[PATCH 0/4] MR1956: ole32: Fix several heap mismatches / double free.

newer
[PATCH 0/2] MR1940: Cryptnet ocsp...

older
[PATCH 0/1] MR1958: ntdll/tests:...

Rémi Bernon

13 Jan 2023 13 Jan '23

7:36 a.m.

These can be reproduced when running many of the tests, including but not only, the ole32 tests. I tried to keep the changes minimal to fix the failing tests, hopefully it should cover all the mismatches (though I'm a bit worried about the apparent dependency with combase, which has been changed to use msvcrt heap). -- https://gitlab.winehq.org/wine/wine/-/merge_requests/1956

Show replies by date

Rémi Bernon

13 Jan 13 Jan

7:36 a.m.

New subject: [PATCH 1/4] ole32: Use CRT allocation for MIDL_user_(allocate/free).

From: Rémi Bernon <rbernon(a)codeweavers.com> To match combase allocations, as for instance we're freeing pointers returned from InternalIrotRevoke, which are allocated using combase MIDL_user_allocate. --- dlls/ole32/moniker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dlls/ole32/moniker.c b/dlls/ole32/moniker.c index 09266a33aba..be6150bc7b6 100644 --- a/dlls/ole32/moniker.c +++ b/dlls/ole32/moniker.c @@ -1363,10 +1363,10 @@ HRESULT MonikerMarshal_Create(IMoniker *inner, IUnknown **outer) void * __RPC_USER MIDL_user_allocate(SIZE_T size) { - return HeapAlloc(GetProcessHeap(), 0, size); + return malloc(size); } void __RPC_USER MIDL_user_free(void *p) { - HeapFree(GetProcessHeap(), 0, p); + free(p); } -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/1956

Rémi Bernon

7:36 a.m.

New subject: [PATCH 2/4] ole32: Allocate IEnumSTATDATA data with the process heap.

From: Rémi Bernon <rbernon(a)codeweavers.com> It will later be freed in EnumSTATDATA_Release with HeapFree, and the copy code path may allocate the member with HeapAlloc. --- dlls/ole32/datacache.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dlls/ole32/datacache.c b/dlls/ole32/datacache.c index e6cea25aca6..b3216992af5 100644 --- a/dlls/ole32/datacache.c +++ b/dlls/ole32/datacache.c @@ -2527,7 +2527,7 @@ static HRESULT WINAPI DataCache_EnumCache(IOleCache2 *iface, count++; } - data = CoTaskMemAlloc( count * sizeof(*data) ); + data = HeapAlloc( GetProcessHeap(), 0, count * sizeof(*data) ); if (!data) return E_OUTOFMEMORY; LIST_FOR_EACH_ENTRY( cache_entry, &This->cache_list, DataCacheEntry, entry ) @@ -2559,7 +2559,7 @@ static HRESULT WINAPI DataCache_EnumCache(IOleCache2 *iface, fail: while (i--) CoTaskMemFree( data[i].formatetc.ptd ); - CoTaskMemFree( data ); + HeapFree( GetProcessHeap(), 0, data ); return hr; } -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/1956

Rémi Bernon

7:36 a.m.

New subject: [PATCH 3/4] ole32: Reset IMoniker data pointer to NULL on failure.

From: Rémi Bernon <rbernon(a)codeweavers.com> To avoid double free when the caller releases the object. --- dlls/ole32/moniker.c | 1 + 1 file changed, 1 insertion(+) diff --git a/dlls/ole32/moniker.c b/dlls/ole32/moniker.c index be6150bc7b6..f98b21bdf2b 100644 --- a/dlls/ole32/moniker.c +++ b/dlls/ole32/moniker.c @@ -161,6 +161,7 @@ static HRESULT get_moniker_comparison_data(IMoniker *pMoniker, MonikerComparison { ERR("Failed to copy comparison data into buffer, hr = %#lx\n", hr); HeapFree(GetProcessHeap(), 0, *moniker_data); + *moniker_data = NULL; return hr; } (*moniker_data)->ulCntData = size; -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/1956

Rémi Bernon

7:36 a.m.

New subject: [PATCH 4/4] ole32: Allocate and free moniker lists with CRT allocations.

From: Rémi Bernon <rbernon(a)codeweavers.com> The RunningObjectTableImpl_EnumRunning codepath returns a list allocated from combase MIDL_user_allocate, which uses msvcrt heap. --- dlls/ole32/moniker.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dlls/ole32/moniker.c b/dlls/ole32/moniker.c index f98b21bdf2b..ec026758b2f 100644 --- a/dlls/ole32/moniker.c +++ b/dlls/ole32/moniker.c @@ -1033,8 +1033,8 @@ static ULONG WINAPI EnumMonikerImpl_Release(IEnumMoniker* iface) TRACE("(%p) Deleting\n",This); for (i = 0; i < This->moniker_list->size; i++) - HeapFree(GetProcessHeap(), 0, This->moniker_list->interfaces[i]); - HeapFree(GetProcessHeap(), 0, This->moniker_list); + free(This->moniker_list->interfaces[i]); + free(This->moniker_list); HeapFree(GetProcessHeap(), 0, This); } @@ -1119,7 +1119,7 @@ static HRESULT WINAPI EnumMonikerImpl_Clone(IEnumMoniker* iface, IEnumMoniker *ppenum = NULL; - moniker_list = HeapAlloc(GetProcessHeap(), 0, FIELD_OFFSET(InterfaceList, interfaces[This->moniker_list->size])); + moniker_list = malloc(FIELD_OFFSET(InterfaceList, interfaces[This->moniker_list->size])); if (!moniker_list) return E_OUTOFMEMORY; @@ -1127,13 +1127,13 @@ static HRESULT WINAPI EnumMonikerImpl_Clone(IEnumMoniker* iface, IEnumMoniker for (i = 0; i < This->moniker_list->size; i++) { SIZE_T size = FIELD_OFFSET(InterfaceData, abData[This->moniker_list->interfaces[i]->ulCntData]); - moniker_list->interfaces[i] = HeapAlloc(GetProcessHeap(), 0, size); + moniker_list->interfaces[i] = malloc(size); if (!moniker_list->interfaces[i]) { ULONG end = i; for (i = 0; i < end; i++) - HeapFree(GetProcessHeap(), 0, moniker_list->interfaces[i]); - HeapFree(GetProcessHeap(), 0, moniker_list); + free(moniker_list->interfaces[i]); + free(moniker_list); return E_OUTOFMEMORY; } memcpy(moniker_list->interfaces[i], This->moniker_list->interfaces[i], size); -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/1956

Huw Davies (＠huw)

9:19 a.m.

New subject: [PATCH 0/4] MR1956: ole32: Fix several heap mismatches / double free. - approved

This merge request was approved by Huw Davies. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/1956

1147

Age (days ago)

1147

Last active (days ago)

List overview

Download

5 comments

2 participants

participants (2)

Huw Davies (＠huw)
Rémi Bernon