Erlang/OTP
http://erlang.org
Apache License 2.0

Crash in win32reg:value() for some strange values stored in windows registry #8903

Open prefiks opened 6 days ago

prefiks commented 6 days ago

I observed a whole emulator crash (the erl process was killed by the stack overflow protection code) when win32reg:value() was called to retrieve a registry key of type REG_SZ whose value had length 0 (it was a string value that was missing the nul at the end).

The crash seems to be a result of this line: https://github.com/erlang/otp/blob/master/erts/emulator/drivers/win32/registry_drv.c#L377, which tries to unconditionally strip the nul character from the value retrieved from the registry, but with a value length of 0 like in my case, this leads to passing MAXINT to memcpy later, and the process aborting when trying to write past the end of the stack.

The documentation for RegQueryValueExA, which is used to retrieve those values, mentions this:

If the data has the REG_SZ, REG_MULTI_SZ or REG_EXPAND_SZ type, the string may not have been stored with the proper terminating null characters. Therefore, even if the function returns ERROR_SUCCESS, the application should ensure that the string is properly terminated before using it; otherwise, it may overwrite a buffer.

To Reproduce: I didn't manage to find a way to put a non-nul-terminated string in the registry, so I can't give code that can be used to reproduce it; I am not sure how that value was introduced on the system where this crash happens.

Expected behavior: No crash.
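The length underflow described in this report, as an added C example that is not part of the issue or of OTP's registry_drv.c: the `reg_value` struct simulates the byte buffer and DWORD byte count that RegQueryValueExA returns (constructed inline, no Windows API is called), and `naive_sz_len` shows the unconditional strip beside `safe_sz_len`/`copy_sz`, which only drop a terminator that is actually present and always produce a bounded, nul-terminated string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated RegQueryValueExA result for a REG_SZ value: the raw bytes plus
 * the DWORD byte count it reported. Constructed for this example only. */
typedef struct {
    const unsigned char *data;
    uint32_t cb;
} reg_value;

/* Unconditional strip, as the issue describes: assumes the last byte is a nul.
 * For cb == 0 the unsigned subtraction wraps to UINT32_MAX, the size memcpy sees. */
uint32_t naive_sz_len(const reg_value *v)
{
    return v->cb - 1;
}

/* Hardened version: drop a terminator only if one is actually present,
 * so the result can never exceed cb. */
uint32_t safe_sz_len(const reg_value *v)
{
    uint32_t len = v->cb;
    if (len > 0 && v->data[len - 1] == '\0')
        len--;
    return len;
}

/* Bounded copy that always nul-terminates, as the RegQueryValueExA docs ask. */
uint32_t copy_sz(const reg_value *v, char *dst, size_t dst_size)
{
    uint32_t len = safe_sz_len(v);
    if (dst_size == 0) return 0;
    if (len > dst_size - 1) len = (uint32_t)(dst_size - 1);
    memcpy(dst, v->data, len);
    dst[len] = '\0';
    return len;
}

int main(void)
{
    static const unsigned char noterm[3] = { 'a', 'b', 'c' }; /* stored without nul */
    reg_value missing = { noterm, sizeof noterm }, empty = { noterm, 0 };
    char buf[8];
    printf("naive(empty)=%u safe(empty)=%u\n",
           (unsigned)naive_sz_len(&empty), (unsigned)safe_sz_len(&empty));
    copy_sz(&missing, buf, sizeof buf);
    printf("copy(missing)=\"%s\"\n", buf);
    return 0;
}
```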

jhogberg commented 3 days ago

Thanks for your report, https://github.com/jhogberg/otp/tree/john/erts/fix-win32-sz/GH-8903/OTP-19283 ought to fix it but we haven't got a Windows machine to test on at the moment. Could you try it out? :-)

prefiks commented 3 days ago

Yes, this fixed this problem in my tests.