http://bugs.winehq.org/show_bug.cgi?id=28769
Bug #: 28769
Summary: shell32/shellpath tests: test_knownFolders() triggers use-after-free and invalid free in foldermanager
Product: Wine
Version: 1.3.30
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: shell32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified

Running "make shellpath.ok" in shell32/tests, Valgrind complains:

 Invalid read of size 1
    at foldermanager_GetFolder (shellpath.c:3764)
    by test_knownFolders (shellpath.c:2199)
    by func_shellpath (shellpath.c:2517)
    by run_test (test.h:556)
    by main (test.h:624)
  Address 0x7f041870 is 472 bytes inside a block of size 1,024 free'd
    at RtlFreeHeap (heap.c:262)
    by add_with_alpha (imagelist.c:237)
    by ImageList_ReplaceIcon (imagelist.c:2508)
    by SIC_IconAppend (iconcache.c:284)
    by SIC_Initialize (iconcache.c:428)
    by DllMain (shell32_main.c:1200)

 Invalid read of size 1
    at foldermanager_GetFolder (shellpath.c:3764)
    by test_knownFolders (shellpath.c:2233)
    by func_shellpath (shellpath.c:2517)
    by run_test (test.h:556)
    by main (test.h:624)
  Address 0x7f041870 is 472 bytes inside a block of size 1,024 free'd
    at RtlFreeHeap (heap.c:262)
    by add_with_alpha (imagelist.c:237)
    by ImageList_ReplaceIcon (imagelist.c:2508)
    by SIC_IconAppend (iconcache.c:284)
    by SIC_Initialize (iconcache.c:428)
    by DllMain (shell32_main.c:1200)

 Invalid free() / delete / delete[]
    at RtlFreeHeap (heap.c:262)
    by foldermanager_Release (shellpath.c:3684)
    by test_knownFolders (shellpath.c:2485)
    by func_shellpath (shellpath.c:2517)
    by run_test (test.h:556)
    by main (test.h:624)
  Address 0x7f041870 is 472 bytes inside a block of size 1,024 free'd
    at RtlFreeHeap (heap.c:262)
    by add_with_alpha (imagelist.c:237)
    by ImageList_ReplaceIcon (imagelist.c:2508)
    by SIC_IconAppend (iconcache.c:284)
    by SIC_Initialize (iconcache.c:428)
    by DllMain (shell32_main.c:1200)

--- Comment #1 from Austin English austinenglish@gmail.com ---

 Invalid read of size 1
    at bcmp (mc_replace_strmem.c:935)
    by is_knownfolder (shellpath.c:3790)
    by foldermanager_GetFolder (shellpath.c:3819)
    by test_knownFolders (shobjidl.h:16490)
    by func_shellpath (shellpath.c:2660)
    by run_test (test.h:584)
    by main (test.h:654)
  Address 0x4abbe28 is 18 bytes after a block of size 254 free'd
    at notify_free (heap.c:263)
    by RtlFreeHeap (heap.c:1762)
    by HeapFree (heap.c:276)
    by load_library (module.c:940)
    by LoadLibraryExW (module.c:990)
    by COMPOBJ_DllList_Add (compobj.c:495)
    by apartment_getclassobject (compobj.c:1335)
    by get_inproc_class_object (compobj.c:2894)
    by CoGetClassObject (compobj.c:3032)
    by CoCreateInstance (compobj.c:3197)
    by test_knownFolders (shellpath.c:2077)
    by func_shellpath (shellpath.c:2660)
    by run_test (test.h:584)
    by main (test.h:654)

still present.
Austin English austinenglish@gmail.com changed:

What     |Removed |Added
----------------------------------------------------------------------------
Keywords |        |download, source, testcase, valgrind

Andrew Eikum aeikum@codeweavers.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |aeikum@codeweavers.com

--- Comment #2 from Andrew Eikum aeikum@codeweavers.com ---
I think this should be fixed by:

commit e4868d563574853d40ca04adfc28db1c19ca9dbf
Author: Andrew Eikum aeikum@codeweavers.com
Date:   Wed Apr 8 10:59:33 2015 -0500

    shell32: Allocate returned array in IKnownFolderManager::GetFolderIds.

Austin English austinenglish@gmail.com changed:

What          |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1 |        |e4868d563574853d40ca04adfc28db1c19ca9dbf
Status        |NEW     |RESOLVED
Resolution    |---     |FIXED

--- Comment #3 from Austin English austinenglish@gmail.com ---
(In reply to Andrew Eikum from comment #2)
> I think this should be fixed by:
>
> commit e4868d563574853d40ca04adfc28db1c19ca9dbf
> Author: Andrew Eikum aeikum@codeweavers.com
> Date:   Wed Apr 8 10:59:33 2015 -0500
>
>     shell32: Allocate returned array in IKnownFolderManager::GetFolderIds.

Yep, thanks.
Alexandre Julliard julliard@winehq.org changed:

What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #4 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.41.