http://bugs.winehq.org/show_bug.cgi?id=17076
Anastasius Focht focht@gmx.net changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC|             |focht@gmx.net
--- Comment #1 from Anastasius Focht focht@gmx.net 2009-01-22 16:34:55 ---
Hello,
stack vs. heap based buffer bug while handling inter-process window message. The spawned child process (tid=0x1d) tries to fetch dialog control text from father process (tid=0x9) using GetDlgItemTextA().
--- snip ---
0009:Call user32.CreateDialogParamA(00400000,000003e9,00000000,0040fe08,005622a8) ret=0040fb10
...
0009:Ret user32.CreateDialogParamA() retval=0001002a ret=0040fb10
...
0009:trace:win:WIN_CreateWindowEx "" L"Static" ex=00000004 style=50020000 180,137 299x13 parent=0x1002a menu=0x3eb inst=0x400000 params=(nil)
0009:trace:win:dump_window_styles style: WS_CHILD WS_VISIBLE WS_GROUP
0009:trace:win:dump_window_styles exstyle: WS_EX_NOPARENTNOTIFY
0009:trace:win:WIN_SetWindowLong 0x10032 -12 3eb W
...
0009:trace:win:WIN_CreateWindowEx created window 0x10032
...
001d:Call user32.GetDlgItemTextA(0001002a,000003eb,00582a88,00000200) ret=004070c0
001d:trace:msg:WINPROC_CallProcAtoW (hwnd=0x10032,msg=WM_GETTEXT,wp=00000200,lp=00582a88)
001d:trace:msg:send_inter_thread_message hwnd 0x10032 msg d (WM_GETTEXT) wp 200 lp 33f53c
0009:Ret user32.MsgWaitForMultipleObjects() retval=00000001 ret=0042038a
0009:Call user32.PeekMessageA(0032cca8,00000000,00000000,00000000,00000001) ret=0042039f
0009:trace:msg:peek_message got type 5 msg d (WM_GETTEXT) hwnd 0x10032 wp 200 lp 33f53c
0009:Ret user32.PeekMessageA() retval=00000000 ret=0042039f
0009:Call user32.MsgWaitForMultipleObjects(00000001,0032cd24,00000000,ffffffff,000000ff) ret=0042038a
0009:Ret user32.MsgWaitForMultipleObjects() retval=00000001 ret=0042038a
0009:Call user32.PeekMessageA(0032cca8,00000000,00000000,00000000,00000001) ret=0042039f
0009:trace:msg:peek_message got type 7 msg 200 (WM_MOUSEMOVE) hwnd 0x1002a wp 0 lp 0
...
--- snip ---
When the inter-process message is handled in peek_message(), a local buffer is used first. Message type MSG_OTHER_PROCESS -> unpack_message() -> WM_GETTEXT -> get_buffer_space(). get_buffer_space() assumes the buffer is from the heap, which isn't the case here.
Regards
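The bug class described in the comment above, as an added C illustration that is not part of the bug report and not Wine's code: a receive path tries a small stack buffer first, a grow routine assumes every buffer it sees was heap-allocated and frees it, and the hardened variant tracks ownership so the stack array is never freed. All names (msg_buffer, get_buffer_space, unpack_gettext, the demo helpers) are hypothetical, and the 0x200-byte reply is constructed input chosen to match the size the trace shows GetDlgItemTextA requesting.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the stack-vs-heap buffer mistake, not Wine's code:
   a message buffer that starts as a stack array and is swapped for a heap
   block only when the payload is larger. All names are hypothetical. */
struct msg_buffer {
    void  *data;
    size_t size;
    bool   on_heap;   /* ownership flag; the buggy variant ignores it */
};

/* Buggy shape: treats whatever 'data' points to as a heap block. If the
   caller started with a stack array, free() here is undefined behaviour
   (heap corruption or a crash). Shown for contrast; never executed below. */
void *get_buffer_space_buggy(struct msg_buffer *b, size_t needed)
{
    if (needed > b->size) {
        free(b->data);                 /* wrong when data is a stack array */
        b->data = malloc(needed);
        b->size = b->data ? needed : 0;
    }
    return b->data;
}

/* Hardened shape: allocate first, release the old block only if owned. */
void *get_buffer_space(struct msg_buffer *b, size_t needed)
{
    if (needed > b->size) {
        void *p = malloc(needed);
        if (!p) return NULL;           /* old buffer stays valid on failure */
        if (b->on_heap) free(b->data);
        b->data = p;
        b->size = needed;
        b->on_heap = true;
    }
    return b->data;
}

void release_buffer(struct msg_buffer *b)
{
    if (b->on_heap) free(b->data);
    b->data = NULL;
    b->size = 0;
    b->on_heap = false;
}

/* Model of the receiving side unpacking a WM_GETTEXT reply: try a small
   stack buffer first, grow onto the heap if the text is longer. Returns the
   number of bytes stored and reports whether the buffer migrated. */
size_t unpack_gettext(const char *reply, size_t text_len, bool *migrated)
{
    char local[64];                    /* stack buffer used first */
    struct msg_buffer b = { local, sizeof local, false };
    char *dst = get_buffer_space(&b, text_len);
    if (!dst) { *migrated = false; return 0; }
    memcpy(dst, reply, text_len);
    *migrated = b.on_heap;
    size_t stored = text_len;
    release_buffer(&b);                /* frees only a heap block, never 'local' */
    return stored;
}

/* Constructed input: a reply of 'len' bytes. Returns bytes stored, or 0. */
size_t demo_len(size_t len)
{
    char *reply = malloc(len ? len : 1);
    if (!reply) return 0;
    memset(reply, 'A', len);
    bool migrated;
    size_t n = unpack_gettext(reply, len, &migrated);
    free(reply);
    return n;
}

/* 1 if a reply of 'len' bytes forced the buffer onto the heap, else 0. */
int demo_migrated(size_t len)
{
    char *reply = malloc(len ? len : 1);
    if (!reply) return -1;
    memset(reply, 'A', len);
    bool migrated;
    unpack_gettext(reply, len, &migrated);
    free(reply);
    return migrated ? 1 : 0;
}

int main(void)
{
    printf("5 bytes: stored=%zu heap=%d\n", demo_len(5), demo_migrated(5));
    printf("0x200 bytes: stored=%zu heap=%d\n", demo_len(0x200), demo_migrated(0x200));
    return 0;
}
```

The point of the ownership flag is that the grow routine cannot tell a stack array from a heap block by looking at the pointer; the caller that chose the stack buffer has to say so, and the release path has to honour it. The buggy variant is kept in the file only for comparison and is never called, because freeing a stack address is exactly the corruption the report describes.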