This was the ASan output before:

```
$ ASAN_OPTIONS="allocator_may_return_null=1:halt_on_error=0:strict_memcmp=0:log_path="c:\asan_$(date +%Y-%m-%d_%H-%M-%S)_":log_exe_name=1" make dlls/wbemprox/tests/x86_64-windows/query.ok
$ cat asan_2025-02-12_23-46-45_.wbemprox_test.exe.296
=================================================================
==wbemprox_test.exe==296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8338af4c80 at pc 0x6ffffdf98e18 bp 0x7ffffe1fec00 sp 0x7ffffe1fec48
WRITE of size 8 at 0x7f8338af4c80 thread T0
    #0 0x6ffffdf98e17 in get_pnp_entities ...\wine\dlls\wbemprox\builtin.c:3313
    #1 0x6ffffdf8a53c in fill_pnpentity ...\wine\dlls\wbemprox\builtin.c:3365
    #2 0x6ffffdfa67f4 in exec_select_view ...\wine\dlls\wbemprox\query.c:708
    #3 0x6ffffdfa60ce in execute_view ...\wine\dlls\wbemprox\query.c:746
    #4 0x6ffffdfa6eba in exec_query ...\wine\dlls\wbemprox\query.c:795
    #5 0x6ffffdfb4aed in create_instance_enum ...\wine\dlls\wbemprox\services.c:495
    #6 0x6ffffdfb696b in wbem_services_CreateInstanceEnum ...\wine\dlls\wbemprox\services.c:687
    #7 0x0001400126a4 in IWbemServices_CreateInstanceEnum ...\wine-build\build-asan-pe\64\obj\include\wbemcli.h:1396
    #8 0x000140009d3a in test_Win32_PnPEntity ...\wine\dlls\wbemprox\tests\query.c:1992
    #9 0x0001400014c9 in func_query ...\wine\dlls\wbemprox\tests\query.c:2493
    #10 0x000140016eee in run_test+0xae (...\wine-build\build-asan-pe\64\obj\dlls\wbemprox\tests\x86_64-windows\wbemprox_test.exe+0x140016eee)
    #11 0x000140016a31 in main+0x471 (...\wine-build\build-asan-pe\64\obj\dlls\wbemprox\tests\x86_64-windows\wbemprox_test.exe+0x140016a31)
    #12 0x0001400183a3 in mainCRTStartup ...\wine\dlls\msvcrt\crt_main.c:58
    #13 0x6fffffc4555e in BaseThreadInitThunk ...\wine\dlls\kernel32\thread.c:61
    #14 0x6fffffdcb3da (C:\windows\system32\ntdll.dll+0x17004b3da)

0x7f8338af4c80 is located 0 bytes after 768-byte region [0x7f8338af4980,0x7f8338af4c80)
allocated by thread T0 here:
    #0 0x6ffffe5f4711 in malloc+0x81 (C:\windows\system32\libclang_rt.asan_dynamic-x86_64.dll+0x180044711)
    #1 0x6ffffdf9845e in get_pnp_entities ...\wine\dlls\wbemprox\builtin.c:3295
    #2 0x6ffffdf8a53c in fill_pnpentity ...\wine\dlls\wbemprox\builtin.c:3365
    #3 0x6ffffdfa67f4 in exec_select_view ...\wine\dlls\wbemprox\query.c:708
    #4 0x6ffffdfa60ce in execute_view ...\wine\dlls\wbemprox\query.c:746
    #5 0x6ffffdfa6eba in exec_query ...\wine\dlls\wbemprox\query.c:795
    #6 0x6ffffdfb4aed in create_instance_enum ...\wine\dlls\wbemprox\services.c:495
    #7 0x6ffffdfb696b in wbem_services_CreateInstanceEnum ...\wine\dlls\wbemprox\services.c:687
    #8 0x0001400126a4 in IWbemServices_CreateInstanceEnum ...\wine-build\build-asan-pe\64\obj\include\wbemcli.h:1396
    #9 0x000140009d3a in test_Win32_PnPEntity ...\wine\dlls\wbemprox\tests\query.c:1992
    #10 0x0001400014c9 in func_query ...\wine\dlls\wbemprox\tests\query.c:2493
    #11 0x000140016eee in run_test+0xae (...\wine-build\build-asan-pe\64\obj\dlls\wbemprox\tests\x86_64-windows\wbemprox_test.exe+0x140016eee)
    #12 0x000140016a31 in main+0x471 (...\wine-build\build-asan-pe\64\obj\dlls\wbemprox\tests\x86_64-windows\wbemprox_test.exe+0x140016a31)
    #13 0x0001400183a3 in mainCRTStartup ...\wine\dlls\msvcrt\crt_main.c:58
    #14 0x6fffffc4555e in BaseThreadInitThunk ...\wine\dlls\kernel32\thread.c:61
    #15 0x6fffffdcb3da (C:\windows\system32\ntdll.dll+0x17004b3da)

SUMMARY: AddressSanitizer: heap-buffer-overflow ...\wine\dlls\wbemprox\builtin.c:3313 in get_pnp_entities
Shadow bytes around the buggy address:
  0x7f8338af4a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f8338af4a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f8338af4b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f8338af4b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f8338af4c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f8338af4c80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f8338af4d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f8338af4d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f8338af4e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f8338af4e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f8338af4f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==wbemprox_test.exe==296==ABORTING
```
From: Bernhard Übelacker bernhardu@mailbox.org
--- dlls/wbemprox/builtin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/wbemprox/builtin.c b/dlls/wbemprox/builtin.c index 04b260e8918..75f1475d11a 100644 --- a/dlls/wbemprox/builtin.c +++ b/dlls/wbemprox/builtin.c @@ -3317,7 +3317,7 @@ static struct record_pnpentity *get_pnp_entities( UINT *count ) ret[i].name = get_reg_value( key_instance, L"DeviceDesc" ); ret[i].service = get_reg_value( key_instance, L"Service" ); RegCloseKey( key_instance ); - if (++i > nb_allocated) + if (++i >= nb_allocated) { nb_allocated *= 2; if ((tmp = realloc( ret, nb_allocated * sizeof(*ret) ))) ret = tmp;
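Review bot: In the context lines directly after the changed condition, `nb_allocated *= 2;` is applied before the result of `realloc( ret, nb_allocated * sizeof(*ret) )` is known, and the failure branch lies outside this hunk. If that branch neither leaves the loop nor restores the old value, later iterations would test `++i >= nb_allocated` against a capacity the buffer never reached, and `ret[i]` could again be written past the allocation. Consider computing the doubled size in a temporary and assigning it to `nb_allocated` only once `realloc` has succeeded, or confirm that the failure path bails out. The `>=` itself is consistent with the report above, where the 8-byte write lands 0 bytes after the allocated region, i.e. at index `nb_allocated`.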
This merge request was approved by Hans Leidekker.
Hello, just for information, a bug mentions the very same line: https://bugs.winehq.org/show_bug.cgi?id=57830