Re: [PATCH 0/1] MR8419: ddraw: Fix use-after-free of the ddraw object.

On Wed Jun 25 01:09:14 2025 +0000, Yuxuan Shui wrote:

yep, here's the stack trace:

01e4:01e8:err:asan:asan_report ASan: read of 8 bytes at
00007274657ED0A0, caller 00006FFFE254BE7C (__asan_report_load8_noabort, ../dlls/asan_dynamic_thunk/thunk.c:1020,1)
01e4:01e8:err:asan:asan_report stacktrace:
01e4:01e8:err:asan:asan_report 	00006FFFE254BE7C
(__asan_report_load8_noabort, ../dlls/asan_dynamic_thunk/thunk.c:1020,1)
01e4:01e8:err:asan:asan_report 	00006FFFE25CC7C6
(ddraw_surface_delete_attached_surface, ../dlls/ddraw/surface.c:2221,71)
01e4:01e8:err:asan:asan_report 	00006FFFE25D13BD
(ddraw_surface_wined3d_object_destroyed, ../dlls/ddraw/surface.c:6056,12)
01e4:01e8:err:asan:asan_report 	00006FFFDCC09F06
(wined3d_texture_sub_resources_destroyed, ../dlls/wined3d/texture.c:1124,34)
01e4:01e8:err:asan:asan_report 	00006FFFDC612C93
(adapter_gl_destroy_texture, ../dlls/wined3d/adapter_gl.c:4548,22)
01e4:01e8:err:asan:asan_report 	00006FFFDCBECC04
(wined3d_texture_decref, ../dlls/wined3d/texture.c:1642,13)
01e4:01e8:err:asan:asan_report 	00006FFFE25C7DD5 (ddraw_surface_cleanup, ../dlls/ddraw/surface.c:614,1)
01e4:01e8:err:asan:asan_report 	00006FFFE25CEAE0
(ddraw_surface_release_iface, ../dlls/ddraw/surface.c:646,9)
01e4:01e8:err:asan:asan_report 	00006FFFE25B09C0
(ddraw_surface1_Release, ../dlls/ddraw/surface.c:759,12)
01e4:01e8:err:asan:asan_report 	00006FFFE2577CE7
(d3d_device_inner_Release, ../dlls/ddraw/device.c:345,9)
01e4:01e8:err:asan:asan_report 	00006FFFE255E144 (d3d_device2_Release, ../dlls/ddraw/device.c:381,1)
01e4:01e8:err:asan:asan_report 	00007FFFFE1CD316 (test_d3d_state_reset, ../dlls/ddraw/tests/ddraw2.c:16927,5)
01e4:01e8:err:asan:asan_report 	00007FFFFE078623 (func_ddraw2, ../dlls/ddraw/tests/ddraw2.c:17379,5)
01e4:01e8:err:asan:asan_report 	00007FFFFE088B23 (run_test, ../include/wine/test.h:785,9)
01e4:01e8:err:asan:asan_report 	00007FFFFE08123F (main, ../include/wine/test.h:903,1)
01e4:01e8:err:asan:asan_report 	00007FFFFE08147E (mainCRTStartup, ../dlls/msvcrt/crt_main.c:60,11)
01e4:01e8:err:asan:asan_report 	00006FFFFD075013 (BaseThreadInitThunk, ../dlls/kernel32/thread.c:61,5)
01e4:01e8:err:asan:asan_report 	00006FFFFE3DFDC3 (RtlUserThreadStart)
01e4:01e8:err:asan:asan_report info:
01e4:01e8:err:asan:asan_report 	heap-use-after-free, addr 00007274657ED0A0
01e4:01e8:err:asan:asan_report 	allocated user region:
[00007274657ED020, 00007274657ED168) 328
01e4:01e8:err:asan:asan_report 	allocated by 15f61
