Project: Core ReactOS
Issue: CORE-9739

xmllite: Reading outside of buffer


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: Wine

    Description

      readerinput_get_utf8_convlen (dll/win32/xmllite/reader.c:741):

      buffer->written is sometimes 0, so buffer->data[len-1] ends up reading before the buffer. The function may then return either 0 or a negative number.


      Discovered this with the wine test xmllite:reader with dph enabled. The test causes an access violation:

      ChildEBP RetAddr  
      0012fd38 7059288b msvcrt!memmove+0x3d
      0012fd50 70592be0 xmllite!readerinput_shrinkraw(struct xmlreaderinput * readerinput = 0x00479fd8, int len = 0n-1)+0x4b [d:\reactos\reactos\dll\win32\xmllite\reader.c @ 783]
      0012fd80 70592c46 xmllite!reader_more(struct xmlreader * reader = 0x0045af70)+0x130 [d:\reactos\reactos\dll\win32\xmllite\reader.c @ 873]
      0012fd94 7059464d xmllite!reader_get_ptr(struct xmlreader * reader = 0x0045af70)+0x36 [d:\reactos\reactos\dll\win32\xmllite\reader.c @ 887]
      0012fdac 70596376 xmllite!reader_parse_misc(struct xmlreader * reader = 0x0045af70)+0xed [d:\reactos\reactos\dll\win32\xmllite\reader.c @ 1509]
      0012fdc4 70596c56 xmllite!reader_parse_nextnode(struct xmlreader * reader = 0x0045af70)+0x156 [d:\reactos\reactos\dll\win32\xmllite\reader.c @ 2350]
      0012fddc 70597373 xmllite!xmlreader_Read(struct IXmlReader * iface = 0x0045af70, XmlNodeType * nodetype = 0x0012fdec)+0x86 [d:\reactos\reactos\dll\win32\xmllite\reader.c @ 2571]
      0012fe00 00404c70 xmllite!xmlreader_GetValue(struct IXmlReader * iface = 0x0045af70, wchar_t ** value = 0x0012fe5c, unsigned int * len = 0x0012fe60)+0xb3 [d:\reactos\reactos\dll\win32\xmllite\reader.c @ 2710]
      0012fe70 00408d3c xmllite_winetest!test_read_comment(void)+0x4b0 [d:\reactos\reactos\modules\rostests\winetests\xmllite\reader.c @ 940]
      0012fe78 0040cc9c xmllite_winetest!func_reader(void)+0x2c [d:\reactos\reactos\modules\rostests\winetests\xmllite\reader.c @ 1797]
      0012fe90 0040cf1a xmllite_winetest!run_test(char * name = 0x00465ff8 "reader")+0x8c [d:\reactos\reactos\include\reactos\wine\test.h @ 636]
      0012ff1c 0040d45a xmllite_winetest!main(int argc = 0n2, char ** argv = 0x00462ff8)+0x18a [d:\reactos\reactos\include\reactos\wine\test.h @ 683]
      0012ffb4 0040d4ef xmllite_winetest!__tmainCRTStartup(void)+0x25a [d:\reactos\reactos\lib\sdk\crt\startup\crtexe.c @ 310]
      0012ffc0 77d8f577 xmllite_winetest!mainCRTStartup(void)+0x1f [d:\reactos\reactos\lib\sdk\crt\startup\crtexe.c @ 196]
      0012fff0 00000000 kernel32!BaseProcessStartup(<function> * lpStartAddress = 0x0040d4d0)+0x57 [d:\reactos\reactos\dll\win32\kernel32\client\proc.c @ 478]

      memmove is called with count=-1 (the return value of readerinput_get_utf8_convlen).
      With dph disabled, count=0, so there is no access violation.

      CC'ing thfabba?
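
      Added example (not Wine's or ReactOS's code): a hypothetical stand-in for the two helpers named in the report, written to show the guard the description says is missing. utf8_complete_prefix_len models the "UTF-8 conversion length" computation and returns 0 for an empty buffer instead of indexing data[len-1] when len is 0; shrink_raw models the shrink step and rejects a negative or oversized count before it reaches memmove, where -1 would become SIZE_MAX. Function names, signatures and the sample inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the UTF-8 "conversion length" helper described
 * in the report (not Wine's or ReactOS's code): given `written` bytes of
 * UTF-8 in `data`, return how many leading bytes form complete characters,
 * so a trailing partial multibyte sequence is kept back until more input
 * arrives. */
size_t utf8_complete_prefix_len(const unsigned char *data, size_t written)
{
    size_t len = written;
    size_t start;
    unsigned char lead;
    size_t need;

    /* The guard the report says is missing: with written == 0 an unguarded
     * data[len - 1] indexes data[-1], one byte before the buffer, and the
     * result (0 or negative) later reaches memmove as a huge size_t. */
    if (len == 0)
        return 0;

    /* Last byte is ASCII (0xxxxxxx): every character present is complete. */
    if (!(data[len - 1] & 0x80))
        return len;

    /* Walk back over continuation bytes (10xxxxxx) to the lead byte. */
    start = len - 1;
    while (start > 0 && (data[start] & 0xC0) == 0x80)
        start--;

    lead = data[start];
    if ((lead & 0xC0) != 0xC0) {
        /* No lead byte found: stray continuation bytes. Hand them through
         * so the converter reports them instead of the reader stalling. */
        return len;
    }

    /* Sequence length announced by the lead byte. */
    if ((lead & 0xE0) == 0xC0)      need = 2;
    else if ((lead & 0xF0) == 0xE0) need = 3;
    else if ((lead & 0xF8) == 0xF0) need = 4;
    else                            need = 1;   /* invalid lead: pass through */

    /* Complete only if all `need` bytes are already present. */
    return (len - start >= need) ? len : start;
}

/* Hypothetical bounded version of the "shrink raw buffer" step: drop the
 * first `count` bytes. A count the buffer cannot satisfy (negative, or more
 * than is written) is rejected instead of being passed to memmove, where
 * -1 would become SIZE_MAX. Returns 0 on success, -1 on rejection. */
int shrink_raw(unsigned char *data, size_t *written, long count)
{
    if (count < 0 || (size_t)count > *written)
        return -1;
    memmove(data, data + count, *written - (size_t)count);
    *written -= (size_t)count;
    return 0;
}

/* Runs shrink_raw on a constructed 4-byte buffer ("<a/>") and returns the
 * bytes still written afterwards; a rejected count leaves it at 4. */
size_t shrink_demo(long count)
{
    unsigned char buf[8] = "<a/>";   /* constructed sample input */
    size_t written = 4;
    shrink_raw(buf, &written, count);
    return written;
}

int main(void)
{
    /* Constructed inputs: complete ASCII, a cut-off 2-byte char, empty. */
    printf("%zu\n", utf8_complete_prefix_len((const unsigned char *)"abc", 3));
    printf("%zu\n", utf8_complete_prefix_len((const unsigned char *)"ab\xC3", 3));
    printf("%zu\n", utf8_complete_prefix_len((const unsigned char *)"", 0));
    printf("%zu\n", shrink_demo(-1));   /* rejected, buffer unchanged */
    printf("%zu\n", shrink_demo(2));    /* two bytes consumed */
    return 0;
}
```

      The two checks are independent: the first stops the out-of-bounds read at its source, the second keeps a bad length from ever reaching memmove, which is the layer where the crash in the trace above actually surfaces.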

      People

        bug zilla Bug Zilla
        alvinhochun Alvin Wong