http://bugs.winehq.org/show_bug.cgi?id=28732
Bug #: 28732
Summary: use-after-free in MONTHCAL_UpdateSize
Product: Wine
Version: 1.3.30
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: comctl32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified
While running "make monthcal.ok" in comctl32/tests, valgrind complains
Invalid read of size 4
   at MONTHCAL_UpdateSize (monthcal.c:2556)
   by MONTHCAL_WindowProc (monthcal.c:2739)
   by ??? (in /oldhome/dank/wine-git/dlls/user32/user32.dll.so)
   by call_window_proc (winproc.c:242)
   by WINPROC_CallProcAtoW (winproc.c:404)
   by WINPROC_call_window (winproc.c:910)
   by call_window_proc (message.c:2211)
   by send_message (message.c:3084)
   by SendMessageA (message.c:3286)
   by WIN_CreateWindowEx (win.c:1448)
   by CreateWindowExA (win.c:1550)
   by create_monthcal_control (monthcal.c:577)
   by func_monthcal (monthcal.c:1524)
 Address 0x7f045618 is 8 bytes inside a block of size 112 free'd
   at RtlReAllocateHeap (heap.c:262)
   by HeapReAlloc (heap.c:277)
   by GlobalReAlloc (heap.c:651)
   by LocalReAlloc (heap.c:1075)
   by ReAlloc (comctl32undoc.c:99)
   by MONTHCAL_UpdateSize (monthcal.c:2541)
   by MONTHCAL_WindowProc (monthcal.c:2739)
   by ??? (in /oldhome/dank/wine-git/dlls/user32/user32.dll.so)
   by call_window_proc (winproc.c:242)
   by WINPROC_CallProcAtoW (winproc.c:404)
   by WINPROC_call_window (winproc.c:910)
   by call_window_proc (message.c:2211)
   by send_message (message.c:3084)
   by SendMessageA (message.c:3286)
   by WIN_CreateWindowEx (win.c:1448)
   by CreateWindowExA (win.c:1550)
   by create_monthcal_control (monthcal.c:577)
   by func_monthcal (monthcal.c:1524)
A quick look at the source makes me think that the pointer 'title' might need to be updated when the realloc is done.
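An added example of the pattern the report points at, constructed here and not Wine's code: a pointer taken into a heap block before a realloc is dangling once the block moves, so the pointer must be derived from the new block afterwards. The types and function names (MONTHCAL, monthcal_set_count, monthcal_update_size) are invented for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed types, not Wine's: a control holding an array of per-month
 * layout records in one heap block, which realloc is free to move. */
typedef struct { int left, top, right, bottom; } RECT;
typedef struct { RECT title; RECT days; } CALENDAR;
typedef struct {
    CALENDAR *calendars;   /* heap block; every pointer into it dies on realloc */
    size_t    cal_num;
} MONTHCAL;

int monthcal_init(MONTHCAL *m, size_t n)
{
    m->calendars = calloc(n, sizeof *m->calendars);
    m->cal_num = m->calendars ? n : 0;
    return m->calendars ? 0 : -1;
}

/* Resize the block. Returns 1 if it moved (any cached pointer into it is
 * now dangling), 0 if it stayed in place, -1 on allocation failure. The
 * old address is kept as an integer so the freed pointer is never used. */
int monthcal_set_count(MONTHCAL *m, size_t n)
{
    uintptr_t before = (uintptr_t)m->calendars;
    CALENDAR *p = realloc(m->calendars, n * sizeof *p);
    if (!p) return -1;
    if (n > m->cal_num)
        memset(p + m->cal_num, 0, (n - m->cal_num) * sizeof *p);
    m->calendars = p;
    m->cal_num = n;
    return (uintptr_t)p != before;
}

/* The reported pattern done right: take the pointer into the block only
 * AFTER the realloc, never before it. */
int monthcal_update_size(MONTHCAL *m, size_t n, int width)
{
    RECT *title;
    if (monthcal_set_count(m, n) < 0) return -1;
    title = &m->calendars[0].title;       /* derived from the new block */
    title->left = 0;  title->top = 0;
    title->right = width;  title->bottom = 20;
    return 0;
}

void monthcal_free(MONTHCAL *m) { free(m->calendars); m->calendars = NULL; m->cal_num = 0; }
```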
--- Comment #1 from Nikolay Sivov bunglehead@gmail.com 2011-10-18 02:00:40 CDT ---
Patch sent for that http://www.winehq.org/pipermail/wine-patches/2011-October/107992.html
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Fixed by SHA1   |                            |ea96417f83fad63b696f0a7132aca89ada11b8ff
          Status   |NEW                         |RESOLVED
      Resolution   |                            |FIXED
--- Comment #2 from Austin English austinenglish@gmail.com 2011-10-18 13:19:35 CDT ---
(In reply to comment #1)
> Patch sent for that http://www.winehq.org/pipermail/wine-patches/2011-October/107992.html
http://source.winehq.org/git/wine.git/commitdiff/ea96417f83fad63b696f0a7132a...
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Status   |RESOLVED                    |CLOSED

--- Comment #3 from Alexandre Julliard julliard@winehq.org 2011-10-21 13:49:51 CDT ---
Closing bugs fixed in 1.3.31.