http://bugs.winehq.org/show_bug.cgi?id=20918
Juan Lang juan_lang@yahoo.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID
--- Comment #1 from Juan Lang juan_lang@yahoo.com 2009-12-06 17:42:55 --- That's correct, this appears to be invalid. For example,
Invalid read of size 4 at CryptSetKeyParam (crypt.c:1961) by test_incorrect_api_usage (crypt.c:250)
advapi32/crypt.c, line 1961: if (!key || !pbData || !key->pProvider || key->pProvider->dwMagic != MAGIC_CRYPTPROV)
That is, it dereferences key. advapi32/tests/crypt.c, lines leading up to 250: result = pCryptDestroyKey(hKey2); ok (result, "%d\n", GetLastError());
dwTemp = CRYPT_MODE_ECB; result = pCryptSetKeyParam(hKey2, KP_MODE, (BYTE*)&dwTemp, sizeof(DWORD));
That is, the key has been destroyed just prior to calling CryptSetKeyParam on it. Finally, in CryptDestroyKey: ret = prov->pFuncs->pCPDestroyKey(prov->hPrivate, key->hPrivate); CRYPT_Free(key);
key is a pointer, rather than a handle, and it's been freed. So the read is invalid, as expected.