https://bugs.winehq.org/show_bug.cgi?id=54564
Jinoh Kang jinoh.kang.kr@gmail.com changed:
What            | Removed | Added
----------------+---------+------------------------------------------
Regression SHA1 |         | 586e31a1e6e524e593897285a82b90a08303db33
--- Comment #1 from Jinoh Kang jinoh.kang.kr@gmail.com ---
The following diagnosis has been performed based on Wine commit 15b176b4f4945d7abfb4adbddc7f140ba1765855.
Symptom:
As of Wine 8.2 (but going as far back as 5.20), ME_MoveCursorWords can produce an invalid cursor which eventually causes NULL pointer dereference in the same function via user trigger.
Background:
- A ME_Cursor instance represents a specific position inside the rich text document being edited. A valid ME_Cursor maintains the invariant that `pRun` is a child of `pPara`.
- ME_MoveCursorWords is a function that implements cursor motion in "word units." As part of its implicit contract, it should produce a valid ME_Cursor via the `cursor` output parameter.
Diagnosis:
- ME_MoveCursorWords violates the contract w.r.t. the `cursor` output parameter in the "forward movement" case.
- When `other_run` is NULL, ME_MoveCursorWords re-assigns the `para` variable but leaves `run` as-is. This re-assignment makes `run` stale (semantically), and disrupts the previously established invariant that `run` should be a child of `para`. The `run` and `para` values are later copied to `cursor->pRun` and `cursor->pPara`, causing the contract violation.
- This is a regression. The first revision that introduces this breakage is commit 586e31a1e6e524e593897285a82b90a08303db33.
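As an added illustration (not Wine's code and not the actual fix), here is a cut-down C model of the invariant described in the comment: `cursor_is_valid` checks that `pRun` belongs to `pPara`, the buggy mover reproduces the stale-`run` path, and the repaired variant re-seats `run` whenever `para` changes. The struct layouts, function names and the two-paragraph document are constructed assumptions.

```c
#include <stddef.h>
#include <stdbool.h>
/* Model of the editor's structures (assumed names, not Wine's real layout). */
struct run  { struct run *next; };
struct para { struct run *first_run; struct para *next; };
struct cursor { struct para *pPara; struct run *pRun; };

/* The invariant from the report: pRun must be a child of pPara. */
static bool cursor_is_valid(const struct cursor *c)
{
    if (!c->pPara || !c->pRun) return false;
    for (const struct run *r = c->pPara->first_run; r; r = r->next)
        if (r == c->pRun) return true;
    return false;
}

/* Mirrors the diagnosed forward-move path: at the end of a paragraph
 * 'para' is advanced but 'run' is left stale, so the output is invalid. */
static bool move_word_forward_buggy(struct cursor *c)
{
    struct para *para = c->pPara;
    struct run *run = c->pRun, *other_run = run->next;
    if (!other_run) {
        if (!para->next) return false;   /* end of document */
        para = para->next;               /* run is not updated */
    } else run = other_run;
    c->pPara = para; c->pRun = run;
    return true;
}

/* Illustrative repair (assumed, not Wine's fix): re-seat 'run' when 'para' changes. */
static bool move_word_forward_fixed(struct cursor *c)
{
    struct para *para = c->pPara;
    struct run *run = c->pRun, *other_run = run->next;
    if (!other_run) {
        if (!para->next) return false;
        para = para->next;
        run = para->first_run;           /* keeps pRun a child of pPara */
    } else run = other_run;
    c->pPara = para; c->pRun = run;
    return true;
}

/* Constructed two-paragraph document, one run each. */
static struct run r2 = { NULL }, r1 = { NULL };
static struct para p2 = { &r2, NULL }, p1 = { &r1, &p2 };
static bool buggy_move_breaks_invariant(void)
{ struct cursor c = { &p1, &r1 }; return move_word_forward_buggy(&c) && !cursor_is_valid(&c); }
static bool fixed_move_keeps_invariant(void)
{ struct cursor c = { &p1, &r1 }; return move_word_forward_fixed(&c) && cursor_is_valid(&c); }
```

Running the check right after the move is the kind of assertion that would have turned the later NULL dereference into an immediate, localised failure.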