[Bug 20860] New: Read buffer overflow in INTERNET_SendCallback in wininet... calling strlen on non-nul-terminated buffer?
http://bugs.winehq.org/show_bug.cgi?id=20860

           Summary: Read buffer overflow in INTERNET_SendCallback in
                    wininet... calling strlen on non-nul-terminated buffer?
           Product: Wine
           Version: 1.1.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: download, source, testcase
          Severity: normal
          Priority: P2
         Component: wininet
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: dank(a)kegel.com

The sixth error in
http://kegel.com/wine/valgrind/logs/2009-11-27-12.53/vg-urlmon_protocol.txt
is

 Invalid read of size 2
    at strlenW (unicode.h:216)
    by heap_strdupW (internet.h:65)
    by INTERNET_SendCallback (utility.c:313)
    by SendAsyncCallbackProc (utility.c:351)
    by INTERNET_WorkerThreadFunc (internet.c:3128)
    by worker_thread_proc (threadpool.c:114)
  Address 0x7f0ccac6 is 0 bytes after a block of size 14 alloc'd
    at RtlAllocateHeap (heap.c:1697)
    by SendAsyncCallback (utility.c:380)
    by FTP_Connect (ftp.c:2447)
    by INTERNET_InternetOpenUrlW (internet.c:2860)
    by AsyncInternetOpenUrlProc (internet.c:2946)
    by INTERNET_WorkerThreadFunc (internet.c:3128)

It looks like wininet's INTERNET_SendCallback() function is using strlen
when it shouldn't... it's even passed the length as a parameter?

--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=20860

--- Comment #1 from Juan Lang <juan_lang(a)yahoo.com> 2009-12-03 20:19:42 ---
The error is in the caller, which is passing too short a buffer. I'll send a
patch for this error, but others remain, especially in ftp.c. Here's one:

    SendAsyncCallback(&hIC->hdr, dwContext,
        INTERNET_STATUS_CONNECTED_TO_SERVER,
        &socketAddr, sock_namelen);

Note that utility.c assumes the lpvStatusInfo is a wide string, not a socket
address. Unless FTP cannot be used in async mode (I don't really know), this
is clearly bogus.

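The failure mode from the report and comment #1 (a callback duplicating status info with an unbounded strlen although the byte length is passed alongside it), as an added example that is not part of the thread and not Wine's code. WCHAR16, dup_status_string, copied_chars and demo_unterminated are hypothetical names and the sample value is constructed; it covers only the length handling, not the socket-address-versus-wide-string mismatch.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR16; /* hypothetical stand-in for a 16-bit WCHAR */

/* Duplicate callback status info passed as (pointer, byte length).
 * The length is the bound: scanning stops at len_bytes even if no NUL is
 * found, and the copy is always NUL-terminated. Returns NULL on bad input. */
WCHAR16 *dup_status_string(const void *info, size_t len_bytes, size_t *out_chars)
{
    if (!info || len_bytes % sizeof(WCHAR16)) return NULL;
    const WCHAR16 *src = info;
    size_t max_chars = len_bytes / sizeof(WCHAR16), n = 0;
    while (n < max_chars && src[n]) n++;   /* bounded, unlike a plain strlen */
    WCHAR16 *copy = malloc((n + 1) * sizeof(WCHAR16));
    if (!copy) return NULL;
    memcpy(copy, src, n * sizeof(WCHAR16));
    copy[n] = 0;
    if (out_chars) *out_chars = n;
    return copy;
}

/* Helper for checks: characters copied, or -1 if the input was rejected. */
long copied_chars(const void *info, size_t len_bytes)
{
    size_t n = 0;
    WCHAR16 *copy = dup_status_string(info, len_bytes, &n);
    if (!copy) return -1;
    long result = (copy[n] == 0) ? (long)n : -1;
    free(copy);
    return result;
}

/* Constructed input: a 14-byte heap block holding 7 characters and no NUL,
 * the same shape as the block in the valgrind report above. */
long demo_unterminated(void)
{
    static const char text[] = "1.2.3.4";       /* constructed sample value */
    WCHAR16 *buf = malloc(7 * sizeof(WCHAR16)); /* 14 bytes, no terminator */
    if (!buf) return -1;
    for (int i = 0; i < 7; i++) buf[i] = (WCHAR16)text[i];
    long n = copied_chars(buf, 7 * sizeof(WCHAR16));
    free(buf);
    return n;
}

int main(void) { return demo_unterminated() == 7 ? 0 : 1; }
```
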
http://bugs.winehq.org/show_bug.cgi?id=20860

--- Comment #2 from Juan Lang <juan_lang(a)yahoo.com> 2009-12-03 20:21:28 ---
Patch sent:
http://www.winehq.org/pipermail/wine-patches/2009-December/082211.html

http://bugs.winehq.org/show_bug.cgi?id=20860

Hans Leidekker <hans(a)meelstraat.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hans(a)meelstraat.net

--- Comment #3 from Hans Leidekker <hans(a)meelstraat.net> 2009-12-04 06:49:18 ---
I submitted a patch for the bug mentioned in comment #1:
http://www.winehq.org/pipermail/wine-patches/2009-December/082227.html

http://bugs.winehq.org/show_bug.cgi?id=20860

Juan Lang <juan_lang(a)yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Juan Lang <juan_lang(a)yahoo.com> 2009-12-04 09:44:45 ---
Fixed by commit b967fde0a86e5adaa7233d76b4691d6a5f5686ad. Hans helpfully fixed
the other bug I pointed out in 5f082498319ce279c7b5dfc381a2808dd76066fd, and
even added tests--w00t! Thanks Hans.

http://bugs.winehq.org/show_bug.cgi?id=20860

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Alexandre Julliard <julliard(a)winehq.org> 2009-12-04 12:16:41 ---
Closing bugs fixed in 1.1.34.