http://bugs.winehq.org/show_bug.cgi?id=30418
Bug #: 30418
Summary: regedit crash on export some binary values
Product: Wine
Version: 1.5.1
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: programs
AssignedTo: wine-bugs@winehq.org
ReportedBy: basinilya@gmail.com
Classification: Unclassified
I have a key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\HDA Intel\Master (see attached file) and when I try to export it, regedit crashes.

The crash happens in REGPROC_write_line() when it tries to write the binary value and says something about the heap (see attached output.txt).

I checked with winedbg where exactly the heap corrupts:

    REGPROC_export_binary(...)
    {
        ...
        lstrcpyW(*line_buf + data_pos, newline);   <-- here
        HeapFree(GetProcessHeap(), 0, value_multibyte);
    }
    [il@il wine]$ ./wine winedbg --gdb regedit.exe
    ...
    Wine-gdb> b regproc.c:1054
    Breakpoint 1 at 0x7ebc5a65: file regproc.c, line 1054.
    Wine-gdb> cont
    Continuing.

    Breakpoint 1, REGPROC_export_binary (line_buf=0x33e044, line_buf_size=0x33e034, line_len=0x33df78, type=3, value=0x17e3f0 "", value_size=1848, unicode=0) at regproc.c:1054
    1054            lstrcpyW(*line_buf + data_pos, newline);
    Wine-gdb> list
    1049                    data_pos += concat_len;
    1050                    column = concat_prefix;
    1051                }
    1052            }
    1053        }
    1054        lstrcpyW(*line_buf + data_pos, newline);
    1055        HeapFree(GetProcessHeap(), 0, value_multibyte);
    1056    }
    1057
    1058    /******************************************************************************
    Wine-gdb> call HeapAlloc(GetProcessHeap(), 0, 8192)
    $1 = (void *) 0x182258
    Wine-gdb> call HeapFree(GetProcessHeap(), 0, $)
    $2 = 1
    Wine-gdb> n
    1055        HeapFree(GetProcessHeap(), 0, value_multibyte);
    Wine-gdb> call HeapAlloc(GetProcessHeap(), 0, 8192)

    Program received signal SIGSEGV, Segmentation fault.
    0x7bc480d3 in HEAP_CreateFreeBlock (subheap=0x110014, ptr=0x184258, size=581640) at heap.c:590
    590         (*(DWORD *)((char *)ptr + size) & ARENA_FLAG_FREE))
    The program being debugged was signaled while in a function called from GDB.
    GDB remains in the frame where the signal was received.
    To change this behavior use "set unwindonsignal on".
    Evaluation of the expression containing the function
    (HeapAlloc) will be abandoned.
    When the function is done executing, GDB will silently stop.
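The debugger session above isolates the heap corruption to a bare lstrcpyW() of the newline into the heap-allocated line buffer, the classic shape of an append that is not preceded by a capacity check. The following is an added example and is not Wine's regproc.c: it renders a REG_BINARY value in .reg "hex:" syntax through a small growable buffer in which every append, the trailing newline included, reserves room before it copies. The type and function names (line_t, line_reserve, line_append, export_binary_string, export_matches, export_len_zeros), the per_line wrap parameter and the sample bytes are constructed for the illustration, and it uses plain char instead of WCHAR so it builds anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable line buffer, a plain-char stand-in for the line_buf/line_buf_size/
 * line_len triple visible in the REGPROC_export_binary frame (hypothetical type). */
typedef struct {
    char  *buf;   /* heap allocation */
    size_t size;  /* capacity in bytes, including room for the NUL */
    size_t len;   /* bytes in use, excluding the NUL */
} line_t;

/* Make sure `extra` more bytes plus the terminating NUL fit. Every append goes
 * through here, so no copy can run past the allocation. Returns 0 on OOM. */
static int line_reserve(line_t *l, size_t extra)
{
    size_t need = l->len + extra + 1, new_size;
    char *p;
    if (need <= l->size) return 1;
    new_size = l->size ? l->size : 64;
    while (new_size < need) new_size *= 2;
    p = realloc(l->buf, new_size);
    if (!p) return 0;
    l->buf = p;
    l->size = new_size;
    return 1;
}

/* Append a NUL-terminated string. The capacity check precedes the copy, which is
 * exactly the invariant an unchecked lstrcpyW(*line_buf + data_pos, newline) lacks. */
static int line_append(line_t *l, const char *s)
{
    size_t n = strlen(s);
    if (!line_reserve(l, n)) return 0;
    memcpy(l->buf + l->len, s, n + 1);
    l->len += n;
    return 1;
}

/* Render a REG_BINARY value in .reg syntax: "hex:" then comma-separated bytes,
 * a backslash continuation plus two-space indent after every `per_line` bytes
 * (0 = never wrap), and the newline appended last. Returns a malloc'd string,
 * or NULL on allocation failure. */
static char *export_binary_string(const unsigned char *value, size_t value_size, size_t per_line)
{
    line_t l = { NULL, 0, 0 };
    char hex[3];
    size_t i;
    int ok = line_append(&l, "hex:");
    for (i = 0; ok && i < value_size; i++) {
        snprintf(hex, sizeof hex, "%02x", value[i]);
        ok = line_append(&l, hex);
        if (ok && i + 1 < value_size) ok = line_append(&l, ",");
        if (ok && per_line && i + 1 < value_size && (i + 1) % per_line == 0)
            ok = line_append(&l, "\\\n  ");
    }
    /* The newline is reserved like every other piece; it cannot overrun the buffer. */
    if (ok) ok = line_append(&l, "\n");
    if (!ok) { free(l.buf); return NULL; }
    return l.buf;
}

/* Check helper: 1 when the rendered value equals `expected`. */
static int export_matches(const unsigned char *value, size_t n, size_t per_line, const char *expected)
{
    char *s = export_binary_string(value, n, per_line);
    int eq = s && strcmp(s, expected) == 0;
    free(s);
    return eq;
}

/* Check helper: rendered length for a zero-filled value of `n` bytes, 0 on failure. */
static size_t export_len_zeros(size_t n, size_t per_line)
{
    unsigned char *z = calloc(n ? n : 1, 1);
    char *s = z ? export_binary_string(z, n, per_line) : NULL;
    size_t len = s ? strlen(s) : 0;
    free(s);
    free(z);
    return len;
}

int main(void)
{
    /* Constructed sample; the report's real 1848-byte value lives in the attachment. */
    unsigned char sample[] = { 0x01, 0x02, 0x03, 0xff };
    char *s = export_binary_string(sample, sizeof sample, 2);
    if (!s) return 1;
    fputs(s, stdout);
    free(s);
    return 0;
}
```

The point of the structure is that the buffer's capacity and the write are handled by the same function, so a later edit that adds another fragment (a longer prefix, a different continuation string) cannot silently push the last copy past the end of the allocation; a heap checker such as the HeapAlloc probe used in the session above then has nothing to trip over.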