https://bugs.winehq.org/show_bug.cgi?id=54564

Jinoh Kang <jinoh.kang.kr(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
    Regression SHA1|                            |586e31a1e6e524e593897285a82b90a08303db33

--- Comment #1 from Jinoh Kang <jinoh.kang.kr(a)gmail.com> ---
The following diagnosis has been performed based on Wine commit
15b176b4f4945d7abfb4adbddc7f140ba1765855.

Symptom:

As of Wine 8.2 (but going as far back as 5.20), ME_MoveCursorWords can
produce an invalid cursor which eventually causes a NULL pointer dereference
in the same function via user trigger.

Background:

- A ME_Cursor instance represents a specific position inside the rich text
  document being edited. A valid ME_Cursor maintains the invariant that
  `pRun` is a child of `pPara`.

- ME_MoveCursorWords is a function that implements cursor motion in "word
  units." As part of its implicit contract, it should produce a valid
  ME_Cursor via the `cursor` output parameter.

Diagnosis:

- ME_MoveCursorWords violates the contract w.r.t. the `cursor` output
  parameter in the "forward movement" case.

- When `other_run` is NULL, ME_MoveCursorWords re-assigns the `para`
  variable but leaves `run` as-is. This re-assignment makes `run` stale
  (semantically), and disrupts the previously established invariant that
  `run` should be a child of `para`. The `run` and `para` values are later
  copied to `cursor->pRun` and `cursor->pPara`, causing the contract
  violation.

- This is a regression. The first revision that introduces this breakage is
  commit 586e31a1e6e524e593897285a82b90a08303db33.
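The invariant violation described in the diagnosis, reproduced as an added example against a simplified paragraph/run model (not Wine's riched20 structures or its actual fix): the buggy forward step advances `para` without re-seating `run`, a `cursor_is_valid` check catches the stale cursor, and a hypothetical corrected step re-seats `run` on the new paragraph's first run.

```c
#include <stddef.h>
#include <stdbool.h>

/* Simplified model (constructed, not Wine's real types): a paragraph owns a
 * NULL-terminated chain of runs; a cursor points at one run of one paragraph. */
typedef struct run { struct run *next; } run;
typedef struct para { struct para *next; run *first_run; } para;
typedef struct { para *pPara; run *pRun; } cursor;

/* The invariant a valid cursor must keep: pRun is a child of pPara. */
bool cursor_is_valid(const cursor *c)
{
    if (!c->pPara || !c->pRun) return false;
    for (const run *r = c->pPara->first_run; r; r = r->next)
        if (r == c->pRun) return true;
    return false;
}

/* Buggy forward step mirroring the diagnosis: when there is no following run
 * (other_run == NULL), para is re-assigned but run is left stale. */
void move_forward_buggy(cursor *c)
{
    para *p = c->pPara; run *r = c->pRun;
    run *other_run = r->next;
    if (!other_run) p = p->next;   /* run not updated: invariant broken */
    else r = other_run;
    c->pPara = p; c->pRun = r;     /* stale run copied into the cursor */
}

/* Hypothetical corrected step: on crossing a paragraph boundary, re-seat run
 * on the first run of the new paragraph; at end of document, leave cursor. */
bool move_forward_fixed(cursor *c)
{
    para *p = c->pPara; run *r = c->pRun;
    run *other_run = r->next;
    if (!other_run) {
        if (!p->next) return false;
        p = p->next; r = p->first_run;
    } else r = other_run;
    c->pPara = p; c->pRun = r;
    return true;
}

/* Constructed document: two paragraphs with one run each. Returns 1 when the
 * buggy step yields an invalid cursor and the fixed step a valid one. */
int demo(void)
{
    run r2 = { NULL }, r1 = { NULL };
    para p2 = { NULL, &r2 }, p1 = { &p2, &r1 };
    cursor c = { &p1, &r1 };
    move_forward_buggy(&c);
    int buggy_invalid = !cursor_is_valid(&c) && c.pPara == &p2 && c.pRun == &r1;
    c.pPara = &p1; c.pRun = &r1;
    int fixed_ok = move_forward_fixed(&c) && cursor_is_valid(&c)
                   && c.pPara == &p2 && c.pRun == &r2;
    return buggy_invalid && fixed_ok;
}
```

A `cursor_is_valid`-style assertion at the exit of the real move routine is the cheapest way to turn this class of stale-pointer bug into an immediate, attributable failure instead of a later NULL dereference.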