[Bug 57929] New: Illegal pointer may be dereferenced
https://bugs.winehq.org/show_bug.cgi?id=57929

            Bug ID: 57929
           Summary: Illegal pointer may be dereferenced
           Product: Wine
           Version: unspecified
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: win32u
          Assignee: wine-bugs(a)winehq.org
          Reporter: 1367173408(a)qq.com
      Distribution: ---

Created attachment 78182
  --> https://bugs.winehq.org/attachment.cgi?id=78182
execution trace

I have found a risk that an illegal pointer may be dereferenced.

At line 119 in file `dlls/win32u/ntgdi_private.h`, the function `pop_dc_driver` may return NULL. At line 750 in file `dlls/win32u/path.c`, the return value of `pop_dc_driver`, which may be NULL, is used as a real argument of the call to `pDeleteDC` (`pathdrv_DeleteDC`). Then, as shown by steps 3 and 4 in the attached image, an illegal address may be returned by function `get_path_physdev`, because `dev` is a NULL value (0) and `offsetof(type, field)` is subtracted from it. Finally, as shown by step 5, the illegal pointer may be dereferenced, which may cause unexpected application behavior or crashes.

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
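The arithmetic the report describes, as an added C model that is not Wine's code: `container_address` mirrors a `CONTAINING_RECORD`-style "member pointer minus `offsetof`" step, and `get_path_physdev_checked` mirrors the call sites that test the popped driver for NULL first. The struct and function names and the layout are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (assumed names and layout, not Wine's) of a driver
 * object embedded inside a larger path-driver object. */
struct physdev_model {
    const char *name;
};

struct path_physdev_model {
    int magic;                   /* some field placed before the embedded member */
    struct physdev_model dev;    /* the embedded object that callers pass around */
    int path_state;
};

/* Unchecked container computation, modelling "dev - offsetof(type, field)".
 * Done on uintptr_t so the NULL case stays well defined in this demonstration. */
static uintptr_t container_address(const struct physdev_model *dev)
{
    return (uintptr_t)dev - offsetof(struct path_physdev_model, dev);
}

/* Checked variant: a NULL member pointer yields NULL instead of a small
 * non-NULL garbage address that a later "if (physdev)" test would accept. */
static struct path_physdev_model *get_path_physdev_checked(struct physdev_model *dev)
{
    if (!dev) return NULL;
    return (struct path_physdev_model *)((char *)dev - offsetof(struct path_physdev_model, dev));
}

/* 1 if the unchecked arithmetic turns NULL into a non-NULL address. */
static int null_member_yields_nonnull_container(void)
{
    return container_address(NULL) != 0;
}

/* 1 if a real embedded member maps back to its containing object. */
static int roundtrip_ok(void)
{
    struct path_physdev_model obj = { 0x1234, { "path" }, 0 };
    return get_path_physdev_checked(&obj.dev) == &obj;
}

int main(void)
{
    printf("NULL member -> container 0x%lx, round trip %d, checked NULL -> %p\n",
           (unsigned long)container_address(NULL), roundtrip_ok(),
           (void *)get_path_physdev_checked(NULL));
    return 0;
}
```

The unchecked result for a NULL member is `(uintptr_t)0 - offsetof(...)`, which is why a NULL test placed after the subtraction cannot catch the case; the check has to happen on the value returned by `pop_dc_driver` itself.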
https://bugs.winehq.org/show_bug.cgi?id=57929

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #1 from Alexandre Julliard <julliard(a)winehq.org> ---
That can't happen, we know that there's a driver at that point.

Please don't file a bug for every static analyzer false positive, there are too many of them.
https://bugs.winehq.org/show_bug.cgi?id=57929

--- Comment #2 from 1367173408(a)qq.com ---
(In reply to Alexandre Julliard from comment #1)
> That can't happen, we know that there's a driver at that point.
> Please don't file a bug for every static analyzer false positive, there are too many of them.

Thank you for your patience! But I noticed that there are five call sites of the function `pop_dc_driver`, two of which check whether its return value is NULL (line 819 in file `dlls/win32u/path.c` and line 800 in file `dlls/win32u/dibdrv/dc.c`). So I am confused: why is the return value at the call site mentioned in my report guaranteed to be non-null?
https://bugs.winehq.org/show_bug.cgi?id=57929

--- Comment #3 from Alexandre Julliard <julliard(a)winehq.org> ---
In some cases we know that there's a driver already, in other cases it's possible that there isn't one. It depends on what the function is doing and where it's called from.
http://bugs.winehq.org/show_bug.cgi?id=57929

Ken Sharp <imwellcushtymelike(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Ken Sharp <imwellcushtymelike(a)gmail.com> ---
Closing bugs marked as invalid.