On 04/26/2011 11:26 AM, Andrew Eikum wrote:
dump_fmt
- TRACE("cbSize: %u\n", fmt->cbSize);
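Review bot: tracing fmt->cbSize in dump_fmt reads past the end of the structure whenever wFormatTag is WAVE_FORMAT_PCM and the caller handed in a PCMWAVEFORMAT, which has no cbSize field; guard the trace with a wFormatTag check so cbSize is only read for formats that actually carry it.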
Old Wine code contains several comments about never ever reading cbSize in the WAVE_FORMAT_PCM case because it's a potential read past the structure and may cause a segmentation fault. Is it not a valid concern anymore?
WAVEFORMATEX contains the cbSize slot. However, if the winmm:wave* functions pass their argument through to mmdevapi, it may well end up being the smaller PCMWAVEFORMAT only.
You're right, and I wasn't careful enough about this. WinMM has a test for it, and I'll add a similar one to mmdevapi.
Hm, to my surprise it seems MS no longer does this check as of Win7.
When cbSize is out of bounds, it returns a strange error on Vista (AUDCLNT_E_DEVICE_INVALIDATED) and crashes on Win7: https://testbot.winehq.org/JobDetails.pl?Key=10587
When cbSize is in bounds, everything works fine: https://testbot.winehq.org/JobDetails.pl?Key=10588
So, I think I'll leave it crashing. We'll just have to be careful in WinMM to pass a valid structure through.
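The validation the thread says WinMM has to do before passing a format through, as an added example that is not Wine's code: the struct layouts are re-declared here (mirroring mmreg.h, packed) so it builds outside Windows, and cbSize is only read once the format tag says the field exists.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed re-declarations of the Win32 layouts (field order as in mmreg.h). */
#define WAVE_FORMAT_PCM 1
#pragma pack(push, 1)
typedef struct {
    uint16_t wFormatTag, nChannels;
    uint32_t nSamplesPerSec, nAvgBytesPerSec;
    uint16_t nBlockAlign;
} WAVEFORMAT;                                           /* 14 bytes */
typedef struct { WAVEFORMAT wf; uint16_t wBitsPerSample; } PCMWAVEFORMAT; /* 16 bytes, no cbSize */
typedef struct {
    uint16_t wFormatTag, nChannels;
    uint32_t nSamplesPerSec, nAvgBytesPerSec;
    uint16_t nBlockAlign, wBitsPerSample, cbSize;
} WAVEFORMATEX;                                         /* 18 bytes + cbSize extra */
#pragma pack(pop)

/* Bytes the caller must own for this header. For WAVE_FORMAT_PCM the header
 * may be a bare PCMWAVEFORMAT, so cbSize is never touched. */
size_t fmt_expected_size(const WAVEFORMATEX *fmt)
{
    if (fmt->wFormatTag == WAVE_FORMAT_PCM)
        return sizeof(PCMWAVEFORMAT);
    return sizeof(WAVEFORMATEX) + fmt->cbSize;
}

/* 1 if `len` bytes starting at `buf` hold a complete, self-consistent header.
 * Checks the prefix first so cbSize is only read when it is inside the buffer. */
int fmt_is_valid(const void *buf, size_t len)
{
    const WAVEFORMATEX *fmt = buf;
    if (len < sizeof(PCMWAVEFORMAT))
        return 0;                                       /* not even wFormatTag is guaranteed */
    if (fmt->wFormatTag != WAVE_FORMAT_PCM && len < sizeof(WAVEFORMATEX))
        return 0;                                       /* cbSize itself would be out of bounds */
    return len >= fmt_expected_size(fmt);
}

/* dump_fmt variant: cbSize is traced only for formats that carry the field. */
void dump_fmt_safe(const WAVEFORMATEX *fmt)
{
    printf("wFormatTag: %u\nnChannels: %u\nnSamplesPerSec: %u\n",
           fmt->wFormatTag, fmt->nChannels, fmt->nSamplesPerSec);
    if (fmt->wFormatTag != WAVE_FORMAT_PCM)
        printf("cbSize: %u\n", fmt->cbSize);
}
```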