In `WINMM_MapDevice` the pointer `device->orig_fmt` is cast to a `WAVEFORMATEXTENSIBLE` pointer (`fmtex`), even when `cbSize` is zero, which indicates that no additional memory was allocated for the extended fields. ASan is therefore triggered when `IsEqualGUID` reads `fmtex->SubFormat`.

CC: @giomasce (I currently cannot point to a specific commit, but this may also be related to the recent changes?)

[Test pattern page](https://test.winehq.org/data/patterns.html#winmm:wave)
[Testbot run with this patch](https://testbot.winehq.org/JobDetails.pl?Key=162180)

<details>
<summary>ASan details [gitlab CI](https://gitlab.winehq.org/bernhardu/wine/-/jobs/234480#L3432)</summary>

```
==winmm_test.exe==2348==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0144e7d8 at pc 0x7846ed21 bp 0x04d1fb98 sp 0x04d1f770
READ of size 1 at 0x0144e7d8 thread T259
    #0 0x7846ed20 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:861:7
    #1 0x7846ee7a in memcmp /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:880:10
    #2 0x78ee26f6 in WINMM_OpenDevice /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:1142:19
    #3 0x78ee0add in WOD_Open /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:1285:11
    #4 0x78ee63de in WINMM_DevicesMsgProc /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:2401:16
    #5 0x7b13b573 in WINPROC_wrapper (C:\windows\system32\user32.dll+0x1004b573)
    #6 0x7b13bdf3 in call_window_proc /builds/bernhardu/wine/build64/../dlls/user32/winproc.c:111:15
    #7 0x7b13beea in dispatch_win_proc_params /builds/bernhardu/wine/build64/../dlls/user32/winproc.c
    #8 0x7b13c807 in User32CallWinProc /builds/bernhardu/wine/build64/../dlls/user32/winproc.c:827:14
    #9 0x7be1dc86 in dispatch_user_callback /builds/bernhardu/wine/build64/../dlls/ntdll/exception.c:297:18
    #10 0x7be46a62 in KiUserCallbackDispatcher /builds/bernhardu/wine/build64/../dlls/ntdll/signal_i386.c:205:23
    #11 0x79d31d3b in NtUserPeekMessage (C:\windows\system32\win32u.dll+0x10011d3b)
    #12 0x78ee6226 in WINMM_DevicesThreadProc /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:2483:16
    #13 0x78486c21 in asan_thread_start(void*) /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_win.cpp:147:14
    #14 0x7be4678a in call_thread_func_wrapper (C:\windows\system32\ntdll.dll+0x7bc4678a)
    #15 0x7be470fa in call_thread_func /builds/bernhardu/wine/build64/../dlls/ntdll/signal_i386.c:503:9

0x0144e7d8 is located 6 bytes after 18-byte region [0x0144e7c0,0x0144e7d2)
allocated by thread T259 here:
    #0 0x7847557b in malloc /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:87:3
    #1 0x78ee20ce in WINMM_OpenDevice /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:1124:28
    #2 0x78ee0add in WOD_Open /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:1285:11
    #3 0x78ee63de in WINMM_DevicesMsgProc /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:2401:16
    #4 0x7b13b573 in WINPROC_wrapper (C:\windows\system32\user32.dll+0x1004b573)
    #5 0x7b13bdf3 in call_window_proc /builds/bernhardu/wine/build64/../dlls/user32/winproc.c:111:15
    #6 0x7b13beea in dispatch_win_proc_params /builds/bernhardu/wine/build64/../dlls/user32/winproc.c
    #7 0x7b13c807 in User32CallWinProc /builds/bernhardu/wine/build64/../dlls/user32/winproc.c:827:14
    #8 0x7be1dc86 in dispatch_user_callback /builds/bernhardu/wine/build64/../dlls/ntdll/exception.c:297:18
    #9 0x7be46a62 in KiUserCallbackDispatcher /builds/bernhardu/wine/build64/../dlls/ntdll/signal_i386.c:205:23
    #10 0x79d31d3b in NtUserPeekMessage (C:\windows\system32\win32u.dll+0x10011d3b)
    #11 0x78ee6226 in WINMM_DevicesThreadProc /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:2483:16
    #12 0x78486c21 in asan_thread_start(void*) /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_win.cpp:147:14
    #13 0x7be4678a in call_thread_func_wrapper (C:\windows\system32\ntdll.dll+0x7bc4678a)
    #14 0x7be470fa in call_thread_func /builds/bernhardu/wine/build64/../dlls/ntdll/signal_i386.c:503:9

Thread T259 created by T0 here:
    #0 0x78486b7d in CreateThread /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_win.cpp:157:3
    #1 0x78ed3dd9 in WINMM_StartDevicesThread /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:2546:24
    #2 0x78ed3b5c in waveOutOpen /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:2740:9
    #3 0x0043d618 in wave_out_test_deviceOut /builds/bernhardu/wine/build64/../dlls/winmm/tests/wave.c:851:8
    #4 0x0043ae52 in wave_out_test_device /builds/bernhardu/wine/build64/../dlls/winmm/tests/wave.c:1415:9
    #5 0x00436085 in wave_out_tests /builds/bernhardu/wine/build64/../dlls/winmm/tests/wave.c:1566:9
    #6 0x0043586e in func_wave /builds/bernhardu/wine/build64/../dlls/winmm/tests/wave.c:2470:5
    #7 0x00443ab1 in run_test /builds/bernhardu/wine/build64/../include/wine/test.h:780:5
    #8 0x0044356a in main /builds/bernhardu/wine/build64/../include/wine/test.h:900:12
    #9 0x004453b5 in mainCRTStartup /builds/bernhardu/wine/build64/../dlls/msvcrt/crt_main.c:62:11
    #10 0x7bcd367f in BaseThreadInitThunk (C:\windows\system32\kernel32.dll+0x7b82367f)
    #11 0x7be4678a in call_thread_func_wrapper (C:\windows\system32\ntdll.dll+0x7bc4678a)
    #12 0x7be470fa in call_thread_func /builds/bernhardu/wine/build64/../dlls/ntdll/signal_i386.c:503:9

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/bernhardu/wine/build64/../dlls/winmm/waveform.c:1142:19 in WINMM_OpenDevice
```

</details>

--
https://gitlab.winehq.org/wine/wine/-/merge_requests/10264