Bernhard Übelacker (@bernhardu) commented about dlls/vccorlib140/tests/vccorlib.c:
- obj = pCreateValue(TYPECODE_STRING, &str);
- WindowsDeleteString(str);
- ok(obj != NULL || broken(obj == NULL), "got obj %p\n", obj); /* Returns NULL on i386 Windows 10. */
- if (obj)
- {
type = PropertyType_Empty;hr = IPropertyValue_get_Type(obj, &type);ok(hr == S_OK, "got hr %#lx\n", hr);ok(type == PropertyType_String, "got type %d\n", type);str = NULL;hr = IPropertyValue_GetString(obj, &str);ok(hr == S_OK, "got hr %#lx\n", hr);ok(str != NULL, "got str %p\n", str);buf = WindowsGetStringRawBuffer(str, NULL);ok(buf && !wcscmp(buf, L"foo"), "got buf %s\n", debugstr_w(buf));WindowsDeleteString(str);
@vibhavp, in my latest ASan run the vccorlib140:vccorlib tests shows up with a heap-use-after-free in WindowsGetStringRawBuffer in line 951. Is `str` supposed to be a new allocation after line 948?
``` ==vccorlib140_test.exe==1096==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f6707c03ba0 at pc 0x6ffffccb8d13 bp 0x7ffffe1ffa20 sp 0x7ffffe1ffa68 READ of size 8 at 0x7f6707c03ba0 thread T0 #0 0x6ffffccb8d12 in WindowsGetStringRawBuffer /home/benutzer/wine-asan-pe/wine/dlls/combase/string.c:277:25 #1 0x000140004458 in test_CreateValue /home/benutzer/wine-asan-pe/wine/dlls/vccorlib140/tests/vccorlib.c:951:15
0x7f6707c03ba0 is located 16 bytes inside of 36-byte region [0x7f6707c03b90,0x7f6707c03bb4) freed by thread T0 here: #0 0x6ffffe86bb31 in free C:/llvm-project-main/compiler-rt/lib/asan/asan_malloc_win.cpp:71:3 #1 0x6ffffccb8762 in WindowsDeleteString /home/benutzer/wine-asan-pe/wine/dlls/combase/string.c:154:9 #2 0x00014000431c in test_CreateValue /home/benutzer/wine-asan-pe/wine/dlls/vccorlib140/tests/vccorlib.c:939:5
previously allocated by thread T0 here: #0 0x6ffffe86bc41 in malloc C:/llvm-project-main/compiler-rt/lib/asan/asan_malloc_win.cpp:80:3 #1 0x6ffffccb844b in alloc_string /home/benutzer/wine-asan-pe/wine/dlls/combase/string.c:69:12 #2 0x6ffffccb825b in WindowsCreateString /home/benutzer/wine-asan-pe/wine/dlls/combase/string.c:103:10 #3 0x0001400042c9 in test_CreateValue /home/benutzer/wine-asan-pe/wine/dlls/vccorlib140/tests/vccorlib.c:936:10 ``` [full ASan output](https://gitlab.winehq.org/bernhardu/wine/-/blob/asan-pe_2025-08-17_wine-10.1...)