Michael Jung <mjung@iss.tu-darmstadt.de> writes:
> This is a resubmission of a simple patch I sent yesterday, which was not applied to CVS. I would like to give some detail on it: There is a section of code labeled "error:" at the end of CryptAcquireContext, which releases occupied resources in case of an error. Amongst others, the allocated memory pointed to by "keyname" is released. However, in some cases keyname is released twice, once in the normal code and once in the error cleanup code. CRYPT_Free uses LocalFree, which returns "NULL" if the memory was successfully released, and it does basically nothing if it is called with a "NULL" pointer. This means that by executing "keyname = (PSTR)CRYPT_Free(keyname)", the second call to CRYPT_Free does basically nothing, which is better than corrupting the heap ;)
The patch is OK, but it would be better to really avoid calling CRYPT_Free twice, and also to fix all the other places in that function that have the same problem.
Alexandre Julliard writes:
> Michael Jung <mjung@iss.tu-darmstadt.de> writes:
> > This is a resubmission of a simple patch I sent yesterday, which was not applied to CVS. I would like to give some detail on it: There is a section of code labeled "error:" at the end of CryptAcquireContext, which releases occupied resources in case of an error. Amongst others, the allocated memory pointed to by "keyname" is released. However, in some cases keyname is released twice, once in the normal code and once in the error cleanup code. CRYPT_Free uses LocalFree, which returns "NULL" if the memory was successfully released, and it does basically nothing if it is called with a "NULL" pointer. This means that by executing "keyname = (PSTR)CRYPT_Free(keyname)", the second call to CRYPT_Free does basically nothing, which is better than corrupting the heap ;)
> The patch is OK, but it would be better to really avoid calling CRYPT_Free twice, and also to fix all the other places in that function that have the same problem.
I'm currently working on an implementation of rsabase.dll. This heap corruption bug crashes some of my test programs. At the moment I would rather work on rsabase.dll than on advapi32.dll. If you apply my quick-and-dirty patch, I promise to look into CryptAcquireContext some time later ;)
Greetings, Michael
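The double free Michael describes and the two ways of dealing with it that come up in the thread, modelled in C as an added example. This is not Wine's advapi32 code: crypt_free stands in for CRYPT_Free/LocalFree (no-op on NULL, returns NULL on success), and the tracking allocator, the acquire_* functions and the container name are constructed for this example so that a second release of the same block is counted rather than corrupting the heap.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tracking allocator (not Wine code): counts a second release instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live_blocks[MAX_LIVE];
static int n_live = 0;
static int double_frees = 0;

static void *crypt_alloc(size_t n)
{
    void *p = malloc(n);
    if (p && n_live < MAX_LIVE) live_blocks[n_live++] = p;
    return p;
}

/* Stand-in for CRYPT_Free/LocalFree: no-op on NULL, returns NULL on success,
 * so "p = crypt_free(p)" leaves p cleared for any later cleanup. */
static void *crypt_free(void *p)
{
    if (!p) return NULL;
    for (int i = 0; i < n_live; i++) {
        if (live_blocks[i] == p) {
            live_blocks[i] = live_blocks[--n_live];
            free(p);
            return NULL;
        }
    }
    double_frees++;                 /* the real LocalFree would corrupt the heap */
    return NULL;
}

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = crypt_alloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Shape of the bug: keyname is released on the normal path, then a later
 * failure jumps to error:, which releases the same block again. */
static bool acquire_buggy(const char *container, bool later_step_fails)
{
    char *keyname = dup_string(container);
    if (!keyname) goto error;
    /* ... keyname used to open the container's registry key ... */
    crypt_free(keyname);            /* keyname now dangles */
    if (later_step_fails) goto error;
    return true;
error:
    crypt_free(keyname);            /* second release of the same block */
    return false;
}

/* Michael's quick fix: keep the NULL return value so the cleanup call does nothing. */
static bool acquire_patched(const char *container, bool later_step_fails)
{
    char *keyname = dup_string(container);
    if (!keyname) goto error;
    keyname = crypt_free(keyname);
    if (later_step_fails) goto error;
    return true;
error:
    keyname = crypt_free(keyname);  /* harmless: keyname is already NULL */
    return false;
}

/* Alexandre's preference: one release point that every path passes through. */
static bool acquire_single_release(const char *container, bool later_step_fails)
{
    bool ok = false;
    char *keyname = dup_string(container);
    if (!keyname) goto cleanup;
    if (later_step_fails) goto cleanup;
    ok = true;
cleanup:
    crypt_free(keyname);
    return ok;
}

/* Runs one variant with the later step failing; returns the double frees seen, n_live is 0 if nothing leaked. */
static int double_frees_on_failure(bool (*acquire)(const char *, bool))
{
    n_live = 0;
    double_frees = 0;
    acquire("constructed_container", true);
    return double_frees;
}

int main(void)
{
    printf("buggy %d, patched %d, single release %d double free(s)\n",
           double_frees_on_failure(acquire_buggy), double_frees_on_failure(acquire_patched),
           double_frees_on_failure(acquire_single_release));
    return 0;
}
```

The patched variant only works because LocalFree returns NULL on success and tolerates NULL input; it still leaves two release sites to keep in sync. The single-release variant is the one that makes the second call impossible to write, which is why it is the usual shape for an error-label cleanup in C.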