Skip to content

gh-142282 Fix winreg_QueryValueEx_impl to use retSize #142283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
youknowone wants to merge 2 commits into
base: main
Choose a base branch
from
Open

gh-142282 Fix winreg_QueryValueEx_impl to use retSize #142283

youknowone wants to merge 2 commits into from

Conversation

@youknowone
Copy link
Contributor

@youknowone youknowone commented Dec 5, 2025
edited by bedevere-app bot
Loading

@youknowone
pythongh-142282 Fix winreg_QueryValueEx_impl to use retSize
fb434ba 
retSize was ignored
bufSize is the size of buffer including uninitializd buffers.
@youknowone youknowone requested a review from a team as a code owner December 5, 2025 07:41
@bedevere-app bedevere-app bot mentioned this pull request Dec 5, 2025
Open
sergey-miryanov
sergey-miryanov reviewed Dec 5, 2025
View reviewed changes
PC/winreg.c
"RegQueryValueEx");
}
obData = Reg2Py(retBuf, bufSize, typ);
obData = Reg2Py(retBuf, retSize, typ);
Copy link
Contributor

@sergey-miryanov sergey-miryanov Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure it is safe change according to the warning from the documentation:

If the value being queried is a string (REG_SZ, REG_MULTI_SZ, and REG_EXPAND_SZ) the value returned is NOT guaranteed to be null-terminated.

https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexw

Copy link
Contributor Author

@youknowone youknowone Dec 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it even better to use retSize in that case because retSize is the actual size of returned value and bufSize is not?
If the value is not guaranteed to be null-terminated, Reg2Py is able to actually access to the garbage memory beyond retSize

Copy link
Contributor

@sergey-miryanov sergey-miryanov Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, you are right - it will work properly. Moreover, I checked Reg2Py and for REG_BINARY your fix will be work better than before.

Copy link
Contributor

@sergey-miryanov sergey-miryanov Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then I would suggest adding a news entry.

serhiy-storchaka
serhiy-storchaka reviewed Dec 5, 2025
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current code works in most cases, because the size of the buffer is determined by the previous call of RegQueryValueExW(). But this will not work in case of race condition, when the value was change between the RegQueryValueExW() calls. Please mention race condition in the NEWS entry.

It would also be nice to add tests. Try to write different values (perhaps b'ham' and b'spam' would be enough) in one thread while simultaneously reading them in other thread and checking the the result is one of possible written value. If it fails with unpatched code and passes with patched code, then we have a working test. If this does not work, try something other. In worst case, if it is too difficult to reproduce the bug, we can accept the fix without working test.

@youknowone
Copy link
Contributor Author

youknowone commented Dec 5, 2025

@serhiy-storchaka Isn't it also possible when rc == ERROR_MORE_DATA hits? That will be easier to check. Unfortunately I know barely nothing about windows api. How it will be?

@serhiy-storchaka
Copy link
Member

serhiy-storchaka commented Dec 5, 2025

I think that rc == ERROR_MORE_DATA only hits when there is a race condition. So, the code was already written to handle race condition, it just contains a bug, but since this was not tested, it was not discovered until your report.

aisk
aisk reviewed Dec 5, 2025
View reviewed changes
Misc/NEWS.d/next/Core_and_Builtins/2025-12-05-18-26-50.gh-issue-142282.g6RQUN.rst
@@ -0,0 +1 @@
Fix winreg.QueryValueEx not to accidently read garbage buffer
Copy link
Contributor

@aisk aisk Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Fix winreg.QueryValueEx not to accidently read garbage buffer
Fix :func:`winreg.QueryValueEx` to not accidentally read garbage buffer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sergey-miryanov sergey-miryanov sergey-miryanov left review comments

@aisk aisk aisk left review comments

@serhiy-storchaka serhiy-storchaka serhiy-storchaka left review comments

Assignees

No one assigned

Labels

awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@youknowone @serhiy-storchaka @sergey-miryanov @aisk