[Bug 20920] New: Regression - read buffer overflow in StorageImpl_Construct in many msi tests
http://bugs.winehq.org/show_bug.cgi?id=20920

           Summary: Regression - read buffer overflow in StorageImpl_Construct in many msi tests
           Product: Wine
           Version: 1.1.34
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ole32
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: dank(a)kegel.com

http://kegel.com/wine/valgrind/logs/2009-12-04-18.45/diff-msi_msi.txt
http://kegel.com/wine/valgrind/logs/2009-12-04-18.45/vg-msi_msi.txt
and the rest of the msi logs for today show a regression like this:

 Invalid read of size 1
    at memcpy (mc_replace_strmem.c:482)
    by StorageImpl_Construct (storage32.c:2280)
    by StgCreateDocfile (storage32.c:5696)
    by MSI_OpenDatabaseW (database.c:121)
    by MsiOpenDatabaseW (database.c:228)
    by MsiOpenDatabaseA (database.c:263)
    by create_package_db (msi.c:150)
    by test_MsiOpenProduct (msi.c:7194)
  Address 0x7f0459a2 is 0 bytes after a block of size 26 alloc'd
    at notify_alloc (heap.c:247)
    by RtlAllocateHeap (heap.c:1697)
    by msi_alloc (msipriv.h:1078)
    by strdupAtoW (msipriv.h:1124)
    by MsiOpenDatabaseA (database.c:249)
    by create_package_db (msi.c:150)
    by test_MsiOpenProduct (msi.c:7194)

Did today's ole32 storage changes introduce it?

This change looks like it's related:
http://www.winehq.org/pipermail/wine-cvs/2009-December/062265.html

@@ -2295,6 +2271,9 @@ static HRESULT StorageImpl_Construct( goto end; } strcpyW(This->pwcsName, pwcsName); + + memcpy(This->base.filename, pwcsName, DIRENTRY_NAME_BUFFER_LEN-1); + This->base.filename[DIRENTRY_NAME_BUFFER_LEN-1] = 0;

--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
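
Review bot: The memcpy added after strcpyW always reads DIRENTRY_NAME_BUFFER_LEN-1 bytes from pwcsName, whatever the length of the caller's string, so a name shorter than that is read past its end; this matches the Valgrind report above of an invalid read 0 bytes after a 26-byte block allocated by strdupAtoW. Copy only up to the source terminator with a length-bounded string copy, for example lstrcpynW(This->base.filename, pwcsName, DIRENTRY_NAME_BUFFER_LEN), which also writes the terminator and makes the following line unnecessary. Separately, pwcsName is a wide string (it is passed to strcpyW on the line above), while the memcpy count is in bytes and the index on the next line is in elements; if filename is a WCHAR array the two lengths disagree, so use one unit throughout.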

http://bugs.winehq.org/show_bug.cgi?id=20920

Dmitry Timoshkov <dmitry(a)codeweavers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |regression
            Summary|Regression - read buffer    |Read buffer overflow in
                   |overflow in                 |StorageImpl_Construct in
                   |StorageImpl_Construct in    |many msi tests
                   |many msi tests              |

http://bugs.winehq.org/show_bug.cgi?id=20920

Vincent Povirk <madewokherd(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|wine-bugs(a)winehq.org      |madewokherd(a)gmail.com

--- Comment #1 from Vincent Povirk <madewokherd(a)gmail.com> 2009-12-05 04:50:27 ---
Yep, that probably needs an lstrcpynW.
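
The difference between the fixed-length copy in the report and the bounded copy comment #1 points to, as an added example (not Wine's code and not the fix that was committed). `wchar16`, `NAME_BUF_LEN`, `SAMPLE`, `overread` and `bounded_copy` are constructed for illustration; `bounded_copy` is a portable stand-in with lstrcpynW-like semantics.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t wchar16;   /* assumption: stand-in for a 16-bit WCHAR */
#define NAME_BUF_LEN 32     /* assumption: destination size in elements */

/* Constructed sample: 12 characters + terminator = 13 elements = 26 bytes,
 * the same size as the source block in the Valgrind report. */
static const wchar16 SAMPLE[13] =
    {'w','i','n','e','t','e','s','t','.','m','s','i',0};
static wchar16 name_buf[NAME_BUF_LEN];

/* Bytes a fixed-length memcpy(dst, src, copy_bytes) reads beyond a source
 * allocation of alloc_bytes; 0 when the copy stays inside it. */
static size_t overread(size_t alloc_bytes, size_t copy_bytes)
{
    return copy_bytes > alloc_bytes ? copy_bytes - alloc_bytes : 0;
}

/* Bounded copy with lstrcpynW-like semantics: copy at most dst_len-1
 * elements, stop at the source terminator, always terminate dst.
 * Returns how many source elements were read, so the caller can see
 * that the read never goes past the terminator. */
static size_t bounded_copy(wchar16 *dst, const wchar16 *src, size_t dst_len)
{
    size_t i = 0;
    if (dst_len == 0) return 0;
    while (i < dst_len - 1 && src[i] != 0) {
        dst[i] = src[i];
        i++;
    }
    dst[i] = 0;
    /* The terminator at src[i] was read only if the loop ended on it. */
    return i < dst_len - 1 ? i + 1 : i;
}

int main(void)
{
    printf("fixed-length copy over-reads %zu bytes\n",
           overread(sizeof SAMPLE, NAME_BUF_LEN - 1));
    printf("bounded copy reads %zu of %zu source elements\n",
           bounded_copy(name_buf, SAMPLE, NAME_BUF_LEN),
           sizeof SAMPLE / sizeof SAMPLE[0]);
    printf("truncating copy reads %zu elements\n",
           bounded_copy(name_buf, SAMPLE, 8));
    return 0;
}
```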

http://bugs.winehq.org/show_bug.cgi?id=20920

Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, source, testcase

http://bugs.winehq.org/show_bug.cgi?id=20920

--- Comment #2 from Dan Kegel <dank(a)kegel.com> 2009-12-06 09:37:46 ---
http://www.winehq.org/pipermail/wine-patches/2009-December/082318.html
looks like a fix. I haven't tried it myself yet.

http://bugs.winehq.org/show_bug.cgi?id=20920

Vincent Povirk <madewokherd(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|madewokherd(a)gmail.com     |wine-bugs(a)winehq.org

--- Comment #3 from Vincent Povirk <madewokherd(a)gmail.com> 2009-12-08 09:23:29 ---
This should be fixed now.

http://bugs.winehq.org/show_bug.cgi?id=20920

Vincent Povirk <madewokherd(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Vincent Povirk <madewokherd(a)gmail.com> 2009-12-09 23:56:55 ---
I'm told this particular error is no longer showing up. (Although there are
some other interesting warnings in storage32.)

http://bugs.winehq.org/show_bug.cgi?id=20920

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Alexandre Julliard <julliard(a)winehq.org> 2009-12-18 13:08:03 ---
Closing bugs fixed in 1.1.35.