http://bugs.winehq.org/show_bug.cgi?id=30418
Bug #: 30418
Summary: regedit crash on export some binary values
Product: Wine
Version: 1.5.1
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: programs
AssignedTo: wine-bugs@winehq.org
ReportedBy: basinilya@gmail.com
Classification: Unclassified
I have a key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\HDA Intel\Master (see attached file) and when I try to export it, regedit crashes.
The crash happens in REGPROC_write_line() when it tries to write the binary value and tells something about heap (see attached output.txt)
I checked with winedbg where exactly the heap corrupts:

REGPROC_export_binary(...)
{
    ...
    lstrcpyW(*line_buf + data_pos, newline);   <-- here
    HeapFree(GetProcessHeap(), 0, value_multibyte);
}
[il@il wine]$ ./wine winedbg --gdb regedit.exe
...
Wine-gdb> b regproc.c:1054
Breakpoint 1 at 0x7ebc5a65: file regproc.c, line 1054.
Wine-gdb> cont
Continuing.

Breakpoint 1, REGPROC_export_binary (line_buf=0x33e044, line_buf_size=0x33e034, line_len=0x33df78, type=3, value=0x17e3f0 "", value_size=1848, unicode=0) at regproc.c:1054
1054        lstrcpyW(*line_buf + data_pos, newline);
Wine-gdb> list
1049                data_pos += concat_len;
1050                column = concat_prefix;
1051            }
1052        }
1053    }
1054    lstrcpyW(*line_buf + data_pos, newline);
1055    HeapFree(GetProcessHeap(), 0, value_multibyte);
1056 }
1057
1058 /******************************************************************************
Wine-gdb> call HeapAlloc(GetProcessHeap(), 0, 8192)
$1 = (void *) 0x182258
Wine-gdb> call HeapFree(GetProcessHeap(), 0, $)
$2 = 1
Wine-gdb> n
1055        HeapFree(GetProcessHeap(), 0, value_multibyte);
Wine-gdb> call HeapAlloc(GetProcessHeap(), 0, 8192)

Program received signal SIGSEGV, Segmentation fault.
0x7bc480d3 in HEAP_CreateFreeBlock (subheap=0x110014, ptr=0x184258, size=581640) at heap.c:590
590         (*(DWORD *)((char *)ptr + size) & ARENA_FLAG_FREE))
The program being debugged was signaled while in a function called from GDB.
GDB remains in the frame where the signal was received.
To change this behavior use "set unwindonsignal on".
Evaluation of the expression containing the function
(HeapAlloc) will be abandoned.
When the function is done executing, GDB will silently stop.
--- Comment #1 from Ilya Basin basinilya@gmail.com 2012-04-12 06:08:55 CDT ---
Created attachment 39765
  --> http://bugs.winehq.org/attachment.cgi?id=39765
the key failing to export
--- Comment #2 from Ilya Basin basinilya@gmail.com 2012-04-12 06:09:35 CDT ---
Created attachment 39766
  --> http://bugs.winehq.org/attachment.cgi?id=39766
wine output
Austin English austinenglish@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
--- Comment #3 from Ilya Basin basinilya@gmail.com 2012-04-12 08:14:54 CDT ---
Look at this line of code:

    *line_len += *line_len / (REG_FILE_HEX_LINE_LEN - concat_prefix) * concat_len;

Before it, *line_len == 5561, which is already wrong: the length of the one-line "LineStates"=hex:00,00,00,... is 5560, not 5561.

Broken into multiple lines, this string takes 5932 chars:

"LineStates"=hex:00,00,00,00,4d,00,61,00,73,00,74,00,65,00,72,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,...

5932-5561=371, but the existing code only adds 370.

Instead, *line_len before the formula should be 5560 and the formula should evaluate to 372, which is (nlines-1) * 5 + 2, where
  nlines - number of lines
  5 - the length of "\\r\n "
  2 - the length of "\r\n"
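The arithmetic in comment #3 can be checked by re-rendering the value in the .reg "hex:" layout the comment quotes. This is an added example, not Wine's regproc.c; it assumes REG_FILE_HEX_LINE_LEN is 77 content columns and the continuation prefix is two spaces, which is what the 20-byte first line, 25-byte continuation lines and the 75-column divisor in the comment imply, and it uses a constructed 1848-byte stand-in for the attached key.

```python
# Added example (not Wine's regproc.c): reproduce the .reg "hex:" wrapping from
# comment #3 and check the line-length arithmetic it describes.
# Assumed: 77 content columns per line and a two-space continuation prefix.
REG_FILE_HEX_LINE_LEN = 77
CONCAT = "\\\r\n  "        # backslash, CRLF, two spaces: 5 characters
CONCAT_PREFIX = 2          # columns already used on a continuation line
CONCAT_LEN = len(CONCAT)   # 5


def export_hex(name, data):
    """Render a REG_BINARY value as a wrapped 'hex:' line, final CRLF included."""
    head = '"%s"=hex:' % name
    parts, column = [head], len(head)
    for i, b in enumerate(data):
        # Wrap before a byte whose "xx," would overflow the current line.
        if i and column + 3 > REG_FILE_HEX_LINE_LEN:
            parts.append(CONCAT)
            column = CONCAT_PREFIX
        parts.append("%02x," % b)
        column += 3
    line = "".join(parts)
    if data:
        line = line[:-1]   # no comma after the last byte
    return line + "\r\n"


def one_line_len(name, data):
    """Length of the unwrapped form without its CRLF (5560 for the bug's value)."""
    return len('"%s"=hex:' % name) + 3 * len(data) - (1 if data else 0)


def buggy_extra(line_len):
    """Pre-fix estimate: line_len / (REG_FILE_HEX_LINE_LEN - concat_prefix) * concat_len."""
    return line_len // (REG_FILE_HEX_LINE_LEN - CONCAT_PREFIX) * CONCAT_LEN


def correct_extra(nlines):
    """Comment #3's formula: one 5-char separator per wrap plus the final CRLF."""
    return (nlines - 1) * CONCAT_LEN + 2


# Constructed stand-in for the attached key: 1848 bytes starting with four zero
# bytes and "Master" in UTF-16LE, matching the first line quoted in comment #3.
SAMPLE = b"\0\0\0\0" + "Master".encode("utf-16-le") + bytes(1848 - 16)


def check(name="LineStates", data=SAMPLE):
    """Compare the real wrapped size with the old and the proposed estimates."""
    text = export_hex(name, data)
    nlines = text.count(CONCAT) + 1
    single = one_line_len(name, data)
    return {"single": single, "wrapped": len(text), "nlines": nlines,
            "buggy": buggy_extra(single + 1), "correct": correct_extra(nlines)}
```

For the bug's value check() yields single=5560, wrapped=5932 and nlines=75; the old estimate gives 370 while (nlines-1)*5+2 gives 372, which is exactly 5932-5560.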
--- Comment #4 from Ilya Basin basinilya@gmail.com 2012-04-12 09:05:05 CDT ---
Created attachment 39767
  --> http://bugs.winehq.org/attachment.cgi?id=39767
patch
Bruno Jesus 00cpxxx@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |f900ed1474b0fd05dbf0a11907d
                   |                            |0bf0682fff979
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |00cpxxx@gmail.com
         Resolution|                            |FIXED

--- Comment #5 from Bruno Jesus 00cpxxx@gmail.com 2012-04-12 16:09:49 CDT ---
Patch committed.
http://source.winehq.org/git/wine.git/commit/f900ed1474b0fd05dbf0a11907d0bf0...
--- Comment #6 from Ilya Basin basinilya@gmail.com 2012-04-13 00:58:06 CDT ---
Actually, I don't understand why all this error-prone dancing around string buffers, because at the end, buffered fwrite(FILE *) is used.
--- Comment #7 from Vitaliy Margolen vitaliy-bugzilla@kievinfo.com 2012-04-13 08:22:16 CDT ---
(In reply to comment #6)
Writing big chunks to a file always works faster compared to a few bytes at a time.
Alexandre Julliard julliard@winehq.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Alexandre Julliard julliard@winehq.org 2012-04-13 13:28:09 CDT ---
Closing bugs fixed in 1.5.2.
Alexandre Julliard julliard@winehq.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |1.4.x
Alexandre Julliard julliard@winehq.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|1.4.x                       |---