.c
@@ -130,7 +130,8 @@ static void test_info(void)
HANDLE handle;
BOOL ret;
DWORD needed;
- EVENTLOG_FULL_INFORMATION efi;
+ BYTE buffer[2 * sizeof(EVENTLOG_FULL_INFORMATION)];
+ EVENTLOG_FULL_INFORMATION *efi = (void *)buffer;
if (!pGetEventLogInformation)
{
@@ -161,26 +162,26 @@ static void test_info(void)
ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
- ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, 0, NULL);
+ ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
needed = 0xdeadbeef;
- efi.dwFull = 0xdeadbeef;
- ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, 0, &needed);
+ efi->dwFull = 0xdeadbeef;
+ ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, &needed);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
- ok(efi.dwFull == 0xdeadbeef, "Expected no change to the dwFull member\n");
+ ok(efi->dwFull == 0xdeadbeef, "Expected no change to the dwFull member\n");
/* Not that we care, but on success last error is set to ERROR_IO_PENDING */
- efi.dwFull = 0xdeadbeef;
- needed *= 2;
- ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, needed, &needed);
+ efi->dwFull = 0xdeadbeef;
+ needed = sizeof(buffer);
+ ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, needed, &needed);
ok(ret, "Expected success\n");
ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
- ok(efi.dwFull == 0 || efi.dwFull == 1, "Expected 0 (not full) or 1 (full), got %d\n", efi.dwFull);
+ ok(efi->dwFull == 0 || efi->dwFull == 1, "Expected 0 (not full) or 1 (full), got %d\n", efi->dwFull);
CloseEventLog(handle);
}
--
1.9.0.msysgit.0
More information about the wine-patches
mailing list