[jira] [Commented] (XERCESC-2179) access violation in win32transservice.cpp with 64 bit compile

Mon, 04 Nov 2019 05:23:59 -0800 


    [ 
https://issues.apache.org/jira/browse/XERCESC-2179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16966649#comment-16966649
 ] 

Alberto Massari commented on XERCESC-2179:
------------------------------------------

Don't get me wrong, I'm not questioning the size of the data. I am saying that 
the code

 

unsigned long theSize;

and

DWORD theSize;

are identical, and calling RegQueryValueExA using &theSize is still creating 
the correct 64 bit pointer to a variable of the expected size.

 

As for adding the the +1, it would make a difference only when attempting to 
read a string from the registry that is exaclty 1024 characters long. In that 
case, by invoking the API with a value of 1024 (even if the buffer has been 
allocated with a storage for 1025 bytes), we would get a ERROR_MORE_DATA 
instead of a ERROR_SUCCESS. No memory overrun, just a failure to load that 
registry entry (but there should be no encoding with a name so big).

When the registry key is a number, the space for the NULL terminator is not 
added ("If the data has the REG_SZ, REG_MULTI_SZ or REG_EXPAND_SZ type, this 
size includes any terminating *null* character or characters unless the data 
was stored without them")

> access violation in win32transservice.cpp with 64 bit compile
> -------------------------------------------------------------
>
>                 Key: XERCESC-2179
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2179
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: DOM
>    Affects Versions: 3.2.2
>            Reporter: martin goodall
>            Assignee: Alberto Massari
>            Priority: Blocker
>             Fix For: 3.2.3
>
>         Attachments: Win32TransService.cpp
>
>
> calls to ::Reg... to get registry info are passing in stack variables that 
> are 8 bytes long into functions that overwrite 16 bytes, causing memory 
> overwrite and very random segs.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org

Reply via email to