Hi Jacek, thanks, I missed the fact this is actually WINE code. I'll send the patch there, thanks!
- Raphael

On Sat., 2 Apr. 2022 at 15:02, Jacek Caban <ja...@codeweavers.com> wrote:
>
> Hi Raphael,
>
> On 4/2/22 13:22, Raphael Isemann wrote:
> > The attached patch fixes an uninitialized read from memory in
> > `union_memsize`.
> >
> > The summary of how the bug happens is:
> >
> > 1. union_memsize gets called with a pointer to uninitialized `dummy`.
> > ```
> > static unsigned int write_union_tfs(FILE *file, const attr_list_t *attrs,
> >                                     type_t *type, unsigned int *tfsoff)
> > {
> >     [...]
> >     unsigned int dummy;
> >     [...]
> >     size = union_memsize(fields, &dummy);
> > ```
> >
> > 2. `union_memsize` reads `pmaxa` (which points to dummy) to set the
> > initial value of align.
> >
> > ```
> > static unsigned int union_memsize(const var_list_t *fields, unsigned
> > int *pmaxa) {
> >     unsigned int size, maxs = 0;
> >     unsigned int align = *pmaxa;
> >     const var_t *v;
> >
> >     if (fields) LIST_FOR_EACH_ENTRY( v, fields, const var_t, entry )
> >     {
> >         /* we could have an empty default field with NULL type */
> >         if (v->declspec.type)
> >         {
> >             size = type_memsize_and_alignment(v->declspec.type, &align);
> >             if (maxs < size) maxs = size;
> >             if (*pmaxa < align) *pmaxa = align;
> >         }
> >     }
> > ```
> >
> > The rest of the code in `type_memsize_and_alignment` works with that
> > uninitialized alignment value. If the uninitialized memory happens to
> > represent a larger uint than the actual max size of the union, then
> > that value is printed in the result.
>
>
> Thanks for the patch. We import widl from Wine with as few changes as
> possible. Please send the patch to Wine:
>
> https://wiki.winehq.org/Submitting_Patches
>
>
> Thanks,
> Jacek

_______________________________________________
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
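The data flow Raphael describes, as an added example that is not code from the thread, from Wine or from the attached patch. It is a reduced model: each union arm is collapsed to a (size, alignment) pair instead of a widl type, `arm_memsize_and_alignment` stands in for `type_memsize_and_alignment`, and the final rounding of the union size to its alignment is an assumption made so that the effect of the initial `*pmaxa` value is visible in the returned size. Because reading a genuinely uninitialized variable is undefined behaviour and cannot be reproduced deterministically, the caller's `dummy` is seeded explicitly with the value that happens to be "on the stack".

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for a union arm: the memsize and natural alignment
 * of the arm's type (assumption, not widl's var_t / type_t). */
typedef struct {
    unsigned int size;
    unsigned int align;
} arm_t;

/* Model of type_memsize_and_alignment: reports the arm's size and raises
 * *align if the arm is more strictly aligned. *align is an in/out value,
 * which is exactly why an uninitialized caller variable is dangerous. */
static unsigned int arm_memsize_and_alignment(const arm_t *a, unsigned int *align)
{
    if (*align < a->align) *align = a->align;
    return a->size;
}

/* Round size up to a multiple of align (align assumed to be a power of two). */
static unsigned int round_size(unsigned int size, unsigned int align)
{
    return (size + align - 1) & ~(align - 1);
}

/* Model of union_memsize: the starting alignment is read from *pmaxa before
 * any arm has been looked at. If the caller never wrote *pmaxa, this is the
 * uninitialized read from the mail. */
static unsigned int union_memsize(const arm_t *arms, size_t n, unsigned int *pmaxa)
{
    unsigned int size, maxs = 0;
    unsigned int align = *pmaxa;

    for (size_t i = 0; i < n; i++)
    {
        size = arm_memsize_and_alignment(&arms[i], &align);
        if (maxs < size) maxs = size;
        if (*pmaxa < align) *pmaxa = align;
    }
    /* Assumption for the model: the union's size is padded to its alignment,
     * so a garbage alignment larger than maxs propagates into the result. */
    return round_size(maxs, *pmaxa);
}

/* Model of the write_union_tfs call site. `seed` plays the role of whatever
 * the uninitialized `dummy` happened to contain; seeding it with 0 models
 * the obvious fix of initializing the variable before the call. */
static unsigned int union_size_with_initial(const arm_t *arms, size_t n, unsigned int seed)
{
    unsigned int dummy = seed;
    return union_memsize(arms, n, &dummy);
}

/* Constructed sample union: arms of a char, a short and a 64-bit integer. */
static const arm_t sample_arms[] = { {1, 1}, {2, 2}, {8, 8} };
#define SAMPLE_N (sizeof sample_arms / sizeof sample_arms[0])

/* dummy initialized to 0: size is the largest arm, 8. */
unsigned int sample_size_clean(void)
{
    return union_size_with_initial(sample_arms, SAMPLE_N, 0);
}

/* dummy holding stale stack contents 0x40: the garbage alignment wins and
 * the reported size becomes 64, larger than any arm. */
unsigned int sample_size_garbage(void)
{
    return union_size_with_initial(sample_arms, SAMPLE_N, 0x40);
}

int main(void)
{
    printf("dummy = 0:    union size %u\n", sample_size_clean());
    printf("dummy = 0x40: union size %u\n", sample_size_garbage());
    return 0;
}
```

To find the real instance rather than the model, build widl with MemorySanitizer (`clang -fsanitize=memory`) or run it under Valgrind's memcheck; both report the conditional use of the uninitialized value at the `if (*pmaxa < align)` comparison instead of silently emitting a wrong size.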