http://bugs.winehq.org/show_bug.cgi?id=20553
--- Comment #10 from Nikolay Sivov bunglehead@gmail.com 2009-11-14 20:05:25 ---
(In reply to comment #9)
> (In reply to comment #8)
> > Here was another problem discussed in this thread (corrupting the heap by overwriting an area marked free), and it doesn't exist any more. Currently I see a possible fix for that using the following condition:
> > HeapSize(GetProcessHeap(), 0, himl) >= sizeof(void*)
> > to determine if the required field is available to read. This will prevent reading out of the allocated area. Failure will be indicated by a -1 return value. This check should come right after checking himl for NULL.
> > P.S. I'm using sizeof(void*) here instead of sizeof(DWORD) because of bug 20696, where I think it's possible to use the vtable pointer as a magic (HIMAGELIST isn't reusable by another process anyway).
> HeapSize is not a reliable way to test for a valid handle. If you want to check the vtable or magic you can do that just as well without a HeapSize first.
Then it's an application bug here. I thought this invalid read was caused by accessing the first member (magic or vtable). If there's no way to do such a check, it's a Chromium problem.
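The magic-field handle check that comment #9 suggests doing without HeapSize, as an added example that is not Wine's code; the struct layout, the magic value and the function names are assumptions, and the -1 return on failure follows the convention discussed in the thread.

```c
#include <stddef.h>
#include <stdlib.h>

/* Assumed layout: a magic value is the first member of a live image list,
 * in the spirit of the "first member (magic or vtable)" idea above. */
#define IMAGELIST_MAGIC 0x53414D58u   /* constructed value, not Wine's */

typedef struct {
    unsigned int magic;   /* must equal IMAGELIST_MAGIC for a live object */
    int          count;   /* number of images in the list */
} ImageList;

/* Returns 1 if himl looks like a live image list, 0 otherwise.
 * The NULL test comes first so a NULL handle is never dereferenced;
 * a block of unrelated memory is rejected by its first word, without
 * any query of the allocator. */
static int is_valid_himl(const ImageList *himl)
{
    return himl != NULL && himl->magic == IMAGELIST_MAGIC;
}

/* Accessor with the -1-on-failure convention from the thread. */
int image_count(const ImageList *himl)
{
    if (!is_valid_himl(himl))
        return -1;
    return himl->count;
}

ImageList *imagelist_create(int count)
{
    ImageList *himl = calloc(1, sizeof(*himl));
    if (!himl)
        return NULL;
    himl->magic = IMAGELIST_MAGIC;
    himl->count = count;
    return himl;
}

/* Clearing the magic before freeing means a stale handle that still
 * points at unreused memory fails the check; it is not a full cure,
 * since reading a freed block is still undefined behaviour. */
void imagelist_destroy(ImageList *himl)
{
    if (!himl)
        return;
    himl->magic = 0;
    free(himl);
}
```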