Jinoh Kang (@iamahuman) commented about dlls/win32u/winstation.c:
+{ + struct shared_session *session; + BOOL valid = TRUE; + + TRACE( "tid %04x, type %u\n", tid, type ); + + memset( info, 0, sizeof(*info) ); + info->index = -1; + + while ((session = get_shared_session( !valid ))) + { + info->session_id = session->id; + if ((info->index = get_thread_session_object_index( tid, type, &info->id )) == -1) break; + if ((valid = info->index < session->object_capacity)) break; + shared_session_release( session ); + } We have an out-of-bounds `info->index` left here. If the next iteration's `get_shared_session()` fails, we won't be able to detect this condition; instead, we will return the invalid index (as well as a NULL session) as-is to the caller.
To avoid this, ensure `info->index` is set to the sentinel when the while condition fails...

```suggestion:-1+0
        shared_session_release( session );
        info->index = -1;
    }
```

-- 
https://gitlab.winehq.org/wine/wine/-/merge_requests/3103#note_63374
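Review bot: in the retry loop, `info->session_id = session->id;` and the `&info->id` out-parameter of `get_thread_session_object_index()` are both written before the capacity check, so when `info->index < session->object_capacity` fails and the following `get_shared_session( !valid )` returns NULL, those two fields still describe the session that was just released, in addition to the stale index. Consider resetting the whole result on that path rather than the index alone, for example by repeating `memset( info, 0, sizeof(*info) )` together with `info->index = -1` after `shared_session_release( session )`, so that a caller handed a NULL session never reads fields taken from a released session.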