http://bugs.winehq.org/show_bug.cgi?id=20760
Summary: Write buffer overrun in CreateFileMoniker()
Product: Wine
Version: 1.1.33
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: source, testcase
Severity: normal
Priority: P2
Component: ole32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/diff-hlink_hlink.txt
http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/vg-hlink_hlink.txt
shows a new error thanks to the heap tail check.
Looks like a level-of-indirection-during-allocation error,
  1039 strgtable = CoTaskMemAlloc(len*sizeof(WCHAR));
should be
  1039 strgtable = CoTaskMemAlloc(len*sizeof(WCHAR *));
Ulrich, you were in there last, could you have a look?
Invalid write of size 4
   at FileMonikerImpl_DecomposePath (filemoniker.c:1056)
   by FileMonikerImpl_Construct (filemoniker.c:1375)
   by CreateFileMoniker (filemoniker.c:1443)
   by FileMoniker_CreateFromDisplayName (filemoniker.c:1484)
   by MkParseDisplayName (moniker.c:1130)
   by HlinkCreateFromString (hlink_main.c:124)
   by test_persist (hlink.c:479)
   by func_hlink (hlink.c:1122)
   by run_test (test.h:535)
   by main (test.h:585)
 Address 0x7f04416c is 4 bytes inside a block of size 6 alloc'd
   at notify_alloc (heap.c:279)
   by RtlAllocateHeap (heap.c:1521)
   by IMalloc_fnAlloc (ifs.c:186)
   by CoTaskMemAlloc (ifs.c:562)
   by FileMonikerImpl_DecomposePath (filemoniker.c:1039)
   by FileMonikerImpl_Construct (filemoniker.c:1375)
   by CreateFileMoniker (filemoniker.c:1443)
   by FileMoniker_CreateFromDisplayName (filemoniker.c:1484)
   by MkParseDisplayName (moniker.c:1130)
   by HlinkCreateFromString (hlink_main.c:124)
   by test_persist (hlink.c:479)
This can be reproduced locally by setting up valgrind as described in http://wiki.winehq.org/Valgrind and applying the heap tail check patch to wine, starting winemine (to avoid valgrinding services), then running
cd dlls/ole32/tests WINETEST_PLATFORM=wine WINE_HEAP_REDZONE=16 valgrind --trace-children=yes --track-origins=yes --num-callers=30 wine ole32_test.exe.so moniker
although when I do that with today's sources, I get the slightly different error
Invalid write of size 4
   at FileMonikerImpl_DecomposePath (filemoniker.c:1087)
   by FileMonikerImpl_Construct (filemoniker.c:1375)
   by FileMonikerCF_CreateInstance (filemoniker.c:1593)
   by CoCreateInstance (compobj.c:2502)
   by get_unmarshaler_from_stream (marshal.c:1575)
   by CoReleaseMarshalData (marshal.c:1882)
   by rot_entry_delete (moniker.c:182)
   by RunningObjectTableImpl_Revoke (moniker.c:595)
   by test_ROT (moniker.c:632)
   by func_moniker (moniker.c:1943)
 Address 0x7f03fcb0 is 0 bytes after a block of size 0 alloc'd
   at notify_alloc (heap.c:279)
   by RtlAllocateHeap (heap.c:1521)
   by IMalloc_fnAlloc (ifs.c:186)
   by CoTaskMemAlloc (ifs.c:562)
   by FileMonikerImpl_DecomposePath (filemoniker.c:1039)
   by FileMonikerImpl_Construct (filemoniker.c:1375)
   by FileMonikerCF_CreateInstance (filemoniker.c:1593)
   by CoCreateInstance (compobj.c:2502)
   by get_unmarshaler_from_stream (marshal.c:1575)
   by CoReleaseMarshalData (marshal.c:1882)
   by rot_entry_delete (moniker.c:182)
   by RunningObjectTableImpl_Revoke (moniker.c:595)
   by test_ROT (moniker.c:632)
   by func_moniker (moniker.c:1943)
There's a simpler, similar looking error later on:
Invalid write of size 4
   at 0xD876677: FileMonikerImpl_DecomposePath (filemoniker.c:1087)
   by 0xD8771E0: FileMonikerImpl_Construct (filemoniker.c:1375)
   by 0xD877514: CreateFileMoniker (filemoniker.c:1443)
   by 0xCF306BC: test_file_moniker (moniker.c:1387)
   by 0xCF30A50: test_file_monikers (moniker.c:1448)
   by 0xCF333FC: func_moniker (moniker.c:1947)
 Address 0x7f045468 is 8 bytes inside a block of size 10 alloc'd
   at 0xCC8463B: notify_alloc (heap.c:279)
   by 0xCC844D9: RtlAllocateHeap (heap.c:1521)
   by 0xD87B372: IMalloc_fnAlloc (ifs.c:186)
   by 0xD87C38E: CoTaskMemAlloc (ifs.c:562)
   by 0xD8764EA: FileMonikerImpl_DecomposePath (filemoniker.c:1039)
   by 0xD8771E0: FileMonikerImpl_Construct (filemoniker.c:1375)
   by 0xD877514: CreateFileMoniker (filemoniker.c:1443)
   by 0xCF306BC: test_file_moniker (moniker.c:1387)
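Added example, not Wine's code and not part of the report above: a minimal model of the allocation pattern the three traces point at. A path is decomposed into a table of component strings; that table is an array of WCHAR pointers, so sizing it with `len*sizeof(WCHAR)` reserves 2 bytes per slot where a pointer needs 4 (32-bit) or 8 (64-bit), which is exactly why the first trace shows a 4-byte write at offset 4 of a 6-byte block. The names (`widen`, `decompose_path`, `table_bytes_buggy`, `table_bytes_fixed`) and the sample path are this example's own assumptions, not filemoniker.c's; the example also reserves a terminator slot so an empty path does not become a zero-byte allocation, the shape of the second trace, without claiming that this is what Wine's patch did.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Wine's code. Models the allocation pattern behind the
 * report: the table holds WCHAR pointers, so its size must come from
 * sizeof(WCHAR *), not sizeof(WCHAR). All names here are this example's own. */

typedef unsigned short WCHAR;   /* Win32 WCHAR is 16-bit; Linux wchar_t is not */

/* Bytes the buggy computation reserves for an n-entry pointer table. */
size_t table_bytes_buggy(size_t n) { return n * sizeof(WCHAR); }

/* Bytes an n-entry pointer table actually needs. */
size_t table_bytes_fixed(size_t n) { return n * sizeof(WCHAR *); }

/* Widen an ASCII string into a malloc'd WCHAR string (constructed test input). */
WCHAR *widen(const char *s)
{
    size_t n = strlen(s);
    WCHAR *w = malloc((n + 1) * sizeof(WCHAR));
    if (!w) return NULL;
    for (size_t i = 0; i <= n; i++) w[i] = (unsigned char)s[i];
    return w;
}

/* Compare a WCHAR string with an ASCII string; returns 1 if equal. */
int wequal(const WCHAR *w, const char *s)
{
    for (; *w && *s; w++, s++)
        if (*w != (unsigned char)*s) return 0;
    return *w == 0 && *s == 0;
}

/* Count the non-empty backslash-separated components of path. */
size_t count_components(const WCHAR *path)
{
    size_t n = 0;
    for (size_t i = 0; path[i]; ) {
        size_t start = i;
        while (path[i] && path[i] != '\\') i++;
        if (i > start) n++;
        if (path[i]) i++;               /* skip the separator */
    }
    return n;
}

/* Free a NULL-terminated component table. */
void free_table(WCHAR **table)
{
    if (!table) return;
    for (size_t i = 0; table[i]; i++) free(table[i]);
    free(table);
}

/* Split path into a NULL-terminated table of malloc'd component strings.
 * The table is sized with sizeof(WCHAR *) and always has a terminator slot,
 * so an empty path yields a one-slot table rather than a zero-byte block. */
WCHAR **decompose_path(const WCHAR *path, size_t *count)
{
    size_t n = count_components(path), k = 0;
    WCHAR **table = calloc(n + 1, sizeof(WCHAR *));   /* pointer-sized slots */
    if (!table) return NULL;

    for (size_t i = 0; path[i]; ) {
        size_t start = i;
        while (path[i] && path[i] != '\\') i++;
        if (i > start) {
            size_t len = i - start;
            /* Characters, not pointers: here sizeof(WCHAR) is the right unit. */
            WCHAR *comp = malloc((len + 1) * sizeof(WCHAR));
            if (!comp) { free_table(table); return NULL; }
            memcpy(comp, path + start, len * sizeof(WCHAR));
            comp[len] = 0;
            table[k++] = comp;
        }
        if (path[i]) i++;
    }
    *count = k;
    return table;
}

int main(void)
{
    WCHAR *path = widen("c:\\dir\\file.txt");   /* constructed sample input */
    size_t n = 0;
    WCHAR **table = decompose_path(path, &n);
    printf("%zu components; buggy table size %zu bytes, needed %zu bytes\n",
           n, table_bytes_buggy(n), table_bytes_fixed(n));
    free_table(table);
    free(path);
    return 0;
}
```

Run under valgrind with the buggy size swapped into the `calloc` and the terminator write lands past the block just as in the traces; with the pointer-sized slots the same input produces no error.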
--- Comment #1 from Rob Shearman robertshearman@gmail.com 2009-11-22 17:03:30 --- Should have been fixed by this commit: http://source.winehq.org/git/wine.git/?a=commitdiff;h=377159c4a76a9e7d830498...
--- Comment #2 from Rob Shearman robertshearman@gmail.com 2009-11-29 04:58:36 --- Warnings still present in recent run: http://kegel.com/wine/valgrind/logs/2009-11-27-12.53/vg-ole32_moniker.txt
Should be fixed for real this time with this patch: http://source.winehq.org/patches/data/55767
Rob Shearman robertshearman@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #3 from Rob Shearman robertshearman@gmail.com 2009-12-02 13:34:36 --- Fixed in git.
Alexandre Julliard julliard@winehq.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #4 from Alexandre Julliard julliard@winehq.org 2009-12-04 12:16:38 --- Closing bugs fixed in 1.1.34.