http://bugs.winehq.org/show_bug.cgi?id=31723
Bug #: 31723
Summary: Heap corruption crash on exit from notepad under WINEDEBUG=warn+heap
Product: Wine
Version: 1.5.12
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: user32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified
Found while looking at bug 31353.
In wine-1.5.13, if I do

    echo x > foo.txt
    WINEDEBUG=warn+heap wine notepad foo.txt

and then exit notepad, it crashes with the following stack trace:

    Unhandled exception: page fault on read access to 0xfeeefef6 in 32-bit code (0x7db24356).
    Backtrace:
    =>0 ScriptStringFree+0x36(pssa=0x161bcc) [dlls/usp10/usp10.c:2320]
      1 EditWndProc_common+0x1119(hwnd=<?>, msg=<?>, wParam=<?>, lParam=<?>, unicode=<?>) [dlls/user32/edit.c:375]
      2 EditWndProcW+0x3a(hwnd=0x10076, msg=0x82, wParam=0, lParam=0) [dlls/user32/winproc.c:1081]
'winetricks usp10' does not work around it.
wine-1.4 does not have the problem.
git log on edit.c shows the most recent commit is

    user32: Release uniscribe data on Edit control destruction (valgrind).
    author Nikolay Sivov nsivov@codeweavers.com
           Tue, 4 Sep 2012 19:06:17 +0000 (23:06 +0400)
    commit 6b1946154831c4537b9fffc4994cb0273db55918

    user32: Release uniscribe data on Edit control destruction (valgrind).

Reverting that gets rid of the crash.