http://bugs.winehq.org/show_bug.cgi?id=20942
Summary: Write buffer overflow in MODULE_LoadModule16() causing valgrind warnings in all tests??
Product: Wine
Version: 1.1.34
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Keywords: download, source, testcase
Severity: normal
Priority: P2
Component: kernel32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Many (all?) of today's tests http://kegel.com/wine/valgrind/logs/2009-12-07-08.39/ show the valgrind warning

  Use of uninitialised value of size 4
     at mbstowcs_sbcs (mbtowc.c:90)
     by wine_cp_mbstowcs (mbtowc.c:269)
     by RtlMultiByteToUnicodeN (rtlstr.c:840)
     by RtlAnsiStringToUnicodeString (rtlstr.c:694)
     by FILE_name_AtoW (file.c:251)
     by LoadLibraryExA (module.c:911)
     by LoadLibraryA (module.c:964)
     by MODULE_LoadModule16 (ne_module.c:1114)
  ...
  Uninitialised value was created by a stack allocation
     at MODULE_LoadModule16 (ne_module.c:1049)
I can't reproduce this on my work machine, so perhaps the rain has driven my home machine (which posts the results automatically) bonkers?
Dan Kegel dank@kegel.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
        Summary|Write buffer overflow in    |Read buffer overflow in
               |MODULE_LoadModule16()       |MODULE_LoadModule16()
               |causing valgrind warnings   |causing valgrind warnings
               |in all tests??              |in all tests??
--- Comment #1 from Dan Kegel dank@kegel.com 2009-12-07 19:48:36 ---
Reproducible at home, and you don't even need valgrind; running with +relay,+module shows
  002a:Call PE DLL (proc=0x7e907998,module=0x7e890000 L"gdi32.dll",reason=PROCESS_ATTACH,res=0x1)
  trace:module:LoadModule16 name gdi.exe, paramBlock 0xffffffff
  trace:module:load_dll looking for L"gdi.exe16" in L"Z:\home\dank\wine-git\dlls\kernel32\tests;.;C:\windows\system32;C:\windows\system;C:\windows;C:\windows\system32;C:\windows;C:\windows\system32\wbem"
  trace:module:get_load_order looking for L"gdi.exe16"
  trace:module:get_load_order got hardcoded default for L"gdi.exe16"
  trace:module:load_builtin_dll Trying built-in L"gdi.exe16"
  warn:module:load_builtin_dll cannot open .so lib for builtin L"gdi.exe16": /home/dank/wine-git/programs/gdi.exe16/gdi.exe16.so: cannot open shared object file: No such file or directory
  warn:module:load_dll Failed to load module L"gdi.exe16"; status=c0000135
  trace:module:load_dll looking for L"?\00aa\00d1\00f7\00f4?\00fe~>" in L"Z:\home\dank\wine-git\dlls\kernel32\tests;.;C:\windows\system32;C:\windows\system;C:\windows;C:\windows\system32;C:\windows;C:\windows\system32\wbem"
  trace:module:get_load_order looking for L"?\00aa\00d1\00f7\00f4?\00fe~>.dll"
  ...
Dan Kegel dank@kegel.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|UNCONFIRMED                 |NEW
 Ever Confirmed|0                           |1
--- Comment #2 from Dan Kegel dank@kegel.com 2009-12-07 22:57:15 ---
heh. Probably introduced by
  commit 4edcf1caa52a09fffaf032a35ffd129259084096
  Author: Alexandre Julliard julliard@winehq.org
  Date:   Fri Dec 4 21:47:30 2009 +0100

      gdi32: Make gdi.exe into a stand-alone 16-bit module.
In libs/wine/loader.c, wine_dll_get_owner opens the directory dlls/gdi.exe16 and tries to read from it; read returns -1, buffer is nul-terminated at offset -1 (a write underflow on a stack-allocated buffer) and hilarity ensues.
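The failure mode described in comment #2, an unchecked read() return value of -1 used as the index of the nul terminator so the write lands one byte below a stack buffer, as an added example in C. This is not Wine's code and does not reproduce wine_dll_get_owner; the function names read_name_unchecked, read_name_checked and unchecked_terminator_index, the temp-file path and the sample content "gdi32.dll.so" are assumptions constructed for the example. It relies on Linux read(2) failing with EISDIR on a directory descriptor, which is the same condition as opening dlls/gdi.exe16 and reading from it.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* "Before" (hypothetical, modelled on the bug in comment #2): read() can
 * fail and return -1; using that value as an index nul-terminates at
 * buf[-1], one byte below a stack-allocated buffer. Shown for comparison
 * only; the demo functions below never call it on a directory. */
ssize_t read_name_unchecked(const char *path, char *buf, size_t size)
{
    int fd = open(path, O_RDONLY);
    ssize_t n;
    if (fd == -1) return -1;
    n = read(fd, buf, size - 1);
    close(fd);
    buf[n] = 0;   /* BUG: n == -1 after a failed read (e.g. EISDIR) */
    return n;
}

/* "After": a failed read is a failure. buf is always a valid (possibly
 * empty) string afterwards and errno from read() survives close(). */
ssize_t read_name_checked(const char *path, char *buf, size_t size)
{
    int fd, saved;
    ssize_t n;

    if (size == 0) { errno = EINVAL; return -1; }
    buf[0] = 0;
    fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    n = read(fd, buf, size - 1);
    saved = errno;
    close(fd);
    if (n < 0) {
        buf[0] = 0;       /* read() leaves buf unspecified on error */
        errno = saved;
        return -1;
    }
    buf[n] = 0;           /* n is in [0, size-1], always in bounds */
    return n;
}

/* The index the unchecked code would have used for path, computed
 * without performing the write. -1 for a directory on Linux. */
ssize_t unchecked_terminator_index(const char *path)
{
    char buf[64];
    int fd = open(path, O_RDONLY);
    ssize_t n;
    if (fd == -1) return -1;
    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    return n;
}

/* Directory case: reading "." must fail cleanly. Returns 1 if so. */
int directory_case_ok(void)
{
    char buf[64];
    ssize_t n;
    memset(buf, 'X', sizeof(buf));
    n = read_name_checked(".", buf, sizeof(buf));
    return n == -1 && errno == EISDIR && buf[0] == 0;
}

/* Normal case on a constructed temp file holding the sample string
 * "gdi32.dll.so". Returns 1 if the content is read back intact. */
int file_case_ok(void)
{
    char tmpl[] = "/tmp/owner_exampleXXXXXX";   /* constructed sample file */
    const char sample[] = "gdi32.dll.so";
    char buf[64];
    int fd = mkstemp(tmpl);
    ssize_t n;
    int ok;

    if (fd == -1) return 0;
    if (write(fd, sample, strlen(sample)) != (ssize_t)strlen(sample)) {
        close(fd); unlink(tmpl); return 0;
    }
    close(fd);
    n = read_name_checked(tmpl, buf, sizeof(buf));
    ok = n == (ssize_t)strlen(sample) && strcmp(buf, sample) == 0;
    unlink(tmpl);
    return ok;
}

int main(void)
{
    printf("index the unchecked code would use for \".\": %ld\n",
           (long)unchecked_terminator_index("."));
    printf("directory case handled: %d\n", directory_case_ok());
    printf("file case handled: %d\n", file_case_ok());
    return 0;
}
```

The point for a reviewer is the single line `buf[n] = 0;`: every syscall whose return value doubles as a length must be range-checked before it becomes an index, and a directory where a file was expected is exactly the kind of input that turns the length into -1. Valgrind reports the symptom (uninitialised bytes in the buffer later passed to the A-to-W conversion), not the cause, which is why the first report pointed at MODULE_LoadModule16 rather than the loader.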
--- Comment #3 from Dan Kegel dank@kegel.com 2009-12-07 23:09:05 --- Patch sent, http://www.winehq.org/pipermail/wine-patches/2009-December/082397.html
--- Comment #4 from Alexandre Julliard julliard@winehq.org 2009-12-08 05:32:42 --- This should not happen if your tree is built properly, the 16-bit module should get loaded first.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
     Resolution|                            |WORKSFORME
--- Comment #5 from Austin English austinenglish@gmail.com 2012-04-01 23:09:36 CDT --- I can't reproduce, and according to AJ, was likely user error.
Jerome Leclanche adys.wh@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|RESOLVED                    |CLOSED
             CC|                            |adys.wh@gmail.com
     Resolution|WORKSFORME                  |INVALID
--- Comment #6 from Jerome Leclanche adys.wh@gmail.com 2012-04-05 18:14:15 CDT --- Closing