WinHex 12.05 SR-14 (maybe others)

author: Darkeagle 
date  : 14.04.05
vendor: http://www.x-ways.net/

overview:

WinHex is a powerful hex editor for Win32 systems.

details:

I found a heap corruption bug in the latest version of WinHex (12.05).
When WinHex is started with a very long filename as its first command-line argument, it crashes.

Look at the code below. The first fragment is an inline byte-copy loop: it copies from [EDX] to [ECX] until it hits the source NUL terminator and never checks how large the destination is.

...
XOR EAX,EAX
MOV BL,BYTE PTR DS:[EDX+EAX]
MOV BYTE PTR DS:[ECX+EAX],BL
INC EAX
CMP BYTE PTR DS:[EDX+EAX-1],0
...

PUSH EDX                                 ; argv2 (source)      <-- the argument pointers go on the stack
PUSH EAX                                 ; argv1 (destination) <--
CALL <JMP.&kernel32.lstrcpynA>           ; lstrcpynA takes a length, but the byte-copy loop above has no bound at all

This is the bug. After the crash, the debugger shows the following registers overwritten with the argument bytes (0x61 = 'a'):

DS  = 0x61616161?
ECX = 0x61616161?
ESI = 0x61616161?

EIP now points to 0x004EF55B (WinXP SP0, Russian):

004EF55B  |. 881C01         |MOV BYTE PTR DS:[ECX+EAX],BL

So the instruction at 0x004EF55B tries to write a byte to address 0x61616161+EAX, which is unmapped, and the process dies with an access violation. Because ECX was filled from the argument bytes, the destination of this write is attacker-influenced, which is what makes the overflow more than a plain crash.
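The copy loop above and a bounded replacement for it, as an added example in C. This is not WinHex code: the 260-byte buffer, the pointer slot placed directly behind it, the starting pointer value and all function names are assumptions made to show how a 300-byte argument ends up as 0x61616161 in a pointer register.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout, not taken from WinHex: a MAX_PATH-sized filename buffer
 * followed directly by a pointer that is later loaded into ECX. */
#define PATH_BUF   260
#define FRAME_SIZE (PATH_BUF + sizeof(uint32_t))
#define SLACK      1024   /* keeps the demo's own buffers from overflowing */

/* C rendering of the inline copy loop from the disassembly:
 *   XOR EAX,EAX / MOV BL,[EDX+EAX] / MOV [ECX+EAX],BL / INC EAX / CMP [EDX+EAX-1],0
 * Copies until the source NUL; the destination size is never consulted.
 * Returns the number of bytes written, terminator included. */
size_t unbounded_copy(char *dst, const char *src)
{
    size_t i = 0;
    do {
        dst[i] = src[i];
        i++;
    } while (src[i - 1] != '\0');
    return i;
}

/* Hardened replacement: writes at most dstsz bytes, always NUL-terminates,
 * and reports truncation so the caller can reject the argument instead of
 * silently working on a clipped filename. Returns 0 if src fit, -1 if not. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0)
        return -1;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz) {                 /* no NUL inside dstsz bytes: would overflow */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Builds the kind of argument used in the advisory: n bytes of 'a' (0x61). */
void build_long_arg(char *out, size_t n)
{
    memset(out, 'a', n);
    out[n] = '\0';
}

/* Runs the unbounded copy on a fake frame and returns the 32-bit value left in
 * the pointer slot behind the buffer. With an argument longer than PATH_BUF+4
 * that slot reads 0x61616161, the value seen in ECX/ESI in the debugger. */
uint32_t overflowed_pointer_value(size_t arglen)
{
    unsigned char frame[FRAME_SIZE + SLACK];
    char arg[FRAME_SIZE + SLACK];
    uint32_t ptr = 0x00400000u;       /* assumed sane pointer before the copy */

    if (arglen >= sizeof arg)
        arglen = sizeof arg - 1;
    build_long_arg(arg, arglen);
    memset(frame, 0, sizeof frame);
    memcpy(frame + PATH_BUF, &ptr, sizeof ptr);
    unbounded_copy((char *)frame, arg);
    memcpy(&ptr, frame + PATH_BUF, sizeof ptr);
    return ptr;
}

int main(void)
{
    char dst[PATH_BUF];
    char arg[FRAME_SIZE + SLACK];

    printf("pointer slot after 100-byte arg: 0x%08x\n", overflowed_pointer_value(100));
    printf("pointer slot after 300-byte arg: 0x%08x\n", overflowed_pointer_value(300));

    build_long_arg(arg, 300);
    if (bounded_copy(dst, sizeof dst, arg) != 0)
        printf("bounded_copy: argument rejected (%zu bytes, buffer %d)\n",
               strlen(arg), PATH_BUF);
    return 0;
}
```

To reproduce against the real binary, start WinHex under a debugger with a filename argument of several hundred 'a' bytes; the same 0x61616161 pattern then shows up in the registers listed above. The fix is the pattern in bounded_copy: check the destination size before copying and refuse (or at least truncate and report) an argument that does not fit.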

(c) Darkeagle