http://bugs.winehq.org/show_bug.cgi?id=20758
Summary: Missing nul termination in string passed to callback of RtlQueryRegistryValues()?
Product: Wine
Version: 1.1.33
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: source, testcase
Severity: normal
Priority: P2
Component: ntdll
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
http://kegel.com/wine/valgrind/logs/2009-11-18-21.51/vg-ntdll_reg.txt shows the error message
Invalid read of size 2
   at strlenW (unicode.h:216)
   by lstrlenW (string.c:214)
   by QueryRoutine (reg.c:201)
   by RTL_ReportRegistryValue (reg.c:992)
   by RtlQueryRegistryValues (reg.c:1231)
   by test_RtlQueryRegistryValues (reg.c:326)
 Address 0x7f03c184 is 0 bytes after a block of size 52 alloc'd
   at notify_alloc (heap.c:279)
   by RtlAllocateHeap (heap.c:1521)
   by RtlQueryRegistryValues (reg.c:1226)
   by test_RtlQueryRegistryValues (reg.c:326)
It looks like an argument between len and null-terminated strings. RtlQueryRegistryValues calls a user-supplied callback whose first parameter is to a nul-terminated string... but it passes pInfo->Name, which is not nul-terminated. (It comes from NtEnumerateValueKey, and has a corresponding NameLength member.)
So... either we need to copy Name to a new buffer and terminate it before calling the callback, or NtEnumerateValueKey needs to silently nul-terminate Name. I guess it's time for another conformance test.
(This error was seen before by Valgrind, but with a slightly less informative description.)
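The mismatch described in the report, as an added C example that is not Wine's code: a record in the shape of the NtEnumerateValueKey output (a byte count NameLength plus an unterminated Name), a callback that trusts the QueryRoutine contract and measures its string, and the two ways of handing Name to it. The WCHAR typedef, the simplified one-argument callback, the VALUE_INFO struct and the "Foo" record are all constructed for this example; the real QueryRoutine takes several more parameters, and in the real bug the read ran off the end of the 52-byte heap block rather than into leftover bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Wine's code. WCHAR is 16-bit as in Wine's headers,
 * and VALUE_INFO stands in for the NtEnumerateValueKey output record:
 * NameLength is the name's length in bytes, and Name carries no terminator. */
typedef unsigned short WCHAR;

typedef struct {
    unsigned long NameLength;   /* bytes, excluding any terminator */
    WCHAR Name[];               /* NameLength/2 characters, NOT nul-terminated */
} VALUE_INFO;

/* 16-bit strlen, the role strlenW plays in the Valgrind trace. */
static size_t wlen(const WCHAR *s)
{
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* Simplified stand-in for the QueryRoutine callback of RtlQueryRegistryValues:
 * the contract says ValueName is nul-terminated, so the callback simply
 * measures it, as lstrlenW did at reg.c:201 in the trace. */
typedef size_t (*QUERY_ROUTINE)(const WCHAR *ValueName);

static size_t query_routine(const WCHAR *ValueName)
{
    return wlen(ValueName);
}

/* Constructed record: the value name "Foo" (3 WCHARs, 6 bytes) followed by
 * leftover non-zero data in the same allocation. A terminator is placed well
 * past the name so this demonstration stays inside the block and is itself
 * defined behaviour; the real bug read past the end of the heap block. */
static VALUE_INFO *make_record(void)
{
    static const WCHAR name[] = { 'F', 'o', 'o' };
    static const WCHAR leftover[] = { 'X', 'X', 'X', 'X', 0 };
    size_t size = offsetof(VALUE_INFO, Name) + sizeof(name) + sizeof(leftover);
    VALUE_INFO *info = malloc(size);
    if (!info) return NULL;
    info->NameLength = sizeof(name);
    memcpy(info->Name, name, sizeof(name));
    memcpy((char *)info->Name + sizeof(name), leftover, sizeof(leftover));
    return info;
}

/* Defective pattern from the report: pass pInfo->Name straight through. The
 * callback keeps reading past NameLength until it happens to hit a zero. */
static size_t report_value_unterminated(const VALUE_INFO *info, QUERY_ROUTINE cb)
{
    return cb(info->Name);
}

/* Fixed pattern (the first option in the report): copy Name into a fresh
 * buffer sized from NameLength plus one WCHAR, and terminate it. */
static size_t report_value_terminated(const VALUE_INFO *info, QUERY_ROUTINE cb)
{
    size_t chars = info->NameLength / sizeof(WCHAR);
    WCHAR *copy = malloc((chars + 1) * sizeof(WCHAR));
    size_t result;
    if (!copy) return (size_t)-1;
    memcpy(copy, info->Name, chars * sizeof(WCHAR));
    copy[chars] = 0;
    result = cb(copy);
    free(copy);
    return result;
}

/* Length the callback observes when Name is passed unterminated. */
size_t unterminated_length(void)
{
    VALUE_INFO *info = make_record();
    size_t n = info ? report_value_unterminated(info, query_routine) : (size_t)-1;
    free(info);
    return n;
}

/* Length the callback observes after the copy-and-terminate fix. */
size_t terminated_length(void)
{
    VALUE_INFO *info = make_record();
    size_t n = info ? report_value_terminated(info, query_routine) : (size_t)-1;
    free(info);
    return n;
}

int main(void)
{
    printf("unterminated: %zu chars, terminated: %zu chars\n",
           unterminated_length(), terminated_length());
    return 0;
}
```

Run as-is, the unterminated path reports 7 characters ("FooXXXX") where the terminated path reports the correct 3; under Valgrind, the same pattern with no leftover bytes after the name is exactly the "0 bytes after a block" read in the log above. Sizing the copy from NameLength rather than from a length computed by scanning the buffer is the part that matters: it is the only length the record actually guarantees.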
--- Comment #1 from Nikolay Sivov bunglehead@gmail.com 2010-12-19 18:09:23 CST ---
I guess Rob fixed this a year ago:
http://source.winehq.org/git/wine.git/?a=commit;h=3d0f56fb371f3c983ea0c9ab43...
This could be closed safely I think, but a new valgrind run will be nice too.
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #2 from Nikolay Sivov bunglehead@gmail.com 2011-08-07 11:00:39 CDT ---
I see no leaks in 'reg' tests with 1.3.26, marking fixed.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Alexandre Julliard julliard@winehq.org 2011-08-26 13:24:46 CDT ---
Closing bugs fixed in 1.3.27.