http://bugs.winehq.org/show_bug.cgi?id=30850
Bug #: 30850
Summary: use-after-free error when running Gigasoft ProEssentials graph component?
Product: Wine
Version: 1.5.5
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified
A real app that uses gigasoft's graphing component is having a strange clipping problem when using gigasoft's "scientific graph" component. Their canned demo doesn't run well enough to test that component (see bug 30826), so I extracted just the part that displays a "scientific" graph. It seems to run fine, but valgrind complains about some use-after-free problems:
Invalid read of size 4
   at HEAP_FindFreeBlock (heap.c:1003)
   by RtlAllocateHeap (heap.c:1688)
   by init_region (region.c:485)
   by REGION_RegionOp (region.c:1742)
   by REGION_UnionRegion (region.c:2170)
   by CombineRgn (region.c:1366)
   by add_cap.isra.7 (objects.c:1227)
   by wide_line_segments (objects.c:1470)
   by wide_pen_lines (objects.c:1526)
   by dibdrv_LineTo (graphics.c:891)
   by LineTo (painting.c:242)
   by ??? (in /home/dank/demo100/PEGRP32E.DLL)
   by EnumMetaFile (metafile.c:537)
   by ??? (in /home/dank/demo100/PEGRP32E.DLL)
This looks a lot like the warn+heap crash in bug 30826.
Right-clicking on the demo and exporting it as a .wmf, then loading it into a simple app that plays back metafiles with PlayMetaFile under valgrind, shows no warnings in playback.
Source, executable, and a script to install visual C++ and compile the executable are attached. To reproduce: see last few lines of demo.sh in the attached archive.
Dan Kegel dank@kegel.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Keywords  |        |download
URL       |        |http://www.gigasoft.com/PE7-Pro-Setup.exe
Dan Kegel dank@kegel.com changed:
What                           |Removed |Added
----------------------------------------------------------------------------
Attachment #40399 is obsolete  |0       |1
--- Comment #2 from Dan Kegel dank@kegel.com 2012-06-05 19:09:42 CDT --- Created attachment 40401 --> http://bugs.winehq.org/attachment.cgi?id=40401 More minimal test case. Valgrind log now includes +relay,+metafile output, too.
Here's a smaller test case. I cut it down as far as possible; removing anything else seems to not trigger the problem.
Dan Kegel dank@kegel.com changed:
What     |Removed                                        |Added
----------------------------------------------------------------------------
Summary  |use-after-free error when running Gigasoft     |Heap problem when running Gigasoft
         |ProEssentials graph component?                 |ProEssentials graph component?
--- Comment #3 from Dan Kegel dank@kegel.com 2012-06-06 18:52:44 CDT --- That invalid read in HEAP_FindFreeBlock seems like a heap valgrind annotation problem, not a normal use-after-free.
The block it finds was created when HeapReAlloc shrank a block, and its metadata was marked accessible then. Maybe I'll log all the mark_* calls, and write a script to check whether any of them marked that particular metadata inaccessible.
Dan Kegel dank@kegel.com changed:
What      |Removed                                    |Added
----------------------------------------------------------------------------
Keywords  |                                           |testcase
URL       |http://www.gigasoft.com/PE7-Pro-Setup.exe  |
Summary   |Heap problem when running Gigasoft         |Invalid valgrind warnings
          |ProEssentials graph component?             |after HeapReAlloc
--- Comment #4 from Dan Kegel dank@kegel.com 2012-06-09 21:43:45 CDT --- Here's an even smaller testcase:
#include <windows.h>

int main(int argc, char **argv)
{
    void *p, *q, *r;

    p = HeapAlloc(GetProcessHeap(), 0, 8100);
    // Commenting out HeapReAlloc avoids valgrind warning
    q = HeapReAlloc(GetProcessHeap(), 0, p, 4100);
    // This heap operation generates spurious warnings under valgrind
    r = HeapAlloc(GetProcessHeap(), 0, 1234);
    return *(char *)q;
}
so it's pretty clearly a problem in our heap annotations... and happily the problem is obvious: notify_realloc() was called after HEAP_ShrinkBlock in one place, clobbering its annotations. Reversing the order of the calls fixes the problem.
Patch sent, http://www.winehq.org/pipermail/wine-patches/2012-June/114929.html
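A toy model of the ordering problem described in comment #4, added here as an illustration rather than Wine's heap.c: a byte arena with a shadow array standing in for memcheck's accessibility annotations. The names (notify_realloc, shrink_block, find_free_block_reports_error) and the block layout are assumptions of this model, not Wine's code.

```c
/* Toy model of tool annotations around an in-place shrinking realloc.
 * Block layout (assumed): a 4-byte size header followed by user data.
 * shadow[i] == 1 means the allocator/tool treats arena[i] as accessible. */
#include <stdio.h>
#include <string.h>

#define ARENA 64
#define HDR   4
static unsigned char arena[ARENA];
static unsigned char shadow[ARENA];   /* 1 = accessible, 0 = noaccess */

static void mark(size_t off, size_t len, unsigned char acc) { memset(shadow + off, acc, len); }

/* Tool hook: after a shrink, everything past the new end of the user
 * block is no longer the application's memory, so it becomes noaccess. */
static void notify_realloc(size_t blk, size_t old_size, size_t new_size)
{
    mark(blk + HDR + new_size, old_size - new_size, 0);
}

/* Allocator: split the tail off as a free block with its own header,
 * which the free-list walker must be able to read later. */
static void shrink_block(size_t blk, size_t old_size, size_t new_size)
{
    size_t tail = blk + HDR + new_size;
    mark(tail, HDR, 1);                               /* free block metadata */
    arena[tail] = (unsigned char)(old_size - new_size - HDR);
}

/* Free-list walk: 1 if reading the split-off block's header would be
 * reported as an invalid read (its shadow says noaccess). */
static int find_free_block_reports_error(size_t blk, size_t new_size)
{
    return shadow[blk + HDR + new_size] == 0;
}

/* Shrink a 40-byte block to 16 bytes, calling the two hooks in the given
 * order; returns 1 if the following free-list walk trips the tool. */
int shrink_realloc(int notify_first)
{
    const size_t blk = 0, old_size = 40, new_size = 16;
    memset(shadow, 0, sizeof shadow);
    mark(blk, HDR + old_size, 1);                     /* live block, all accessible */
    if (notify_first) { notify_realloc(blk, old_size, new_size); shrink_block(blk, old_size, new_size); }
    else              { shrink_block(blk, old_size, new_size); notify_realloc(blk, old_size, new_size); }
    return find_free_block_reports_error(blk, new_size);
}

int main(void)
{
    printf("notify after shrink:  %s\n", shrink_realloc(0) ? "invalid read" : "ok");
    printf("notify before shrink: %s\n", shrink_realloc(1) ? "invalid read" : "ok");
    return 0;
}
```

Calling the tool hook last wipes the annotation the allocator just placed on the new free block's header, which is the spurious "Invalid read" the bug reports; calling it first lets the allocator's annotation win.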
Dan Kegel dank@kegel.com changed:
What       |Removed  |Added
----------------------------------------------------------------------------
Component  |-unknown |ntdll
--- Comment #1 from Dan Kegel dank@kegel.com 2012-06-05 16:27:15 CDT --- Created attachment 40399 --> http://bugs.winehq.org/attachment.cgi?id=40399 Source, binary, log, and build script for small demo program.
Austin English austinenglish@gmail.com changed:
What           |Removed  |Added
----------------------------------------------------------------------------
Fixed by SHA1  |         |9af12506b0395b9d6bc035b31e6a9f8dde451650
Status         |NEW      |RESOLVED
Resolution     |         |FIXED
--- Comment #5 from Austin English austinenglish@gmail.com 2012-07-26 12:51:55 CDT --- http://source.winehq.org/git/wine.git/commitdiff/9af12506b0395b9d6bc035b31e6...
Dan Kegel dank@kegel.com changed:
What        |Removed   |Added
----------------------------------------------------------------------------
Status      |RESOLVED  |REOPENED
Resolution  |FIXED     |
--- Comment #6 from Dan Kegel dank@kegel.com 2012-07-26 12:53:17 CDT --- Except not. My patch was shamefully insufficient.
--- Comment #7 from Austin English austinenglish@gmail.com --- Please retest in current (1.7.17 or newer) wine.
--- Comment #8 from Austin English austinenglish@gmail.com --- Created attachment 48702 --> https://bugs.winehq.org/attachment.cgi?id=48702 valgrind output
Austin English austinenglish@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Keywords  |        |valgrind
--- Comment #9 from Austin English austinenglish@gmail.com --- I used winemaker to build the testcase:

mkdir a
cd a
vi foo.c
winemaker --wine32 .
make
export VALGRIND_OPTS="-q --trace-children=yes --track-origins=yes --gen-suppressions=all --suppressions=$WINESRC/tools/valgrind/valgrind-suppressions-ignore --suppressions=$WINESRC/tools/valgrind/valgrind-suppressions-external --suppressions=$WINESRC/tools/valgrind/valgrind-suppressions-known-bugs --suppressions=$WINESRC/tools/valgrind/valgrind-suppressions-gecko --leak-check=full --num-callers=20 --workaround-gcc296-bugs=yes --vex-iropt-register-updates=allregs-at-mem-access"
export WINE_HEAP_TAIL_REDZONE=32
export OANOCACHE=1
/opt/valgrind/bin/valgrind wine a.exe.so
joaopa jeremielapuree@yahoo.fr changed:
What  |Removed |Added
----------------------------------------------------------------------------
CC    |        |jeremielapuree@yahoo.fr
--- Comment #10 from joaopa jeremielapuree@yahoo.fr --- Created attachment 67601 --> https://bugs.winehq.org/attachment.cgi?id=67601 Compiled test
Looks like the bug is fixed in wine-5.11. Can an administrator close this bug as FIXED?

valgrind wine test.exe
==4837== Memcheck, a memory error detector
==4837== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4837== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==4837== Command: wine test.exe
==4837==