Universal CRT's wcsnlen() reads past the end of the buffer.
Issue description

Dr. Memory is reporting what looks like bugs in the new Universal CRT's implementation of wcsnlen(): In this case the buffer passed to wputenv_s is valid but wcsnlen reads beyond it.

UNADDRESSABLE ACCESS beyond heap bounds: reading 0x02a662ea-0x02a662f0 6 byte(s) within 0x02a662e0-0x02a662f0
# 0 ucrtbase.dll!wcsnlen +0x160 (0x6d329500 <ucrtbase.dll+0x39500>)
# 1 ucrtbase.dll!getenv_s +0x588 (0x6d3a6639 <ucrtbase.dll+0xb6639>)
# 2 ucrtbase.dll!getenv_s +0x363 (0x6d3a6414 <ucrtbase.dll+0xb6414>)
# 3 ucrtbase.dll!getenv_s +0x238 (0x6d3a62e9 <ucrtbase.dll+0xb62e9>)
# 4 ucrtbase.dll!wputenv_s +0x28 (0x6d3a6919 <ucrtbase.dll+0xb6919>)
# 5 base::`anonymous namespace'::FileUtilTest_GetTempDirTest_Test::TestBody [base\files\file_util_unittest.cc:1661]
# 6 testing::internal::HandleExceptionsInMethodIfSupported<> [testing\gtest\src\gtest.cc:2458]
Note: @0:02:01.110 in thread 2200
Note: next higher malloc: 0x02a66320-0x02a66340
Note: refers to 0 byte(s) beyond last valid byte in prior malloc
Note: prev lower malloc: 0x02a662a0-0x02a662ea
Note: instruction: movaps (%edx) -> %xmm0
Mar 18 2016
Mar 19 2016
Issue 596208 has been merged into this issue.
Mar 19 2016
Optimized string routines often take such steps for better performance. Dr. Memory is already avoiding false positives like this in other string routines by replacing them with simpler versions. The issue here is that wcsnlen was not being replaced with the others. Xref https://github.com/DynamoRIO/drmemory/issues/350 and https://github.com/DynamoRIO/drmemory/issues/1869.
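The over-read in the report and a simpler replacement of the kind this comment describes, as an added example that is not part of the original thread and is not Dr. Memory's or the UCRT's code. All function names are hypothetical; the sketch assumes 16-bit wide characters (modelled with uint16_t), 4 KiB pages, and a vectorized routine that loads aligned 16-byte blocks, which matches the movaps instruction in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VEC_BYTES 16u    /* width of the movaps load shown in the report */
#define PAGE_BYTES 4096u /* assumed x86 page size */
typedef uint16_t wch;    /* stand-in for 16-bit Windows wchar_t (assumption) */

/* Element-at-a-time length: s[i] is read only after i < maxlen is checked,
 * and the loop stops at the terminator, so no byte outside the buffer is touched. */
size_t simple_wcsnlen(const wch *s, size_t maxlen)
{
    size_t i = 0;
    while (i < maxlen && s[i] != 0)
        i++;
    return i;
}

/* Start of the aligned 16-byte block a vectorized routine loads to examine addr. */
uintptr_t aligned_block(uintptr_t addr)
{
    return addr & ~(uintptr_t)(VEC_BYTES - 1);
}

/* Bytes of that block lying at or beyond alloc_end (one past the last valid
 * byte). Precondition: addr is inside the allocation, so addr < alloc_end. */
size_t overread_bytes(uintptr_t addr, uintptr_t alloc_end)
{
    uintptr_t block_end = aligned_block(addr) + VEC_BYTES;
    return block_end > alloc_end ? (size_t)(block_end - alloc_end) : 0;
}

/* An aligned block never straddles a page boundary, so the over-read cannot
 * fault in hardware; only a heap-bounds checker notices it. */
int block_stays_in_page(uintptr_t addr)
{
    uintptr_t start = aligned_block(addr);
    return start / PAGE_BYTES == (start + VEC_BYTES - 1) / PAGE_BYTES;
}

int main(void)
{
    /* Addresses from the report: allocation ends at 0x02a662ea. */
    printf("block start: 0x%08lx\n", (unsigned long)aligned_block(0x02a662e8u));
    printf("over-read:   %zu bytes\n", overread_bytes(0x02a662e8u, 0x02a662eau));
    return 0;
}
```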
Mar 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/236662f34717e607aaa942eef49853cd1be21f33

commit 236662f34717e607aaa942eef49853cd1be21f33
Author: bruening <bruening@chromium.org>
Date: Sun Mar 20 04:44:32 2016

Update Dr. Memory to 1.10.16880 (0xe299f42)

TBR=zhaoqin@chromium.org, oshima@chromium.org
BUG=440500, 595792, 594614, 595158
NOTRY=true

Review URL: https://codereview.chromium.org/1820683002
Cr-Commit-Position: refs/heads/master@{#382214}

[modify] https://crrev.com/236662f34717e607aaa942eef49853cd1be21f33/third_party/drmemory/README.chromium
[modify] https://crrev.com/236662f34717e607aaa942eef49853cd1be21f33/third_party/drmemory/drmemory-windows-sfx.exe.sha1
Mar 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/899620623be8f7b5004cea13f7da96ff7ca80c27

commit 899620623be8f7b5004cea13f7da96ff7ca80c27
Author: bruening <bruening@chromium.org>
Date: Sun Mar 20 13:37:54 2016

Remove Dr. Memory suppressions and exclusions that are no longer needed.

Remove the suppressions and exclusions put in place to work around Dr. Memory bugs that are now fixed.

BUG=594614, 594618, 594785, 594618, 594808, 595158, 595490
TBR=reillyg,oshima
NOTRY=true

Review URL: https://codereview.chromium.org/1817853002
Cr-Commit-Position: refs/heads/master@{#382222}

[modify] https://crrev.com/899620623be8f7b5004cea13f7da96ff7ca80c27/tools/valgrind/drmemory/suppressions_full.txt
[modify] https://crrev.com/899620623be8f7b5004cea13f7da96ff7ca80c27/tools/valgrind/gtest_exclude/unit_tests.gtest-drmemory_win32.txt
Mar 20 2016
Comment 1 by bugdroid1@chromium.org, Mar 15 2016