https://bugs.winehq.org/show_bug.cgi?id=38924
Damjan Jovanovic damjan.jov@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |ntdll
--- Comment #10 from Damjan Jovanovic damjan.jov@gmail.com ---
The chain of events looks something like this:
1.0 DnDShapeDropTarget::OnData() [application]
2.0 wxDropTarget::GetData()
3.0 wxIDataObject::GetData()
4.0 wxIDataObject::GetDataHere()
5.0 DnDShapeDataObject::GetDataHere() [application]
6.0 DnDShape::GetDataHere() [application]
3.1 wxIDataObject::SetData()
7.0 pBuf = GetSizeFromBuffer(pBuf, size, format)
8.0 wxDataObject::GetSizeFromBuffer(pbuf, size, format)
9.0 ::HeapSize(::GetProcessHeap(), 0, pBuf);
7.1 DnDShapeDataObject::SetData(pBuf) [application]
In step 9.0 wxWidgets tries to determine the size of a memory area using HeapSize(). HeapSize() fails with GetLastError()=87 (ERROR_INVALID_PARAMETER). Step 8.0 wxDataObject::GetSizeFromBuffer() thus returns NULL, setting pBuf to NULL. The application's DnDShapeDataObject::SetData() in 7.1 thus receives a NULL pointer. The application tries to access the NULL pointer -> crash.
Why does HeapSize() fail? It's called on pBuf. What does pBuf point to?
    const void *pBuf = GlobalLock(pmedium->hGlobal);
So pBuf actually points to global memory, not GetProcessHeap() heap memory.
Using HeapSize() on memory returned from GlobalLock() apparently works on Windows, but fails on Wine and causes the crash.
If I patch wxWidgets to call GlobalSize() instead of HeapSize(), the drag and drop no longer crashes. However, wxWidgets dates back to 1992; we can't patch 27 years' worth of wxWidgets applications out in the field, especially those that have linked to wxWidgets statically. Wine should support calling HeapSize() on pointers returned from GlobalLock(), like Windows does.
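The failure chain in the comment above, as an added example that is not part of the bug report and is neither wxWidgets nor Wine code: a portable C model in which a heap size query rejects a pointer obtained by locking a global handle (the behaviour reported for Wine), next to a size lookup through the handle and a callee that checks for NULL. All names (heap_alloc, global_obj, size_via_heap, size_via_handle, set_data) are hypothetical stand-ins, and the lookup table is an assumed substitute for whatever validation makes the real HeapSize() fail.

```c
#include <stddef.h>
#include <stdlib.h>

#define SIZE_FAIL ((size_t)-1)   /* HeapSize() also reports failure as (SIZE_T)-1 */
/* Model "process heap": only blocks recorded in this table can be sized. */
static struct { void *p; size_t n; } heap_tab[8];
static void *heap_alloc(size_t n) {
    for (int i = 0; i < 8; i++)
        if (!heap_tab[i].p) { heap_tab[i].n = n; return heap_tab[i].p = malloc(n); }
    return NULL;
}
static size_t heap_size(const void *p) {
    for (int i = 0; p && i < 8; i++)
        if (heap_tab[i].p == p) return heap_tab[i].n;
    return SIZE_FAIL;            /* pointer is not a block of this heap */
}

/* Model "global" object: the handle, not the locked pointer, knows the size. */
typedef struct { void *mem; size_t n; } global_obj;
static global_obj *global_alloc(size_t n) {
    global_obj *g = malloc(sizeof *g);
    if (g) { g->mem = calloc(1, n); g->n = n; }
    return g;
}
static void *global_lock(global_obj *g) { return g ? g->mem : NULL; }
static size_t global_size(const global_obj *g) { return g ? g->n : 0; }

/* Steps 8.0/9.0 as described: size the locked pointer through the heap query. */
static const void *size_via_heap(const void *buf, size_t *n) {
    *n = heap_size(buf);
    return *n == SIZE_FAIL ? NULL : buf;
}
/* The change the comment reports testing: ask the handle for its size. */
static const void *size_via_handle(global_obj *g, size_t *n) {
    *n = global_size(g);
    return *n ? global_lock(g) : NULL;
}
/* Step 7.1 with a guard: -1 for a NULL/empty buffer, else the first byte. */
static int set_data(const void *buf, size_t n) {
    return (buf && n) ? ((const unsigned char *)buf)[0] : -1;
}

int main(void) {
    size_t n;
    global_obj *g = global_alloc(16);
    void *own = heap_alloc(32);
    int legacy = set_data(size_via_heap(global_lock(g), &n), n);  /* rejected */
    int fixed = set_data(size_via_handle(g, &n), n);              /* accepted */
    return (heap_size(own) == 32 && legacy == -1 && fixed == 0) ? 0 : 1;
}
```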