01e4:01e8:err:asan:asan_report 	00006FFFFE3F7B52 (RtlAllocateHeap, ../dlls/ntdll/heap.c:2320,5)
01e4:01e8:err:asan:asan_report 	00006FFFF794E803 (msvcrt_heap_alloc, ../dlls/msvcrt/heap.c:72,1)
01e4:01e8:err:asan:asan_report 	00006FFFF7903820 (calloc, ../dlls/msvcrt/heap.c:397,1)
01e4:01e8:err:asan:asan_report 	00006FFFE2542809 (DDRAW_Create, ../dlls/ddraw/main.c:325,19)
01e4:01e8:err:asan:asan_report 	00006FFFE2546E0F (DirectDrawCreate, ../dlls/ddraw/main.c:365,10)
01e4:01e8:err:asan:asan_report 	00007FFFFE04DD37 (create_ddraw, ../dlls/ddraw/tests/ddraw2.c:455,8)
01e4:01e8:err:asan:asan_report 	00007FFFFE1CBA06 (test_d3d_state_reset, ../dlls/ddraw/tests/ddraw2.c:16853,13)
01e4:01e8:err:asan:asan_report 	00007FFFFE078623 (func_ddraw2, ../dlls/ddraw/tests/ddraw2.c:17379,5)
01e4:01e8:err:asan:asan_report 	00007FFFFE088B23 (run_test, ../include/wine/test.h:785,9)
01e4:01e8:err:asan:asan_report 	00007FFFFE08123F (main, ../include/wine/test.h:903,1)
01e4:01e8:err:asan:asan_report 	00007FFFFE08147E (mainCRTStartup, ../dlls/msvcrt/crt_main.c:60,11)
01e4:01e8:err:asan:asan_report 	00006FFFFD075013 (BaseThreadInitThunk, ../dlls/kernel32/thread.c:61,5)
01e4:01e8:err:asan:asan_report 	00006FFFFE3DFDC3 (RtlUserThreadStart)
01e4:01e8:err:asan:asan_report 	freed by 161ba
01e4:01e8:err:asan:asan_report 	00006FFFFE411A8D (RtlFreeHeap, ../dlls/ntdll/heap.c:2429,13)
01e4:01e8:err:asan:asan_report 	00006FFFF794E8CB (msvcrt_heap_free, ../dlls/msvcrt/heap.c:115,1)
01e4:01e8:err:asan:asan_report 	00006FFFF7932CC0 (free, ../dlls/msvcrt/heap.c:415,1)
01e4:01e8:err:asan:asan_report 	00006FFFE25A3581 (ddraw_destroy, ../dlls/ddraw/ddraw.c:451,1)
01e4:01e8:err:asan:asan_report 	00006FFFE2592569 (ddraw2_Release, ../dlls/ddraw/ddraw.c:496,12)
01e4:01e8:err:asan:asan_report 	00007FFFFE1CD2BE (test_d3d_state_reset, ../dlls/ddraw/tests/ddraw2.c:16926,5)
01e4:01e8:err:asan:asan_report 	00007FFFFE078623 (func_ddraw2, ../dlls/ddraw/tests/ddraw2.c:17379,5)
01e4:01e8:err:asan:asan_report 	00007FFFFE088B23 (run_test, ../include/wine/test.h:785,9)
01e4:01e8:err:asan:asan_report 	00007FFFFE08123F (main, ../include/wine/test.h:903,1)
01e4:01e8:err:asan:asan_report 	00007FFFFE08147E (mainCRTStartup, ../dlls/msvcrt/crt_main.c:60,11)
01e4:01e8:err:asan:asan_report 	00006FFFFD075013 (BaseThreadInitThunk, ../dlls/kernel32/thread.c:61,5)
01e4:01e8:err:asan:asan_report 	00006FFFFE3DFDC3 (RtlUserThreadStart)

clearly the device held a reference to the surface so the surface was released after the ddraw.

native doesn't crash on this test case right? so maybe we shouldn't either?