https://bugs.winehq.org/show_bug.cgi?id=37820
Bug ID: 37820
Summary: Import of registry files via builtin 'regedit' causes REG_SZ values with additional NULL terminator being written to registry
Product: Wine
Version: 1.7.33
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: programs
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
found while investigating bug 37818
After putting in a substitute for CLSID '{0003000D-0000-0000-C000-000000000046}' (Sound OLE1 class) into registry via .reg file import it still fails the same way.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Monopolie
$ WINEDEBUG=+tid,+seh,+relay,+ole,+variant,+ntdll,+reg,+server wine ./Monopolie\ 0.9.7.exe >>log.txt 2>&1
...
0009:Call ole32.OleLoad(0020bab8,73476c78,01149714,0033e6f4) ret=734aa991
0009:trace:ole:OleLoad (0x20bab8, {00000112-0000-0000-c000-000000000046}, 0x1149714, 0x33e6f4)
0009:trace:ole:CoCreateInstance (rclsid={0003000d-0000-0000-c000-000000000046}, pUnkOuter=(nil), dwClsContext=00000003, riid={00000112-0000-0000-c000-000000000046}, ppv=0x33e5fc)
0009:trace:ole:CoGetTreatAsClass ({0003000d-0000-0000-c000-000000000046},0x33e4e8)
0009:Call ntdll.RtlInitUnicodeString(0033e330,0033e382 L"CLSID\{0003000D-0000-0000-C000-000000000046}") ret=7e94c764
0009:Ret ntdll.RtlInitUnicodeString() retval=0033e330 ret=7e94c764
0009:Call ntdll.NtOpenKey(0033e37c,00020019,0033e338) ret=7e94c780
0009:trace:reg:NtOpenKey (0x6c,L"CLSID\{0003000D-0000-0000-C000-000000000046}",20019,0x33e37c)
0009: open_key( parent=006c, access=00020019, attributes=00000000, name=L"CLSID\{0003000D-0000-0000-C000-000000000046}" )
0009: open_key() = 0 { hkey=00a0 }
0009:trace:reg:NtOpenKey <- 0xa0
0009:Ret ntdll.NtOpenKey() retval=00000000 ret=7e94c780
0009:Call ntdll.RtlNtStatusToDosError(00000000) ret=7e94c78b
0009:Ret ntdll.RtlNtStatusToDosError() retval=00000000 ret=7e94c78b
0009:Call ntdll.RtlInitUnicodeString(0033e330,7ea301f4 L"TreatAs") ret=7e94c764
0009:Ret ntdll.RtlInitUnicodeString() retval=0033e330 ret=7e94c764
0009:Call ntdll.NtOpenKey(0033e468,00020019,0033e338) ret=7e94c780
0009:trace:reg:NtOpenKey (0xa0,L"TreatAs",20019,0x33e468)
0009: open_key( parent=00a0, access=00020019, attributes=00000000, name=L"TreatAs" )
0009: open_key() = 0 { hkey=00a4 }
0009:trace:reg:NtOpenKey <- 0xa4
0009:Ret ntdll.NtOpenKey() retval=00000000 ret=7e94c780
0009:Call ntdll.RtlNtStatusToDosError(00000000) ret=7e94c78b
0009:Ret ntdll.RtlNtStatusToDosError() retval=00000000 ret=7e94c78b
0009:Call advapi32.RegCloseKey(000000a0) ret=7e9511f9
0009: close_handle( handle=00a0 )
0009: close_handle() = 0
0009:Ret advapi32.RegCloseKey() retval=00000000 ret=7e9511f9
0009:Call advapi32.RegQueryValueW(000000a4,00000000,0033e41a,0033e414) ret=7e9542a8
0009:trace:reg:RegQueryValueW (0xa4,(null),0x33e41a,78)
0009:trace:reg:RegQueryValueExW (0xa4,(null),(nil),(nil),0x33e41a,0x33e414=78)
0009:trace:reg:NtQueryValueKey (0xa4,(null),2,0x33e1fc,90)
0009: get_key_value( hkey=00a4, name=L"" )
0009: get_key_value() = 0 { type=1, total=80, data={7b,00,46,00,32,00,30,00,44,00,41,00,37,00,32,00,30,00,2d,00,43,00,30,00,32,00,46,00,2d,00,31,00,31,00,43,00,45,00,2d,00,39,00,32,00,37,00,42,00,2d,00,30,00,38,00,30,00,30,00,30,00,39,00,35,00,41,00,45,00,33,00,34,00,30,00,7d,00,00,00} }
0009:Ret advapi32.RegQueryValueW() retval=000000ea ret=7e9542a8
0009:Call advapi32.RegCloseKey(000000a4) ret=7e954347
0009: close_handle( handle=00a4 )
0009: close_handle() = 0
0009:Ret advapi32.RegCloseKey() retval=00000000 ret=7e954347
0009:trace:ole:CoGetClassObject CLSID: {0003000d-0000-0000-c000-000000000046},IID: {00000001-0000-0000-c000-000000000046}
...
--- snip ---
The caller reads the CLSID value using a buffer of 78 bytes, which is CHARS_IN_GUID (39), including NULL terminator.
Surprisingly wineserver returned "2 more bytes available" (essentially another NULL terminator) -> STATUS_BUFFER_OVERFLOW.
Directly looking at the registry hive data reveals the problem:
--- snip ---
$ grep -A2 "{0003000D-0000-0000-C000-000000000046}" system.reg
[Software\Classes\CLSID\{0003000D-0000-0000-C000-000000000046}] 1420142748
@="Sound\0"

[Software\Classes\CLSID\{0003000D-0000-0000-C000-000000000046}\NotInsertable] 1420142748

[Software\Classes\CLSID\{0003000D-0000-0000-C000-000000000046}\TreatAs] 1420142748
@="{F20DA720-C02F-11CE-927B-0800095AE340}\0"
--- snip ---
Upon import with 'regedit', REG_SZ values got another NULL terminator besides the "builtin" one appended, causing breakage later.
--- snip ---
...
0009:Call advapi32.RegCreateKeyExW(80000000,0011936e L"CLSID\{0003000D-0000-0000-C000-000000000046}\TreatAs",00000000,00000000,00000000,000f003f,00000000,7ed85c3c,0033f660) ret=7ed2021d
0009:trace:reg:NtCreateKey (0x24,L"CLSID\{0003000D-0000-0000-C000-000000000046}\TreatAs",(null),0,f003f,0x7ed85c3c)
0009: create_key( parent=0024, access=000f003f, attributes=00000000, options=00000000, namelen=104, name=L"CLSID\{0003000D-0000-0000-C000-000000000046}\TreatAs", class=L"" )
0009: create_key() = 0 { hkey=0028, created=1 }
0009:trace:reg:NtCreateKey <- 0x28
...
0009:Call ntdll.strpbrk(0011ebf8 "@="{F20DA720-C02F-11CE-927B-0800095AE340}"\r\n",7ed260db "\r\n") ret=7ed20b14
0009:Ret ntdll.strpbrk() retval=0011ec22 ret=7ed20b14
0009:Call msvcrt.feof(7ec8e440) ret=7ed20b22
0009:Ret msvcrt.feof() retval=00000000 ret=7ed20b22
0009:Call KERNEL32.MultiByteToWideChar(00000000,00000000,0011ebf8 "@="{F20DA720-C02F-11CE-927B-0800095AE340}"",ffffffff,00000000,00000000) ret=7ed1f423
0009:Ret KERNEL32.MultiByteToWideChar() retval=0000002b ret=7ed1f423
0009:Call ntdll.RtlAllocateHeap(00110000,00000000,00000056) ret=7ed1f452
0009:Ret ntdll.RtlAllocateHeap() retval=00119348 ret=7ed1f452
0009:Call KERNEL32.MultiByteToWideChar(00000000,00000000,0011ebf8 "@="{F20DA720-C02F-11CE-927B-0800095AE340}"",ffffffff,00119348,0000002b) ret=7ed1f4d2
0009:Ret KERNEL32.MultiByteToWideChar() retval=0000002b ret=7ed1f4d2
0009:Call KERNEL32.lstrcmpW(0011934c L""{F20DA720-C02F-11CE-927B-0800095AE340}"",0033f5d8 L"-") ret=7ed1ff56
0009:Ret KERNEL32.lstrcmpW() retval=00000001 ret=7ed1ff56
0009:Call advapi32.RegSetValueExW(00000028,00119348 L"",00000000,00000001,0011934e,00000050) ret=7ed2014b
0009:trace:reg:NtSetValueKey (0x28,L"",1,0x11934e,80)
0009: set_key_value( hkey=0028, type=1, namelen=0, name=L"", data={7b,00,46,00,32,00,30,00,44,00,41,00,37,00,32,00,30,00,2d,00,43,00,30,00,32,00,46,00,2d,00,31,00,31,00,43,00,45,00,2d,00,39,00,32,00,37,00,42,00,2d,00,30,00,38,00,30,00,30,00,30,00,39,00,35,00,41,00,45,00,33,00,34,00,30,00,7d,00,00,00,00,00} )
0009: set_key_value() = 0
0009:Ret advapi32.RegSetValueExW() retval=00000000 ret=7ed2014b
--- snip ---
Source: http://source.winehq.org/git/wine.git/blob/fb37d215cd31bcd0adafa87c1d216027c...
Likely the result of http://source.winehq.org/git/wine.git/commitdiff/c35bca6561a0150425a1838d467... and probably not intended.
$ sha1sum monopolie0.9.7-installer.exe
b7cff9b04b11c55b5d1fa4cddb2f0914f61b6653  monopolie0.9.7-installer.exe

$ du -sh monopolie0.9.7-installer.exe
1.7M    monopolie0.9.7-installer.exe

$ wine --version
wine-1.7.33-117-g6bab173
Regards
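
Added example, not part of the original report and not Wine's code: a simplified, portable C model of the size mismatch shown in the traces above, where a REG_SZ stored with 80 bytes no longer fits a 78-byte CHARS_IN_GUID buffer. The function names and the query model are assumptions for illustration (the real NtQueryValueKey path differs in detail); the GUID, the byte counts and the 0xea return value come from the traces.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHARS_IN_GUID   39   /* 38 characters plus one terminator, as in the report */
#define ERROR_SUCCESS   0
#define ERROR_MORE_DATA 234  /* 0xea, the RegQueryValueW return value in the trace */

/* Number of UTF-16 units before the first NUL. */
static size_t wlen(const uint16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Byte count for a REG_SZ that stores exactly one terminator. */
size_t reg_sz_bytes(const uint16_t *s) { return (wlen(s) + 1) * sizeof(uint16_t); }

/* Redundant trailing NUL units in stored REG_SZ data (0 means at most one terminator). */
size_t extra_terminators(const uint16_t *data, size_t bytes)
{
    size_t units = bytes / sizeof(uint16_t), nuls = 0;
    while (nuls < units && data[units - 1 - nuls] == 0) nuls++;
    return nuls > 1 ? nuls - 1 : 0;
}

/* Simplified model of a fixed-buffer query: the stored size decides the
 * outcome, not the visible text, so one extra NUL is enough to fail. */
int query_fixed(const uint16_t *data, size_t stored, uint16_t *buf, size_t buf_bytes)
{
    if (stored > buf_bytes) return ERROR_MORE_DATA;
    memcpy(buf, data, stored);
    return ERROR_SUCCESS;
}

/* Constructed sample: widen the TreatAs GUID from the report into a zero-filled
 * buffer (cap must be at least CHARS_IN_GUID + 1 units) and return the
 * correctly terminated byte count. */
size_t make_sample(uint16_t *out, size_t cap)
{
    static const char guid[] = "{F20DA720-C02F-11CE-927B-0800095AE340}";
    memset(out, 0, cap * sizeof(uint16_t));
    for (size_t i = 0; guid[i]; i++) out[i] = (uint16_t)guid[i];
    return reg_sz_bytes(out);
}
```

Running extra_terminators() over data read back after a .reg import is a quick regression check for this bug: any non-zero result on a REG_SZ value means the importer counted the terminator twice.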