http://bugs.winehq.org/show_bug.cgi?id=20841
Summary: Read buffer overflow in test_GetSidSubAuthority?
Product: Wine
Version: 1.1.33
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: download, source, testcase
Severity: normal
Priority: P2
Component: advapi32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
CC: xerox_xerox2000@yahoo.co.uk
http://kegel.com/wine/valgrind/logs/2009-11-26-06.08/vg-advapi32_security.tx... complains

Invalid read of size 4
   at test_GetSidSubAuthority (security.c:3212)
 Address 0x7f037878 is 0 bytes after a block of size 24 alloc'd
   at notify_alloc (heap.c:247)
   by RtlAllocateHeap (heap.c:1695)
   by HeapAlloc (heap.c:276)
   by GlobalAlloc (heap.c:369)
   by LocalAlloc (heap.c:969)
   by ConvertStringSidToSidW (security.c:4857)
   by ConvertStringSidToSidA (security.c:4885)
   by test_GetSidSubAuthority (security.c:3200)
The code in question is:

3200     ok(pConvertStringSidToSidA("S-1-5-21-93476-23408-4576",&psid),"ConvertStringSidToSidA failed\n");
...
3203     ok(*pGetSidSubAuthorityCount(psid) == 4,"GetSidSubAuthorityCount gave %d expected 4\n",*pGetSidSubAuthorityCount(psid));
...
3212     todo_wine ok(*pGetSidSubAuthority(psid,4) == 0,"GetSidSubAuthority gave %d,expected 0\n",*pGetSidSubAuthority(psid,4));
http://support.microsoft.com/kb/286182 makes me think the 2nd arg to GetSidSubAuthority is zero-based, so it seems like that test is overrunning the buffer, and line 3212 should be deleted. What say?
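To make the arithmetic behind the valgrind report concrete, here is an added example that is not Wine's code and not part of the original report. It reconstructs the SID layout the report is talking about (an assumption about the structure: 1-byte revision, 1-byte sub-authority count, 6-byte identifier authority, then one 32-bit word per sub-authority), parses the test's string SID into a block sized exactly for its sub-authorities, and shows why index 4 on a 4-sub-authority SID lands exactly "0 bytes after a block of size 24". The helper names (string_sid_to_sid, sid_sub_authority, sid_sub_authority_offset) are hypothetical stand-ins for ConvertStringSidToSidA and GetSidSubAuthority, with a bounds check added that the real API does not perform.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed SID layout: 8 header bytes followed by SubAuthorityCount 32-bit
 * words. This is a reconstruction for the example, not Wine's definition. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[];          /* exactly SubAuthorityCount entries */
} SID;

#define SID_HEADER_SIZE         8u
#define SID_MAX_SUB_AUTHORITIES 15u

/* Bytes needed for a SID with n sub-authorities: 8 + 4*n (4 -> 24). */
size_t sid_size(unsigned n) { return SID_HEADER_SIZE + 4u * n; }

/* Byte offset an unchecked GetSidSubAuthority(sid, index) would read from.
 * For index == SubAuthorityCount this equals sid_size(count): the first byte
 * past the allocation, which is what valgrind flagged. */
size_t sid_sub_authority_offset(unsigned index) { return SID_HEADER_SIZE + 4u * index; }

/* Hypothetical stand-in for ConvertStringSidToSidA: parses "S-R-A-s0-s1-..."
 * into a heap block sized exactly for its sub-authorities. Returns NULL on
 * malformed input; *size_out receives the allocation size. */
SID *string_sid_to_sid(const char *s, size_t *size_out)
{
    char *end;
    uint32_t subs[SID_MAX_SUB_AUTHORITIES];
    unsigned count = 0;

    if (strncmp(s, "S-", 2) != 0 || !isdigit((unsigned char)s[2])) return NULL;
    s += 2;
    unsigned long rev = strtoul(s, &end, 10);
    if (*end != '-' || rev == 0 || rev > 255 || !isdigit((unsigned char)end[1])) return NULL;
    s = end + 1;
    unsigned long long auth = strtoull(s, &end, 10);
    if (auth > 0xffffffffffffULL) return NULL;     /* 48-bit identifier authority */
    s = end;
    while (*s == '-') {
        if (count == SID_MAX_SUB_AUTHORITIES || !isdigit((unsigned char)s[1])) return NULL;
        unsigned long v = strtoul(s + 1, &end, 10);
        if (v > 0xffffffffUL) return NULL;
        subs[count++] = (uint32_t)v;
        s = end;
    }
    if (*s != '\0') return NULL;

    size_t size = sid_size(count);
    SID *sid = calloc(1, size);
    if (!sid) return NULL;
    sid->Revision = (uint8_t)rev;
    sid->SubAuthorityCount = (uint8_t)count;
    for (int i = 0; i < 6; i++)                     /* big-endian 6-byte authority */
        sid->IdentifierAuthority[i] = (uint8_t)(auth >> (8 * (5 - i)));
    memcpy(sid->SubAuthority, subs, 4u * count);
    if (size_out) *size_out = size;
    return sid;
}

/* Zero-based lookup with the bounds check the real API lacks: valid indices
 * are 0 .. SubAuthorityCount-1, anything else returns NULL instead of reading
 * past the end of the block. */
uint32_t *sid_sub_authority(SID *sid, unsigned index)
{
    if (index >= sid->SubAuthorityCount) return NULL;
    return &sid->SubAuthority[index];
}

int main(void)
{
    size_t size;
    SID *sid = string_sid_to_sid("S-1-5-21-93476-23408-4576", &size);
    if (!sid) return 1;
    printf("SID block is %zu bytes, %u sub-authorities\n", size, sid->SubAuthorityCount);
    /* Walk one index past the count to show where the test's index 4 lands. */
    for (unsigned i = 0; i <= sid->SubAuthorityCount; i++) {
        uint32_t *p = sid_sub_authority(sid, i);
        if (p)
            printf("index %u -> %u (offset %zu)\n", i, *p, sid_sub_authority_offset(i));
        else
            printf("index %u -> rejected: offset %zu is the end of the %zu-byte block\n",
                   i, sid_sub_authority_offset(i), size);
    }
    free(sid);
    return 0;
}
```

Running it shows indices 0..3 mapping to 21, 93476, 23408 and 4576 at offsets 8..20, and index 4 rejected at offset 24, the exact size of the block. That is the read the valgrind log reports for line 3212, and it is independent of whether the stray word happens to contain 0.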