https://bugs.winehq.org/show_bug.cgi?id=57929
Bug ID: 57929
Summary: Illegal pointer may be dereferenced
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: win32u
Assignee: wine-bugs@winehq.org
Reporter: 1367173408@qq.com
Distribution: ---
Created attachment 78182 --> https://bugs.winehq.org/attachment.cgi?id=78182 execution trace
I have found a risk that an illegal pointer may be dereferenced.
At line 119 in file `dlls/win32u/ntgdi_private.h`, the function `pop_dc_driver` may return NULL.
At line 750 in file `dlls/win32u/path.c`, the return value of `pop_dc_driver`, which may be NULL, is used as a real argument of call for `pDeleteDC` (`pathdrv_DeleteDC`).
Then, as shown by steps 3 and 4 in the attached image, an illegal address may be returned by function `get_path_physdev`, because `dev` is NULL (0) and `offsetof(type, field)` is subtracted from it.
Finally, as shown by step 5, the illegal pointer may be dereferenced, which may cause unexpected application behavior or crashes.
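The mechanism the report describes in steps 3 to 5 is the container-recovery idiom (subtract `offsetof` from a pointer to an embedded member) applied to a pointer that might be NULL. The following is an added illustration, not Wine's code: the struct layouts, the `funcs` string tag and the `delete_path_driver` helper are constructed stand-ins, and `pop_dc_driver` here is a simplified model of a driver stack pop that returns NULL when the requested driver is not on top. It shows the wrapped-around address that a NULL `dev` produces and the checked pattern that avoids dereferencing it.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-ins for Wine's physdev structures.
   The names mirror the report; the layouts are hypothetical, not win32u's. */
struct gdi_physdev {
    struct gdi_physdev *next;   /* next driver down the DC's driver stack */
    const char *funcs;          /* stands in for the driver's function table pointer */
};

struct path_physdev {
    int pad;                    /* puts the embedded dev at a non-zero offset */
    struct gdi_physdev dev;     /* embedded base, recovered with offsetof */
};

struct dc {
    struct gdi_physdev *physdev;  /* top of the driver stack, NULL when empty */
};

/* Integer form of the container recovery. For a NULL dev this evaluates to
   0 - offsetof(...), a wrapped-around address near the top of the address
   space: the "illegal address" of step 3 in the report. Done on uintptr_t so
   the arithmetic itself is well defined and can be inspected safely. */
uintptr_t path_physdev_addr(const struct gdi_physdev *dev)
{
    return (uintptr_t)dev - offsetof(struct path_physdev, dev);
}

/* Hardened container recovery: never derive a container from NULL. */
struct path_physdev *get_path_physdev_checked(struct gdi_physdev *dev)
{
    if (!dev) return NULL;
    return (struct path_physdev *)((char *)dev - offsetof(struct path_physdev, dev));
}

void push_dc_driver(struct dc *dc, struct gdi_physdev *dev, const char *funcs)
{
    dev->funcs = funcs;
    dev->next = dc->physdev;
    dc->physdev = dev;
}

/* Model of the pop: removes the top driver only if it belongs to `funcs`.
   Returns NULL when the stack is empty or a different driver is on top,
   which is the case the report notes is checked at two of the call sites. */
struct gdi_physdev *pop_dc_driver(struct dc *dc, const char *funcs)
{
    struct gdi_physdev *dev = dc->physdev;
    if (!dev || strcmp(dev->funcs, funcs) != 0) return NULL;
    dc->physdev = dev->next;
    dev->next = NULL;
    return dev;
}

/* Checked shape of the DeleteDC path: pop, test for NULL, then recover the
   container. Returns true only if a path driver was actually removed. */
bool delete_path_driver(struct dc *dc)
{
    struct gdi_physdev *dev = pop_dc_driver(dc, "path");
    struct path_physdev *physdev = get_path_physdev_checked(dev);
    if (!physdev) return false;   /* nothing to release, so nothing is dereferenced */
    physdev->pad = 0;             /* stands in for releasing the driver's state */
    return true;
}

int main(void)
{
    struct dc dc = { NULL };
    struct path_physdev path = { 0, { NULL, NULL } };

    printf("container address for NULL dev: 0x%lx\n",
           (unsigned long)path_physdev_addr(NULL));
    printf("delete with no driver on the stack: %s\n",
           delete_path_driver(&dc) ? "removed" : "skipped");
    push_dc_driver(&dc, &path.dev, "path");
    printf("delete with a path driver on top: %s\n",
           delete_path_driver(&dc) ? "removed" : "skipped");
    return 0;
}
```

Whether `dev` can actually be NULL at the win32u call site named in the report is exactly the point argued in the comments; the example only shows why a container-of on a NULL pointer cannot be made safe after the fact, and that the NULL check has to happen on the popped pointer before the subtraction.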
Alexandre Julliard julliard@winehq.org changed:
What | Removed | Added
---|---|---
Resolution | --- | INVALID
Status | UNCONFIRMED | RESOLVED
--- Comment #1 from Alexandre Julliard julliard@winehq.org --- That can't happen, we know that there's a driver at that point.
Please don't file a bug for every static analyzer false positive; there are too many of them.
--- Comment #2 from 1367173408@qq.com ---
(In reply to Alexandre Julliard from comment #1)
> That can't happen, we know that there's a driver at that point.
> Please don't file a bug for every static analyzer false positive; there are too many of them.

Thank you for your patience! But I noticed that there are five call sites of the function `pop_dc_driver`, two of which check if its return value is NULL (line 819 in file `dlls/win32u/path.c` and line 800 in file `dlls/win32u/dibdrv/dc.c`). So I am confused about why the return value at the call site mentioned in my report is guaranteed to be non-null.
--- Comment #3 from Alexandre Julliard julliard@winehq.org --- In some cases we know that there's a driver already; in other cases it's possible that there isn't one. It depends on what the function is doing and where it's called from.