The summary of how the bug happens is:
1. `union_memsize` gets called with a pointer to uninitialized `dummy`.

```
static unsigned int write_union_tfs(FILE *file, const attr_list_t *attrs,
                                    type_t *type, unsigned int *tfsoff)
{
    [...]
    unsigned int dummy;
    [...]
    size = union_memsize(fields, &dummy);
```
2. `union_memsize` reads `pmaxa` (which points to `dummy`) to set the initial value of `align`.

```
static unsigned int union_memsize(const var_list_t *fields, unsigned int *pmaxa)
{
    unsigned int size, maxs = 0;
    unsigned int align = *pmaxa;
    const var_t *v;

    if (fields) LIST_FOR_EACH_ENTRY( v, fields, const var_t, entry )
    {
        /* we could have an empty default field with NULL type */
        if (v->declspec.type)
        {
            size = type_memsize_and_alignment(v->declspec.type, &align);
            if (maxs < size) maxs = size;
            if (*pmaxa < align) *pmaxa = align;
        }
    }
```
`type_memsize_and_alignment` then descends down and passes along the uninitialized `align`. `type_memsize_and_alignment` will use this to find the required alignment for the type (and will round up the computed type size to the uninitialized alignment if necessary).
This patch just initializes `dummy` to 0 (which means the 'real' alignment value) should set the value to a real alignment.
---
 tools/widl/typegen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
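The mechanism described above, as an added illustration that is not widl's code and not part of this patch: a minimal model of the `union_memsize` / `type_memsize_and_alignment` control flow quoted in the message. The member table, the "round the member size up to the running alignment" rule, and the `model_*` / `union_size_with_seed` names are assumptions made for the demo; only the control flow mirrors the quoted snippets. Calling it with a seed of 0 stands for the fixed code, and with a non-zero seed for whatever garbage happened to be in the uninitialized `dummy`.

```c
/*
 * Added illustration, not widl code. Models how union_memsize() seeds
 * `align` from *pmaxa and hands it down into the member size
 * computation, so a garbage incoming value inflates the result.
 */
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a type_t: its own size and alignment. */
struct member {
    unsigned int size;
    unsigned int align;
};

/*
 * Model of type_memsize_and_alignment() (assumption, not the real
 * function): raise *align to the member's own alignment, then round
 * the member's size up to *align. The round-up is the step the commit
 * message describes as propagating the uninitialized alignment.
 */
static unsigned int model_memsize_and_alignment(const struct member *m,
                                                unsigned int *align)
{
    unsigned int size = m->size;

    if (*align < m->align) *align = m->align;
    if (*align) size = (size + *align - 1) / *align * *align;
    return size;
}

/*
 * Same shape as the quoted union_memsize(): seed `align` from *pmaxa,
 * keep the largest member size, and report the largest alignment
 * back through pmaxa.
 */
static unsigned int model_union_memsize(const struct member *fields,
                                        size_t n, unsigned int *pmaxa)
{
    unsigned int size, maxs = 0;
    unsigned int align = *pmaxa;

    for (size_t i = 0; i < n; i++) {
        size = model_memsize_and_alignment(&fields[i], &align);
        if (maxs < size) maxs = size;
        if (*pmaxa < align) *pmaxa = align;
    }
    return maxs;
}

/*
 * Caller in the shape of write_union_tfs(): `seed` plays the role of
 * whatever was in `dummy` before the call. 0 is the patched behaviour.
 */
unsigned int union_size_with_seed(unsigned int seed)
{
    /* constructed sample: union { char c; int i; } */
    static const struct member u[] = { { 1, 1 }, { 4, 4 } };
    unsigned int dummy = seed;

    return model_union_memsize(u, sizeof u / sizeof u[0], &dummy);
}

int main(void)
{
    printf("dummy = 0  -> union size %u\n", union_size_with_seed(0));
    printf("dummy = 64 -> union size %u\n", union_size_with_seed(64));
    return 0;
}
```

With the seed at 0 the model reports the expected 4 bytes for the sample union; with a stale 64 in `dummy` every member is rounded up to 64 and the union is reported as 64 bytes, which is the kind of wrong size the uninitialized read could have produced.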
diff --git a/tools/widl/typegen.c b/tools/widl/typegen.c index b2d9ab5..eb0fa5e 100644 --- a/tools/widl/typegen.c +++ b/tools/widl/typegen.c @@ -3327,7 +3327,7 @@ static unsigned int write_union_tfs(FILE *file, const attr_list_t *attrs, unsigned int nbranch = 0; type_t *deftype = NULL; short nodeftype = 0xffff; - unsigned int dummy; + unsigned int dummy = 0; var_t *f;
if (processed(type) && -- 2.35.1
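Review bot: the hunk at @@ -3327,7 +3327,7 @@ fixes the uninitialized read, but nothing at the call site says why 0 is the right seed. `union_memsize` copies `*pmaxa` into `align` before `type_memsize_and_alignment` gets to raise it, so the value in `dummy` acts as a lower bound on the alignment used for every member; a one-line comment next to `unsigned int dummy = 0;` noting that `dummy` is only an out-parameter here and that 0 means "no alignment constraint from the caller" would keep a later reader from dropping the initializer as redundant. It would also help if the commit message stated that any other call sites of `union_memsize` were checked for the same pattern, since the fix is applied at the caller rather than inside the function.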