http://bugs.winehq.org/show_bug.cgi?id=20850
Summary: Write buffer overflow in WidenPath()
Product: Wine
Version: 1.1.33
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: download, source, testcase
Severity: normal
Priority: P2
Component: gdi32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
http://kegel.com/wine/valgrind/logs/2009-11-19-08.35/vg-gdi32_path.txt has the warning

Invalid write of size 4
   at PATH_WidenPath (path.c:1911)
   by WidenPath (path.c:2232)
   by test_widenpath (path.c:68)
   by func_path (path.c:508)
   by run_test (test.h:535)
   by main (test.h:585)
 Address 0x7f03bb48 is 0 bytes after a block of size 0 alloc'd
   at notify_alloc (heap.c:279)
   by RtlAllocateHeap (heap.c:1521)
   by PATH_WidenPath (path.c:1910)
   by WidenPath (path.c:2232)
   by test_widenpath (path.c:68)
The same problem appears in current sources, and has probably been there since 2007.
Looking at WidenPath(), it seems that maybe numStrokes should start at 1, not 0?
--- Comment #1 from Nikolay Sivov bunglehead@gmail.com 2009-11-28 01:43:44 ---
(In reply to comment #0)
> Looking at WidenPath(), it seems that maybe numStrokes should start at 1, not 0?

Yeah, I think you're right, this looks pretty odd:
---
numStrokes = 0;
pStrokes = HeapAlloc(GetProcessHeap(), 0, numStrokes * sizeof(GdiPath*));
---
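The allocation pattern quoted above, reworked as an added example that is not Wine's code and not the actual fix: the per-stroke array carries its capacity alongside its count and is grown before each store, so a zero-byte allocation followed by a write of the first element cannot occur. Stroke, StrokeList and split_into_strokes are hypothetical stand-ins for Wine's GdiPath handling; the PT_* values are the Win32 path flags, defined locally.

```c
#include <stdlib.h>

/* Win32 path flag values, defined locally so this builds without wingdi.h. */
#define PT_CLOSEFIGURE 0x01
#define PT_LINETO      0x02
#define PT_MOVETO      0x06

typedef struct { int closed; } Stroke;   /* hypothetical stand-in for GdiPath */

/* Growable stroke array. Tracking capacity beside count is what the reported code
 * lacked: it allocated numStrokes * sizeof(GdiPath*) bytes with numStrokes == 0. */
typedef struct { Stroke **items; size_t count, capacity; } StrokeList;

/* Grow before the store, so items[count] is always inside the allocation.
 * Returns 0 on allocation failure and leaves the list untouched. */
static int stroke_list_push(StrokeList *list, Stroke *s)
{
    if (list->count == list->capacity) {
        size_t cap = list->capacity ? list->capacity * 2 : 1;
        Stroke **grown = realloc(list->items, cap * sizeof *grown);
        if (!grown) return 0;
        list->items = grown;
        list->capacity = cap;
    }
    list->items[list->count++] = s;
    return 1;
}

/* Split a flag array into strokes as WidenPath does: PT_MOVETO opens a new stroke
 * and closes the previous one; any other flag extends the current stroke. Returns
 * the stroke count, or -1 if the path does not start with PT_MOVETO or malloc fails. */
static int split_into_strokes(const unsigned char *flags, size_t n)
{
    StrokeList list = {0};
    int ok = 1;
    for (size_t i = 0; ok && i < n; i++) {
        if ((flags[i] & ~PT_CLOSEFIGURE) == PT_MOVETO) {
            Stroke *s = calloc(1, sizeof *s);
            if (list.count) list.items[list.count - 1]->closed = 1;
            ok = s && stroke_list_push(&list, s);
            if (!ok) free(s);
        } else if (!list.count) ok = 0;   /* a path must begin with PT_MOVETO */
    }
    int strokes = ok ? (int)list.count : -1;
    for (size_t i = 0; i < list.count; i++) free(list.items[i]);
    free(list.items);
    return strokes;
}
```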
Laurent Vromman laurent@vromman.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |laurent@vromman.org

--- Comment #2 from Laurent Vromman laurent@vromman.org 2009-11-28 07:44:04 ---
My mistake...
I've written a correction. I just need to test it and make a clean patch. This will be done ASAP.
Dan Kegel dank@kegel.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|wine-bugs@winehq.org        |laurent@vromman.org

--- Comment #3 from Dan Kegel dank@kegel.com 2009-11-28 11:00:59 ---
Laurent asked to be assigned...
Dan Kegel dank@kegel.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wine-bugs@winehq.org
--- Comment #4 from Laurent Vromman laurent@vromman.org 2009-11-28 19:05:49 ---
Created an attachment (id=24997)
 --> (http://bugs.winehq.org/attachment.cgi?id=24997)
Proposed patch to correct the bug
This patch has been sent to wine-patches@winehq.org
--- Comment #5 from Juan Lang juan_lang@yahoo.com 2009-11-30 18:51:55 ---
Laurent, your patch was rejected. It looks like it might have been mangled by your email program; try attaching it as a text file and resending it.
--- Comment #6 from Dan Kegel dank@kegel.com 2009-11-30 18:54:35 ---
Laurent, it's ok, I'll send a patch. Thanks for your help!
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Nikolay Sivov bunglehead@gmail.com 2009-12-11 05:17:58 ---
This is fixed already by commit b5ca0a9c2a55b0420cda6cea931d1490eda66bb8.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Alexandre Julliard julliard@winehq.org 2009-12-18 13:07:59 ---
Closing bugs fixed in 1.1.35.