https://bugs.winehq.org/show_bug.cgi?id=53172
Bug ID: 53172
Summary: advapi32:registry - test_enum_value() has a pair of rare failures in UTF-8 system locales
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Windows
Status: NEW
Severity: normal
Priority: P2
Component: advapi32
Assignee: wine-bugs@winehq.org
Reporter: fgouget@codeweavers.com
advapi32:registry - test_enum_value() has a pair of rare failures in UTF-8 system locales:
registry.c:558: Test failed: data set to 'xxxxxxxxxxxxxxxxxxxx' instead of 'foobar' or x's, data_count=21
registry.c:576: Test failed: data set to 'xxxxxxxxxxxxxxxxxxxx' instead of 'foobar' or x's, data_count=21
https://test.winehq.org/data/patterns.html#advapi32:registry
The line 558 and 576 failures happen with about the same frequency (~13% each) but independently from each other, so that most times there is at most one in the report.
And they only happen in the TestBot's two UTF-8 test configurations: w10pro64-en-AE-u8 and w10pro64-hi-u8.
François Gouget fgouget@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |source, testcase
François Gouget fgouget@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|wine-bugs@winehq.org        |fgouget@codeweavers.com
--- Comment #1 from François Gouget fgouget@codeweavers.com ---
Windows's RegEnumValueA() behavior is broken in all cases where the name buffer is too small, but particularly so in double-byte and UTF-8 locales.
The test is configured to enumerate a single value:
Test: REG_SZ "foobar"
With:
  data_count = 20
  memset(data, 'x', sizeof(data))
  RegEnumValueA(...too small name buffer..., data, &data_count)
We randomly get one of the results below:

* data_count=7
  This is strlen("foobar")+1 which makes sense

  data[data_count] = 0
  Modifying the buffer makes no sense in the first place. But should it be modified, then it should do data[data_count-1] = 0. Maybe this is a REG_SZ vs. REG_MULTI_SZ issue.

* 7 < data_count < 20 and data[data_count] = 0
  The required buffer size is 7, there is no reason to claim more is needed. The returned values don't even seem to be random; it's mostly 8-11 and 13. There is still the data[data_count] vs. data[data_count-1] issue.

* data_count >= 20 and data is unmodified
  This seems to be specific to the UTF-8 cases (w10pro64_en_AE_u8 and w10pro64_hi_u8). Specifically the only value seen in this case is data_count = 21. Even if the initial data_count value is changed to 16. So why 21??? And fortunately RegEnumValueA() did not try to set data[data_count] = 0 (would be a buffer overflow).

  This is what's causing the failures for two reasons:
  - We memset(data, 'x', sizeof(data)) which means it's not \0-terminated. So strspn( data, "x" ) may return anything depending on what comes after the buffer. At least there's only a 1/256 chance of it being wrong.
  - data[data_count] is also outside the buffer and this time it has a 255/256 chance of being wrong (though in practice it's not random and may be more likely to be 0).
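The two out-of-bounds reads described in comment #1, with bounded replacements, as an added example that is not part of the bug report or of Wine's test code. The 20-byte buffer size and the names classify_data(), terminator_at() and simulate() are assumptions; simulate() is a constructed stand-in for the buffer states listed above and does not call RegEnumValueA().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define DATA_SIZE 20 /* assumed: matches data_count = 20 in the report */

enum data_state { DATA_UNTOUCHED, DATA_VALUE, DATA_UNEXPECTED };
/* Count leading fill bytes, stopping at the end of the buffer.
 * strspn(buf, "x") would keep reading until it meets a NUL. */
static size_t bounded_span(const char *buf, size_t size, char fill)
{
    size_t i = 0;
    while (i < size && buf[i] == fill) i++;
    return i;
}

/* Classify the data buffer using only in-bounds reads. */
enum data_state classify_data(const char *buf, size_t size, const char *expected)
{
    size_t len = strlen(expected);
    if (bounded_span(buf, size, 'x') == size) return DATA_UNTOUCHED;
    if (len < size && memcmp(buf, expected, len + 1) == 0) return DATA_VALUE;
    return DATA_UNEXPECTED;
}

/* buf[count] == 0 as 1/0; -1 if count is outside the buffer (byte not read). */
int terminator_at(const char *buf, size_t size, unsigned long count)
{
    if (count >= size) return -1;
    return buf[count] == 0;
}

/* Constructed stand-in for the call's effect on data (not RegEnumValueA):
 * wrote != 0 stores "foobar" plus a NUL at data[count]; 0 leaves the x's. */
const char *simulate(unsigned long count, int wrote)
{
    static char data[DATA_SIZE];
    memset(data, 'x', sizeof(data));
    if (wrote && count < sizeof(data)) { memcpy(data, "foobar", 7); data[count] = 0; }
    return data;
}

int main(void)
{
    const char *d = simulate(21, 0); /* the result seen in the UTF-8 configurations */
    printf("count=21: state=%d term=%d\n", classify_data(d, DATA_SIZE, "foobar"), terminator_at(d, DATA_SIZE, 21));
    d = simulate(7, 1);
    printf("count=7:  state=%d term=%d\n", classify_data(d, DATA_SIZE, "foobar"), terminator_at(d, DATA_SIZE, 7));
    return 0;
}
```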
--- Comment #2 from François Gouget fgouget@codeweavers.com ---
Sent a merge request:
https://gitlab.winehq.org/wine/wine/-/merge_requests/2324
François Gouget fgouget@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
      Fixed by SHA1|                            |95f2cc0f15b1dde0318e75e2a7f21957fa76af55
         Resolution|---                         |FIXED

--- Comment #3 from François Gouget fgouget@codeweavers.com ---
This should be fixed:

commit 95f2cc0f15b1dde0318e75e2a7f21957fa76af55
Author: François Gouget fgouget@codeweavers.com
Date: Fri Mar 3 16:23:07 2023 +0100
advapi32/tests: Fix the RegEnumValueA() tests in UTF-8 locales.
On Windows RegEnumValueA() is buggy such that when the value name buffer is too small, it may way overestimate the required data buffer size, sometimes returning more than the sufficiently large buffer it was provided, in which case that buffer is untouched and thus not NUL-terminated. So modify the tests to accept this broken result and avoid checking out-of-bounds data.
Wine-Bug: https://bugs.winehq.org//show_bug.cgi?id=53172
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 8.4.