[Bug 54564] New: Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph
https://bugs.winehq.org/show_bug.cgi?id=54564

Bug ID: 54564
Summary: Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph
Product: Wine
Version: 8.2
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: richedit
Assignee: wine-bugs(a)winehq.org
Reporter: jinoh.kang.kr(a)gmail.com
CC: huw(a)codeweavers.com
Distribution: ---

Rich Edit crashes with a NULL dereference when Ctrl+Right is pressed past the final paragraph.

Steps to reproduce:
1. Open Wordpad.
2. Press "A".
3. Press Home or Left.
4. Press Ctrl+Right.
5. Press Ctrl+Right.

Expected behaviour: Wine doesn't crash.

Actual behaviour: Wine crashes inside `para_next`, because `ME_MoveCursorWords` tries to fetch `next_para` of a NULL paragraph pointer.

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=54564

Jinoh Kang <jinoh.kang.kr(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
    Regression SHA1|                            |586e31a1e6e524e593897285a82b90a08303db33

--- Comment #1 from Jinoh Kang <jinoh.kang.kr(a)gmail.com> ---
The following diagnosis has been performed based on Wine commit 15b176b4f4945d7abfb4adbddc7f140ba1765855.

Symptom:
As of Wine 8.2 (but going as far back as 5.20), ME_MoveCursorWords can produce an invalid cursor which eventually causes a NULL pointer dereference in the same function via user trigger.

Background:
- A ME_Cursor instance represents a specific position inside the rich text document being edited. A valid ME_Cursor maintains the invariant that `pRun` is a child of `pPara`.
- ME_MoveCursorWords is a function that implements cursor motion in "word units." As part of its implicit contract, it should produce a valid ME_Cursor via the `cursor` output parameter.

Diagnosis:
- ME_MoveCursorWords violates the contract w.r.t. the `cursor` output parameter in the "forward movement" case.
- When `other_run` is NULL, ME_MoveCursorWords re-assigns the `para` variable but leaves `run` as-is. This re-assignment makes `run` stale (semantically), and disrupts the previously established invariant that `run` should be a child of `para`. The `run` and `para` values are later copied to `cursor->pRun` and `cursor->pPara`, causing the contract violation.
- This is a regression. The first revision that introduces this breakage is commit 586e31a1e6e524e593897285a82b90a08303db33.
https://bugs.winehq.org/show_bug.cgi?id=54564

Jinoh Kang <jinoh.kang.kr(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |regression, source

--- Comment #2 from Jinoh Kang <jinoh.kang.kr(a)gmail.com> ---
Another symptom of this issue is that the cursor may "float around" if pressing Ctrl+Right while the cursor was at the end of the paragraph, since pPara points to the next paragraph but pRun points to a run in the first paragraph.
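Added illustration of the stale-`run` pattern diagnosed in Comment #1 and the "floating cursor" symptom in Comment #2 (example code written for this page, not Wine's richedit source): a constructed toy paragraph/run model, the pRun-is-child-of-pPara invariant check, the buggy move beside a re-seated variant, and the two Ctrl+Right presses from the report. The type names (`para_t`, `run_t`, `cursor_t`) and functions (`cursor_is_valid`, `move_forward_buggy`, `move_forward_fixed`, `valid_moves`) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed toy model (not Wine's real structures): each paragraph owns
   a singly linked list of runs, and each run points back to its paragraph. */
typedef struct para para_t;
typedef struct run { struct run *next_run; para_t *para; } run_t;
struct para { para_t *next_para; run_t *first_run; };
typedef struct { para_t *pPara; run_t *pRun; } cursor_t;

/* Cursor invariant from the report: pRun must be a child of pPara. */
bool cursor_is_valid(const cursor_t *c) {
    return c->pPara && c->pRun && c->pRun->para == c->pPara;
}

/* Pattern the report diagnoses: when other_run is NULL the paragraph is
   advanced but run is left stale, so the stored cursor breaks the invariant. */
void move_forward_buggy(cursor_t *c) {
    para_t *para = c->pPara;
    run_t *run = c->pRun, *other_run = run->next_run;
    if (!other_run) para = para->next_para;   /* run is not re-seated */
    else run = other_run;
    c->pPara = para; c->pRun = run;           /* pPara may even be NULL now */
}

/* Hardened variant (written here, not the Wine fix): re-seat run on the
   new paragraph and refuse to move past the final paragraph. */
bool move_forward_fixed(cursor_t *c) {
    para_t *para = c->pPara;
    run_t *run = c->pRun, *other_run = run->next_run;
    if (!other_run) {
        if (!(para = para->next_para)) return false;  /* end of document */
        run = para->first_run;
    } else run = other_run;
    c->pPara = para; c->pRun = run;
    return true;
}

/* Two Ctrl+Right presses from the start of a two-paragraph document with
   one run per paragraph; returns how many moves left a valid cursor. */
int valid_moves(bool use_fixed) {
    run_t r[2] = { { NULL, NULL }, { NULL, NULL } };
    para_t p[2] = { { NULL, &r[0] }, { NULL, &r[1] } };
    cursor_t c = { &p[0], &r[0] };
    r[0].para = &p[0]; r[1].para = &p[1]; p[0].next_para = &p[1];
    for (int i = 0; i < 2; i++) {
        if (use_fixed) move_forward_fixed(&c); else move_forward_buggy(&c);
        if (!cursor_is_valid(&c)) return i;
    }
    return 2;
}
```

With the buggy move the very first press leaves pPara on paragraph 2 while pRun still belongs to paragraph 1 (the floating cursor), and a second press would then write a NULL pPara; the re-seated variant keeps the cursor valid through both presses.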
https://bugs.winehq.org/show_bug.cgi?id=54564

Jinoh Kang <jinoh.kang.kr(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |7e28fa5c558f1417f8f033cb843424778bbfb8b8
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from Jinoh Kang <jinoh.kang.kr(a)gmail.com> ---
Fixed in 7e28fa5c558f1417f8f033cb843424778bbfb8b8.
https://bugs.winehq.org/show_bug.cgi?id=54564

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 8.3.
https://bugs.winehq.org/show_bug.cgi?id=54564

Michael Stefaniuc <mstefani(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |8.0.x
https://bugs.winehq.org/show_bug.cgi?id=54564

Michael Stefaniuc <mstefani(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|8.0.x                       |---

--- Comment #5 from Michael Stefaniuc <mstefani(a)winehq.org> ---
Removing the 8.0.x milestone from bug fixes included in 8.0.1.