[Bug 54564] New: Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph

List overview All Threads

newer

older

[Bug 50941] New: TIP-Integral:...

[Bug 54458] New: vbscript memory...

WineHQ Bugzilla

23 Feb 2023 23 Feb '23

3:55 p.m.

https://bugs.winehq.org/show_bug.cgi?id=54564

Bug ID: 54564 Summary: Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph Product: Wine Version: 8.2 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: richedit Assignee: wine-bugs@winehq.org Reporter: jinoh.kang.kr@gmail.com CC: huw@codeweavers.com Distribution: ---

Rich Edit crashes with NULL dereference when Ctrl+Right is pressed at past the final paragraph.

Steps to reproduce:

1. Open Wordpad. 2. Press "A". 3. Press Home or Left. 4. Press Ctrl+Right. 5. Press Ctrl+Right.

Expected behaviour:

Wine doesn't crash.

Actual behaviour:

Wine crashes inside `para_next`, because `ME_MoveCursorWords` tries to fetch `next_para` of NULL paragraph pointer.

-- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

Show replies by date

WineHQ Bugzilla

24 Feb 24 Feb

4:42 p.m.

New subject: [Bug 54564] Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph

https://bugs.winehq.org/show_bug.cgi?id=54564

Jinoh Kang jinoh.kang.kr@gmail.com changed:

--- Comment #1 from Jinoh Kang jinoh.kang.kr@gmail.com --- The following diagnosis has been performed based on Wine commit 15b176b4f4945d7abfb4adbddc7f140ba1765855.

Symptom:

As of Wine 8.2 (but going as far back as 5.20), ME_MoveCursorWords can produce an invalid cursor which eventually causes NULL pointer dereference in the same function via user trigger.

Background:

- A ME_Cursor instance represents a specific position inside the rich text document being edited. A valid ME_Cursor maintains the invariant that `pRun` is a child of of `pPara`.

- ME_MoveCursorWords is a function that implements cursor motion in "word units." As part of its implicit contract, it should produce a valid ME_Cursor via the `cursor` output parameter.

Diagnosis:

- ME_MoveCursorWords violates the contract w.r.t the `cursor` output parameter in the "forward movement" case.

- When `other_run` is NULL, ME_MoveCursorWords re-assigns the `para` variable but leaves `run` as-is. This re-assignment makes `run` stale (semantically), and disrupts the previously established invariant that `run` should be a child of `para`. The `run` and `para` values are latter copied to `cursor->pRun` and `cursor->pPara`, causing the contract violation.

- This is a regression. The first revision that introduces this breakage is commit 586e31a1e6e524e593897285a82b90a08303db33.

-- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

WineHQ Bugzilla

25 Feb 25 Feb

12:12 p.m.

New subject: [Bug 54564] Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph

https://bugs.winehq.org/show_bug.cgi?id=54564

Jinoh Kang jinoh.kang.kr@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Keywords| |regression, source

--- Comment #2 from Jinoh Kang jinoh.kang.kr@gmail.com --- Another symptom of this issue is that the cursor may "float around" if pressing Ctrl+Right while the cursor was at the end of the paragraph, since pPara points to the next paragraph but pRun points to a run in the first paragraph.

-- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

WineHQ Bugzilla

2 Mar 2 Mar

2:04 p.m.

New subject: [Bug 54564] Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph

https://bugs.winehq.org/show_bug.cgi?id=54564

Jinoh Kang jinoh.kang.kr@gmail.com changed:

--- Comment #3 from Jinoh Kang jinoh.kang.kr@gmail.com --- Fixed in 7e28fa5c558f1417f8f033cb843424778bbfb8b8.

-- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

WineHQ Bugzilla

3 Mar 3 Mar

9:29 p.m.

New subject: [Bug 54564] Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph

https://bugs.winehq.org/show_bug.cgi?id=54564

Alexandre Julliard julliard@winehq.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED

--- Comment #4 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 8.3.

-- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

WineHQ Bugzilla

1 Apr 1 Apr

5:51 p.m.

New subject: [Bug 54564] Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph

https://bugs.winehq.org/show_bug.cgi?id=54564

Michael Stefaniuc mstefani@winehq.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |8.0.x

-- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

WineHQ Bugzilla

20 Apr 20 Apr

6:51 p.m.

New subject: [Bug 54564] Rich Edit crashes when Ctrl+Right is pressed at past the final paragraph

https://bugs.winehq.org/show_bug.cgi?id=54564

Michael Stefaniuc mstefani@winehq.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|8.0.x |---

--- Comment #5 from Michael Stefaniuc mstefani@winehq.org --- Removing the 8.0.x milestone from bug fixes included in 8.0.1.

-- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

616

Age (days ago)

672

Last active (days ago)

wine-bugs@winehq.org

6 comments

1 participants

tags (0)

participants (1)

WineHQ Bugzilla