
Access violation (AV) in CAtlRegExp

description

#include <stdio.h>
#include <string.h>
#include <tchar.h>

#include <atlbase.h>
#include <atlstr.h>
#include <atlrx.h>

 
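// Minimal repro for an out-of-bounds read in CAtlRegExp::Match.
//
// Layout: a 16 KiB block whose second 8 KiB page is made inaccessible. A
// zero-length C string is placed 8 bytes before the guard page, followed by
// 7 non-NUL bytes, so the terminator at s[0] is the last NUL before the
// no-access page. A reader that stops at the terminator (printf) is fine;
// a reader that looks past it touches the guard page and faults.
//
// argc/argv are unused. Returns 0 if the scenario ran, 1 if the fixture
// could not be set up (allocation, protection or regex parse failure).
int _tmain(int argc, _TCHAR* argv[])
{
    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    const SIZE_T kPage = 8192;

    // Reserve and commit both pages at once; the block is readable/writable.
    char* p = static_cast<char*>(::VirtualAlloc(NULL, 2 * kPage, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE));
    if (p == NULL)
    {
        printf("VirtualAlloc failed: %lu\n", ::GetLastError());
        return 1;
    }

    // Make the second page a guard: any access to p[kPage..] faults.
    DWORD old = 0;
    if (!::VirtualProtect(p + kPage, kPage, PAGE_NOACCESS, &old))
    {
        printf("VirtualProtect failed: %lu\n", ::GetLastError());
        ::VirtualFree(p, 0, MEM_RELEASE);
        return 1;
    }

    // Empty string 8 bytes before the guard page, followed by non-NUL garbage
    // that runs right up to the page boundary (no second terminator).
    char* s = p + kPage - 8;
    *s = '\0';
    memcpy(s + 1, "abcdefg", 7);

    // A correct consumer of a NUL-terminated string never reads past s[0].
    printf("An empty string '%s'", s);
    fflush(stdout); // make the line visible even if the next call faults

    // CAtlRegExp reads beyond the terminator and hits the guard page.
    CAtlRegExp<CAtlRECharTraitsA> rx;
    if (rx.Parse("aaaaaabbbbcccc") != REPARSE_ERROR_OK)
    {
        printf("Parse failed\n");
        ::VirtualFree(p, 0, MEM_RELEASE);
        return 1;
    }
    CAtlREMatchContext<CAtlRECharTraitsA> ctx;
    rx.Match(s, &ctx); // faults here on affected ATL versions

    // This was seen with a CString whose buffer happened to be laid out this
    // way under the standard memory manager, so any application that feeds
    // CAtlRegExp a string ending near a page boundary may hit it.
    ::VirtualFree(p, 0, MEM_RELEASE);
    return 0;
}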

comments