https://bugs.winehq.org/show_bug.cgi?id=48245
Bug ID: 48245
Summary: wbemlocator parse_resource contains non-null terminated string, causing garbage output in trace logs
Product: Wine
Version: 4.21
Hardware: x86-64
OS: Linux
Status: NEW
Severity: trivial
Priority: P2
Component: wmi&wbemprox
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
found while investigating/relay tracing an app that makes use of WMI:
--- snip ---
...
004a:trace:wbemprox:wbem_locator_ConnectServer 0077F6A0, L"\\.\ROOT\CIMV2", (null), (null), (null), 0x00000000, (null), 00000000, 0146FE14)
004a:Call ntdll.RtlAllocateHeap(00110000,00000000,00000004) ret=6795ad1b
004a:trace:heap:RtlAllocateHeap (0x110000,70000062,00000004): returning 0x77cd30
004a:Ret ntdll.RtlAllocateHeap() retval=0077cd30 ret=6795ad1b
004a:Call msvcrt.memcpy(0077cd30,001f4ec8,00000002) ret=6795ad3b
004a:Ret msvcrt.memcpy() retval=0077cd30 ret=6795ad3b
004a:Call msvcrt._wcsnicmp(6796ab4c L"ROOT\3130\3332\3534\3736\3938\6261\6463\6665\6277\6d65\6c5f\636f\7461\726f\435f\6e6f\656e\7463\6553\7672\7265",001f4ecc L"ROOT\CIMV2",00000004) ret=6795b074
004a:Ret msvcrt._wcsnicmp() retval=00000000 ret=6795b074
004a:Call msvcrt._wcsicmp(001f4ed6 L"CIMV2",6796ab40 L"CIMV2") ret=6795aec0
004a:Ret msvcrt._wcsicmp() retval=00000000 ret=6795aec0
004a:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=6795af05
004a:trace:heap:RtlAllocateHeap (0x110000,70000062,0000000c): returning 0x1d3af0
004a:Ret ntdll.RtlAllocateHeap() retval=001d3af0 ret=6795af05
004a:Call msvcrt.memcpy(001d3af0,001f4ecc,0000000a) ret=6795af25
004a:Ret msvcrt.memcpy() retval=001d3af0 ret=6795af25
004a:Call msvcrt.wcscmp(0077cd30 L".",6796ab2c L".") ret=6795abe6
004a:Ret msvcrt.wcscmp() retval=00000000 ret=6795abe6
004a:trace:wbemprox:WbemServices_create (0146FE14)
...
--- snip ---
The trace log contains garbage characters because the string is not NULL terminated. Technically there is nothing wrong here - but still it would make the log output less suspicious (uninitialized/corrupted memory).
Wine source:
https://source.winehq.org/git/wine.git/blob/dba0dd41613a91f17142a9bd8ea12b5a...
--- snip ---
 99 static HRESULT parse_resource( const WCHAR *resource, WCHAR **server, WCHAR **namespace )
100 {
101     static const WCHAR rootW[] = {'R','O','O','T'};
102     static const WCHAR cimv2W[] = {'C','I','M','V','2',0};
103     static const WCHAR defaultW[] = {'D','E','F','A','U','L','T',0};
104     HRESULT hr = WBEM_E_INVALID_NAMESPACE;
105     const WCHAR *p, *q;
106     unsigned int len;
107
108     *server = NULL;
109     *namespace = NULL;
110     p = q = resource;
111     if (*p == '\\' || *p == '/')
112     {
113         p++;
114         if (*p == '\\' || *p == '/') p++;
115         if (!*p) return WBEM_E_INVALID_NAMESPACE;
116         if (*p == '\\' || *p == '/') return WBEM_E_INVALID_PARAMETER;
117         q = p + 1;
118         while (*q && *q != '\\' && *q != '/') q++;
119         if (!*q) return WBEM_E_INVALID_NAMESPACE;
120         len = q - p;
121         if (!(*server = heap_alloc( (len + 1) * sizeof(WCHAR) )))
122         {
123             hr = E_OUTOFMEMORY;
124             goto done;
125         }
126         memcpy( *server, p, len * sizeof(WCHAR) );
127         (*server)[len] = 0;
128         q++;
129     }
130     if (!*q) goto done;
131     p = q;
132     while (*q && *q != '\\' && *q != '/') q++;
133     len = q - p;
134     if (len >= ARRAY_SIZE( rootW ) && wcsnicmp( rootW, p, len )) goto done;
135     if (!*q)
...
158     return hr;
159 }
--- snip ---
Line 101 'rootW' causing garbage trace output in line 134.
$ wine --version
wine-4.21-183-gac24504034
Regards
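Added example, not part of the original report or of Wine's code: a C model of what the trace above shows, where a length-bounded compare is unaffected by the missing terminator but anything that formats the pointer as a string keeps reading into neighbouring data. The `WCHAR` typedef, the `rodata_model` buffer (its trailing words are the first four from the trace, with a zero appended to keep the model finite) and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint16_t WCHAR;  /* assumption: 16-bit wide character */

/* Constructed model of read-only data: the 4-element rootW from line 101,
 * followed by the first words the trace printed after "ROOT". */
static const WCHAR rodata_model[] = {
    'R','O','O','T',                   /* rootW, ARRAY_SIZE == 4, no terminator */
    0x3130, 0x3332, 0x3534, 0x3736,    /* neighbouring data, as seen in the trace */
    0                                  /* zero word added to end the model */
};
static const WCHAR root_terminated[] = {'R','O','O','T',0};

/* What a tracer does when it formats a pointer as a wide string:
 * walk to the first zero word, with no knowledge of the array bound. */
size_t traced_len(const WCHAR *s)
{
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* ASCII-only stand-in for a bounded case-insensitive compare: it never
 * looks past n elements, so it does not depend on a terminator. */
int bounded_ieq(const WCHAR *a, const WCHAR *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        WCHAR x = a[i], y = b[i];
        if (x >= 'a' && x <= 'z') x -= 32;
        if (y >= 'a' && y <= 'z') y -= 32;
        if (x != y) return 0;
        if (!x) break;                 /* both strings ended early */
    }
    return 1;
}

/* Split the words after `skip` into little-endian bytes, showing that the
 * "garbage" is ordinary 8-bit data that happens to follow the array. */
void neighbour_bytes(const WCHAR *s, size_t skip, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = skip; s[i] && o + 2 < out_size; i++) {
        out[o++] = (char)(s[i] & 0xff);
        out[o++] = (char)(s[i] >> 8);
    }
    out[o] = 0;
}
```

With the terminated array the tracer's view and the array bound agree, while the comparison result is the same for both variants.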
Anastasius Focht focht@gmx.net changed:
What          |Removed |Added
----------------------------------------------------------------------------
Resolution    |---     |FIXED
Fixed by SHA1 |        |76ee089aade14ddf833c4ef7c382c8d413664251
Status        |NEW     |RESOLVED

--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/76ee089aade14ddf833c4ef7c3... ("wbemprox: Use a terminated string in parse_resource.")
Thanks Hans.
Regards
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 5.0-rc1.