http://bugs.winehq.org/show_bug.cgi?id=20896
Summary: Use-after-free in DdeClientTransaction in user32 dde tests
Product: Wine
Version: 1.1.33
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: download, source, testcase
Severity: normal
Priority: P2
Component: user32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
http://kegel.com/wine/valgrind/logs/2009-11-30-19.16/vg-user32_dde.txt says

  Invalid read of size 2
    at GlobalFree (heap.c:767)
    by WDML_FreeTransaction (dde_misc.c:2439)
    by DdeClientTransaction (dde_client.c:1228)
    by test_ddeml_client (dde.c:392)
    by func_dde (dde.c:2357)
    by run_test (test.h:535)
    by main (test.h:585)
  Address 0x7f075e80 is not stack'd, malloc'd or (recently) free'd

It's a little hard to see what's going on, but it appears that the memory in question was indeed recently freed, judging by the attached log, which was generated by the command

  WINEDEBUG=+relay,+heap valgrind --trace-children=yes wine user32_test.exe.so dde.c

and edited to show just the area of interest.
--- Comment #1 from Dan Kegel dank@kegel.com 2009-12-01 20:36:21 ---
Created an attachment (id=25042) --> (http://bugs.winehq.org/attachment.cgi?id=25042)
Section of log showing what happens during DdeClientTransaction
The log shows the memory getting allocated early in DdeClientTransaction, freed towards the end, and then freed again.
--- Comment #2 from Austin English austinenglish@gmail.com 2011-02-09 19:47:26 CST ---
Still present: http://austinenglish.com/logs/valgrind/2011-02-08-15.53/vg-user32_dde.txt
--- Comment #3 from Dan Kegel dank@kegel.com 2011-10-15 16:42:43 CDT ---
Still present. Log seems more informative now:

  Invalid read of size 2
    at GlobalFree (heap.c:758)
    by WDML_FreeTransaction (dde_misc.c:2444)
    by DdeClientTransaction (dde_client.c:1228)
    by func_dde (dde.c:406)
    by run_test (test.h:556)
    by main (test.h:624)
  Address 0x7f033e68 is 0 bytes inside a block of size 8 free'd
    at notify_free (heap.c:262)
    by RtlFreeHeap (heap.c:1748)
    by HeapFree (heap.c:272)
    by GlobalFree (heap.c:770)
    by WDML_HandleReply (dde_client.c:781)
    by WDML_SyncWaitTransactionReply (dde_client.c:1053)
    by WDML_ClientHandle (dde_client.c:1126)
    by DdeClientTransaction (dde_client.c:1224)
    by func_dde (dde.c:406)
    by run_test (test.h:556)
    by main (test.h:624)
--- Comment #4 from Dan Kegel dank@kegel.com 2011-10-19 20:38:15 CDT ---
Here's a slightly less inlined stack:

  Invalid read of size 2
    at GlobalFree (heap.c:758)
    by WDML_FreeTransaction (dde_misc.c:2444)
    by DdeClientTransaction (dde_client.c:1228)
    by test_ddeml_client (dde.c:406, 416)
    by func_dde (dde.c:2702)
  Address 0x7f032ab8 is 0 bytes inside a block of size 8 free'd
    at notify_free (heap.c:262)
    by RtlFreeHeap (heap.c:1748)
    by HeapFree (heap.c:272)
    by GlobalFree (heap.c:770)
    by WDML_HandlePokeReply (dde_client.c:781)
    by WDML_HandleReply (dde_client.c:946)
    by WDML_SyncWaitTransactionReply (dde_client.c:1053)
    by WDML_ClientHandle (dde_client.c:1126)
    by DdeClientTransaction (dde_client.c:1224)
    by test_ddeml_client (dde.c:406)
    by func_dde (dde.c:2702)
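As an added illustration of the pattern the traces in this thread describe (this is not code from Wine or from any commenter here): the data block allocated inside DdeClientTransaction is freed once from the poke-reply handler and then again from WDML_FreeTransaction. The C program below models that with a small quarantining heap that counts double frees instead of corrupting memory, the way valgrind keeps freed blocks around so it can report "recently free'd". It runs the buggy handler and a hardened variant in which the handler takes ownership by clearing the handle, and returns the count for each path. Every demo_* name is hypothetical; the handle-clearing fix is a generic ownership-transfer pattern and is not claimed to be what the Wine commit named later in this thread did.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_BLOCKS 16

/* Constructed stand-in for the process heap. Freed blocks stay quarantined
 * (not returned to malloc) so a stale pointer is still recognised on a
 * second free and can be counted rather than corrupting the real heap. */
typedef struct { void *p; int live; } demo_block;
static demo_block blocks[MAX_BLOCKS];
static int block_count;
static int double_free_count;

static void *demo_GlobalAlloc(size_t n)
{
    if (block_count == MAX_BLOCKS) return NULL;
    void *p = malloc(n);
    if (!p) return NULL;
    blocks[block_count].p = p;
    blocks[block_count].live = 1;
    block_count++;
    return p;
}

static void demo_GlobalFree(void *p)
{
    if (!p) return;                      /* freeing a NULL handle is a no-op */
    for (int i = 0; i < block_count; i++) {
        if (blocks[i].p != p) continue;
        if (blocks[i].live) { blocks[i].live = 0; return; }
        double_free_count++;             /* block already freed: the bug */
        return;
    }
    double_free_count++;                 /* pointer never came from this heap */
}

/* Return quarantined blocks to the system once a transaction is finished. */
static void demo_release_quarantine(void)
{
    for (int i = 0; i < block_count; i++) free(blocks[i].p);
    block_count = 0;
}

/* Hypothetical analogue of the client transaction record: the transaction
 * owns a data handle that both a reply handler and the final cleanup touch. */
typedef struct { void *hData; } demo_transaction;

/* Buggy handler: frees the data but leaves the dangling handle in place, so
 * the cleanup below frees it a second time (the sequence in the traces). */
static void demo_handle_reply_buggy(demo_transaction *t)
{
    demo_GlobalFree(t->hData);
}

/* Hardened handler: taking ownership means clearing the field, so whatever
 * runs later sees nothing left to free. */
static void demo_handle_reply_fixed(demo_transaction *t)
{
    demo_GlobalFree(t->hData);
    t->hData = NULL;
}

static void demo_free_transaction(demo_transaction *t)
{
    demo_GlobalFree(t->hData);           /* no-op once the handle was cleared */
    t->hData = NULL;
}

/* Run one transaction end to end; returns how many double frees the tracking
 * heap caught (1 on the buggy path, 0 with the ownership-transfer fix). */
static int demo_client_transaction(int use_fix)
{
    double_free_count = 0;
    demo_transaction t;
    t.hData = demo_GlobalAlloc(8);       /* block of size 8, as in the traces */
    if (use_fix) demo_handle_reply_fixed(&t);
    else         demo_handle_reply_buggy(&t);
    demo_free_transaction(&t);
    demo_release_quarantine();
    return double_free_count;
}

int main(void)
{
    printf("buggy path: %d double free(s) caught\n", demo_client_transaction(0));
    printf("fixed path: %d double free(s) caught\n", demo_client_transaction(1));
    return 0;
}
```

The point of the quarantine is the same one that makes the later valgrind reports in this thread more useful than the first: when a freed block is not immediately reused, the second free can be attributed to the original allocation and its first free, instead of appearing as a read of an address that is "not stack'd, malloc'd or (recently) free'd".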
--- Comment #5 from Austin English austinenglish@gmail.com ---
Still in wine-1.7.11-206-g82b3813

  ==21199== Invalid read of size 2
  ==21199==    at 0x7B84490C: GlobalFree (heap.c:758)
  ==21199==    by 0x534B100: WDML_FreeTransaction (dde_misc.c:1985)
  ==21199==    by 0x5347579: DdeClientTransaction (dde_client.c:1226)
  ==21199==    by 0x4EEBDEF: test_ddeml_client (dde.c:403)
  ==21199==    by 0x4EF2D8A: func_dde (dde.c:2697)
  ==21199==    by 0x4EC9EEB: main (test.h:584)
--- Comment #6 from Austin English austinenglish@gmail.com ---
Created attachment 47388 --> http://bugs.winehq.org/attachment.cgi?id=47388
valgrind log
Austin English austinenglish@gmail.com changed:

  What      | Removed | Added
  ----------+---------+----------
  Keywords  |         | valgrind
Thomas Faller tfaller1@gmx.de changed:

  What | Removed | Added
  -----+---------+-----------------
  CC   |         | tfaller1@gmx.de

--- Comment #7 from Thomas Faller tfaller1@gmx.de ---
I can't reproduce this bug with wine 1.9.0. Can someone confirm this please?
--- Comment #8 from Nikolay Sivov bunglehead@gmail.com ---
Yes, I can reproduce invalid read on current Wine + valgrind-svn:

---
  ==13031== Invalid read of size 2
  ==13031==    at 0x7B843878: GlobalFree (heap.c:762)
  ==13031==    by 0x4F5F4F1: WDML_FreeTransaction (dde_misc.c:1985)
  ==13031==    by 0x4F5BF33: DdeClientTransaction (dde_client.c:1226)
  ==13031==    by 0x4D06233: test_ddeml_client (dde.c:403)
  ==13031==    by 0x4D0BBD8: func_dde (dde.c:2696)
  ==13031==    by 0x4CE9003: main (test.h:584)
  ==13031==  Address 0x495f8f0 is 16 bytes after a recently re-allocated block of size 48 alloc'd
  ==13031==    at 0x7BC507E9: RtlAllocateHeap (heap.c:254)
  ==13031==    by 0x4F5F3C8: WDML_AllocTransaction (dde_misc.c:1919)
  ==13031==    by 0x4F5BBEE: DdeClientTransaction (dde_client.c:721)
  ==13031==    by 0x4D06233: test_ddeml_client (dde.c:403)
  ==13031==    by 0x4D0BBD8: func_dde (dde.c:2696)
  ==13031==    by 0x4CE9003: main (test.h:584)
---
Jactry Zeng jactry92@gmail.com changed:

  What | Removed | Added
  -----+---------+--------------------
  CC   |         | jactry92@gmail.com
Thomas Faller tfaller1@gmx.de changed:

  What          | Removed | Added
  --------------+---------+-------------------------------------------
  Fixed by SHA1 |         | 4e7a7d01ffd1bbbb07acfe08ebf74046ad1f9d9a
  Status        | NEW     | RESOLVED
  Resolution    | ---     | FIXED

--- Comment #9 from Thomas Faller tfaller1@gmx.de ---
Fixed by 4e7a7d01ffd1bbbb07acfe08ebf74046ad1f9d9a.
Alexandre Julliard julliard@winehq.org changed:

  What   | Removed  | Added
  -------+----------+--------
  Status | RESOLVED | CLOSED

--- Comment #10 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.9.2.
Michael Stefaniuc mstefani@redhat.com changed:

  What             | Removed | Added
  -----------------+---------+----------------------
  Target Milestone | ---     | 1.8.x
  CC               |         | mstefani@redhat.com
Michael Stefaniuc mstefani@redhat.com changed:

  What             | Removed | Added
  -----------------+---------+-------
  Target Milestone | 1.8.x   | ---

--- Comment #11 from Michael Stefaniuc mstefani@redhat.com ---
Removing 1.8.x milestone from bugs included in 1.8.5.