[Bug 20850] New: Write buffer overflow in WidenPath()
http://bugs.winehq.org/show_bug.cgi?id=20850

           Summary: Write buffer overflow in WidenPath()
           Product: Wine
           Version: 1.1.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: download, source, testcase
          Severity: normal
          Priority: P2
         Component: gdi32
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: dank(a)kegel.com

http://kegel.com/wine/valgrind/logs/2009-11-19-08.35/vg-gdi32_path.txt
has the warning

 Invalid write of size 4
    at PATH_WidenPath (path.c:1911)
    by WidenPath (path.c:2232)
    by test_widenpath (path.c:68)
    by func_path (path.c:508)
    by run_test (test.h:535)
    by main (test.h:585)
  Address 0x7f03bb48 is 0 bytes after a block of size 0 alloc'd
    at notify_alloc (heap.c:279)
    by RtlAllocateHeap (heap.c:1521)
    by PATH_WidenPath (path.c:1910)
    by WidenPath (path.c:2232)
    by test_widenpath (path.c:68)

The same problem appears in current sources, and has probably been there since 2007.

Looking at WidenPath(), it seems that maybe numStrokes should start at 1, not 0?

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=20850

--- Comment #1 from Nikolay Sivov <bunglehead(a)gmail.com> 2009-11-28 01:43:44 ---
(In reply to comment #0)
> Looking at WidenPath(), it seems that maybe numStrokes should start at 1, not 0?

Yeah, I think you're right, this looks pretty odd:
---
numStrokes = 0;
pStrokes = HeapAlloc(GetProcessHeap(), 0, numStrokes * sizeof(GdiPath*));
---
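
The pattern quoted in comment #1, as an added example that is not part of the bug thread and is not Wine's source: a pointer list that tracks capacity separately from length, so a zero initial count cannot yield a zero-byte block that the first store overruns. `stroke_list`, `requested_bytes` and the other names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for a list of stroke pointers (not Wine's GdiPath code). */
typedef struct {
    void **items;   /* heap block holding `cap` pointers */
    size_t len;     /* slots in use */
    size_t cap;     /* slots actually allocated */
} stroke_list;

/* Bytes requested by the quoted pattern: count * sizeof(pointer).
 * With count == 0 the block is 0 bytes, so even items[0] lies past its end. */
size_t requested_bytes(size_t count)
{
    return count * sizeof(void *);
}

/* Hardened init: never return a block that cannot hold one entry. */
int stroke_list_init(stroke_list *l, size_t initial)
{
    if (initial == 0) initial = 1;
    if (initial > SIZE_MAX / sizeof(void *)) return -1;  /* size overflow */
    l->items = malloc(initial * sizeof(void *));
    if (!l->items) return -1;
    l->len = 0;
    l->cap = initial;
    return 0;
}

/* Append grows the block before storing, so len can never pass cap. */
int stroke_list_append(stroke_list *l, void *stroke)
{
    if (l->len == l->cap) {
        if (l->cap > SIZE_MAX / sizeof(void *) / 2) return -1;
        void **grown = realloc(l->items, l->cap * 2 * sizeof(void *));
        if (!grown) return -1;   /* old block is still valid on failure */
        l->items = grown;
        l->cap *= 2;
    }
    l->items[l->len++] = stroke;
    return 0;
}

void stroke_list_free(stroke_list *l)
{
    free(l->items);
    l->items = NULL;
    l->len = l->cap = 0;
}
```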

http://bugs.winehq.org/show_bug.cgi?id=20850

Laurent Vromman <laurent(a)vromman.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |laurent(a)vromman.org

--- Comment #2 from Laurent Vromman <laurent(a)vromman.org> 2009-11-28 07:44:04 ---
My mistake...

I've written a correction. I just need to test it and make a clean patch. This will be done ASAP.

http://bugs.winehq.org/show_bug.cgi?id=20850

Dan Kegel <dank(a)kegel.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|wine-bugs(a)winehq.org      |laurent(a)vromman.org

--- Comment #3 from Dan Kegel <dank(a)kegel.com> 2009-11-28 11:00:59 ---
Laurent asked to be assigned...

http://bugs.winehq.org/show_bug.cgi?id=20850

Dan Kegel <dank(a)kegel.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wine-bugs(a)winehq.org

http://bugs.winehq.org/show_bug.cgi?id=20850

--- Comment #4 from Laurent Vromman <laurent(a)vromman.org> 2009-11-28 19:05:49 ---
Created an attachment (id=24997)
 --> (http://bugs.winehq.org/attachment.cgi?id=24997)
Proposed patch to correct the bug

This patch has been sent to wine-patches(a)winehq.org

http://bugs.winehq.org/show_bug.cgi?id=20850

--- Comment #5 from Juan Lang <juan_lang(a)yahoo.com> 2009-11-30 18:51:55 ---
Laurent, your patch was rejected. It looks like it might have been mangled by your email program, try attaching it as a text file and resending it.

http://bugs.winehq.org/show_bug.cgi?id=20850

--- Comment #6 from Dan Kegel <dank(a)kegel.com> 2009-11-30 18:54:35 ---
Laurent, it's ok, I'll send a patch. Thanks for your help!

http://bugs.winehq.org/show_bug.cgi?id=20850

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Nikolay Sivov <bunglehead(a)gmail.com> 2009-12-11 05:17:58 ---
This is fixed already by commit b5ca0a9c2a55b0420cda6cea931d1490eda66bb8.

http://bugs.winehq.org/show_bug.cgi?id=20850

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Alexandre Julliard <julliard(a)winehq.org> 2009-12-18 13:07:59 ---
Closing bugs fixed in 1.1.35.