http://bugs.winehq.org/show_bug.cgi?id=10649
Summary: Regression in RegQueryValueExA when called in unorthodox manner
Product: Wine
Version: CVS/GIT
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: trivial
Priority: P5
Component: wine-advapi32
AssignedTo: wine-bugs@winehq.org
ReportedBy: samuel.howard.dennis@gmail.com
commit bc590e87a6f9c7421ec3386a7c09a63a3e55dead (16/08/2006, Robert Shearman, affects advapi) caused a regression in one of my own programs in which I'd used an unusual calling convention for RegQueryValueEx, being this:
    char buf[16]; /* or 1 in the particular call that was failing */
    DWORD count = sizeof buf;
    LONG ret;
    /* the same variable is passed as both the lpType and the lpcbData argument */
    ret = RegQueryValueEx(hkey, "ValueName", NULL, &count, buf, &count);
    /* value left in count is never checked */
This works under real Windows (9x at least; I never ran the program on installs of later Windows versions), but WINE does this before retrieving the value:

    if (type) *type = REG_NONE;
...which sets count to 0 since I pass the same address for both type and count in the call; this value is later used to determine the buffer size and triggers an overflow error.
I am having trouble understanding the precise intent of the troublesome line (when is *type supposed to be set to REG_NONE? On any error? On any error other than buffer overflow? The last is the current WINE behaviour, as *type is unconditionally set again after copying the data), but clearly, in genuine Windows, either the assignments happen only after all processing, or *count is read early and that value is used throughout the function.
I don't know which fix is appropriate, and I am not sure how this case behaves across different versions of Windows, so I'm submitting this bug instead of a patch. It is trivial to fix either way.
There is also the issue of which value (type or count) is left in the single variable after the call, but calling this way and then checking that is even more perverse, and probably nobody has ever done it.
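As an added illustration (not code from the report or from Wine), the following C model reproduces the two orderings the report contrasts: one that writes *type before reading *count, and one that snapshots *count first. The stored value and the function names are constructed for the demo; the Win32 constants match their header values.

```c
/* Added example, not Wine's code: a minimal model of the two orderings the
 * report discusses, showing why aliasing type and count fails.  The Win32
 * constants below match their header values; the stored value is made up. */
#include <string.h>

typedef unsigned long DWORD;
typedef long LONG;
#define ERROR_SUCCESS   0L
#define ERROR_MORE_DATA 234L
#define REG_NONE        0
#define REG_SZ          1

static const char stored_value[] = "hello";   /* constructed registry data */

/* Post-regression ordering: *type is written before *count is read, so an
 * aliased caller sees its own buffer size clobbered to 0. */
static LONG query_type_first(DWORD *type, char *buf, DWORD *count)
{
    if (type) *type = REG_NONE;             /* the line quoted in the report */
    /* reads 0 when count and type point at the same variable */
    if (*count < sizeof stored_value) { *count = sizeof stored_value; return ERROR_MORE_DATA; }
    memcpy(buf, stored_value, sizeof stored_value);
    *count = sizeof stored_value;
    if (type) *type = REG_SZ;
    return ERROR_SUCCESS;
}

/* Ordering the reporter describes for Windows: snapshot *count before any
 * output is written, and write outputs only after the checks pass. */
static LONG query_count_first(DWORD *type, char *buf, DWORD *count)
{
    DWORD avail = *count;                   /* read once, up front */
    if (avail < sizeof stored_value) { *count = sizeof stored_value; return ERROR_MORE_DATA; }
    memcpy(buf, stored_value, sizeof stored_value);
    *count = sizeof stored_value;
    if (type) *type = REG_SZ;
    return ERROR_SUCCESS;
}

/* The reporter's call shape: one variable passed as both type and count. */
static LONG aliased_call(LONG (*fn)(DWORD *, char *, DWORD *), DWORD bufsize)
{
    char buf[16];
    DWORD count = bufsize;                  /* 16, or 1 in the failing call */
    return fn(&count, buf, &count);
}
```

With a 16-byte buffer the type-first ordering reports ERROR_MORE_DATA for a 6-byte value, while the count-first ordering succeeds; a genuinely too-small buffer still fails in both.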