This is to avoid a crash in UnregisterDeviceNotification when called a second time for the same handle.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=58050
<details> <summary>ASan Details</summary>
``` ================================================================= ==control.exe==536==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f07e3ae0568 at pc 0x6ffffdc6f092 bp 0x7ffffe1fdae0 sp 0x7ffffe1fdb28 READ of size 8 at 0x7f07e3ae0568 thread T0 #0 0x6ffffdc6f091 in list_remove ...\wine\include\wine\list.h:100 #1 0x6ffffdc6efcc in I_ScUnregisterDeviceNotification ...\wine\dlls\sechost\service.c:2193 #2 0x6ffffa5a16e2 in UnregisterDeviceNotification ...\wine\dlls\user32\input.c:594 #3 0x6ffffdbe3a5f in test_di_dialoHWND__ ...\wine\dlls\joy.cpl\dinput.c:809 #4 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #5 0x6ffffa5c3b6e in call_dialog_proc ...\wine\dlls\user32\winproc.c:130 #6 0x6ffffa5c3c6e in WINPROC_CallDlgProcW ...\wine\dlls\user32\winproc.c:951 #7 0x6ffffa58f8cc in USER_DefDlgProcW ...\wine\dlls\user32\defdlg.c:375 #8 0x6ffffa58f864 in USER_DefDlgProc ...\wine\dlls\user32\defdlg.c:420 #9 0x6ffffb4a39d5 in UXTHEME_DefDlgProc ...\wine\dlls\uxtheme\dialog.c:192 #10 0x6ffffa58fb8d in DialogWndProcW ...\wine\dlls\user32\defdlg.c:438 #11 0x6fffffdaffdf in NtdllDialogWndProc_W+0xf (C:\windows\system32\ntdll.dll+0x17003ffdf) #12 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #13 0x6ffffa5c2ba8 in call_window_proc ...\wine\dlls\user32\winproc.c:111 #14 0x6ffffa5c2d92 in dispatch_win_proc_params ...\wine\dlls\user32\winproc.c #15 0x6ffffa5aee20 in dispatwin_proc_params ...\wine\dlls\user32\message.c:567 #16 0x6ffffa5aeda4 in SendMessageW ...\wine\dlls\user32\message.c:586 #17 0x6ffffde75873 in PROPSHEET_Cancel ...\wine\dlls\comctl32\propsheet.c:1949 #18 0x6ffffde75b80 in PROPSHEET_DoCommand ...\wine\dlls\comctl32\propsheet.c:3359 #19 0x6ffffde7085e in PROPSHEET_DialogProc ...\wine\dlls\comctl32\propsheet.c:3694 #20 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #21 0x6ffffa5c3b6e in call_dialog_proc ...\wine\dlls\user32\winproc.c:130 #22 0x6ffffa5c3c6e in WINPROC_CallDlgProcW 
...\wine\dlls\user32\winproc.c:951 #23 0x6ffffa58f8cc in USER_DefDlgProcW ...\wine\dlls\user32\defdlg.c:375 #24 0x6ffffa58f864 in USER_DefDlgProc ...\wine\dlls\user32\defdlg.c:420 #25 0x6ffffb4a39d5 in UXTHEME_DefDlgProc ...\wine\dlls\uxtheme\dialog.c:192 #26 0x6ffffa58fb8d in DialogWndProcW ...\wine\dlls\user32\defdlg.c:438 #27 0x6fffffdaffdf in NtdllDialogWndProc_W+0xf (C:\windows\system32\ntdll.dll+0x17003ffdf) #28 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #29 0x6ffffa5c2ba8 in call_window_proc ...\wine\dlls\user32\winproc.c:111 #30 0x6ffffa5c2d92 in dispatch_win_proc_params ...\wine\dlls\user32\winproc.c #31 0x6ffffa5aee20 in dispatwin_proc_params ...\wine\dlls\user32\message.c:567 #32 0x6ffffa5aeda4 in SendMessageW ...\wine\dlls\user32\message.c:586 #33 0x6ffffdd9a2fb in BUTTON_WindowProc+0x1c7b (C:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_none_deadbeef\comctl32.dll+0x18000a2fb) #34 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #35 0x6ffffa5c2ba8 in call_window_proc ...\wine\dlls\user32\winproc.c:111 #36 0x6ffffa5c2d92 in dispatch_win_proc_params ...\wine\dlls\user32\winproc.c #37 0x6ffffa5af7db in dispatch_message ...\wine\dlls\user32\message.c:804 #38 0x6ffffa5af881 in DispatchMessageW ...\wine\dlls\user32\message.c:890 #39 0x6ffffa591e90 in IsDialogMessageW ...\wine\dlls\user32\dialog.c:1293 #40 0x6ffffde76a93 in PROPSHEET_IsDialogMessage ...\wine\dlls\comctl32\propsheet.c:2956 #41 0x6ffffde6fd45 in do_loop ...\wine\dlls\comctl32\propsheet.c:2971 #42 0x6ffffde6c938 in PROPSHEET_PropertySheet ...\wine\dlls\comctl32\propsheet.c:3013 #43 0x6ffffde6cddd in PropertySheetW ...\wine\dlls\comctl32\propsheet.c:3124 #44 0x6ffffdbe754c in display_cpl_sheets ...\wine\dlls\joy.cpl\main.c:482 #45 0x6ffffdbe6d2f in CPlApplet ...\wine\dlls\joy.cpl\main.c:570 #46 0x6ffffb98f235 in Control_DoLaunch ...\wine\dlls\shell32\control.c:822 #47 0x6ffffb98e8e4 in Control_RunDLLW 
...\wine\dlls\shell32\control.c:847 #48 0x0001400011b6 in launch+0x26 (C:\windows\system32\control.exe+0x1400011b6) #49 0x000140001044 in STANCE__+0x44 (C:\windows\system32\control.exe+0x140001044) #50 0x000140001320 in wmain+0xb0 (C:\windows\system32\control.exe+0x140001320) #51 0x000140001245 in wmainCRTStartup ...\wine\dlls\msvcrt\crt_wmain.c:58 #52 0x6fffffc3565e in BaseThreadInitThunk ...\wine\dlls\kernel32\thread.c:61 #53 0x6fffffdbbb1a (C:\windows\system32\ntdll.dll+0x17004bb1a)
0x7f07e3ae0568 is located 8 bytes inside of 68-byte region [0x7f07e3ae0560,0x7f07e3ae05a4) freed by thread T0 here: #0 0x6ffffe84a381 in free+0x81 (C:\windows\system32\libclang_rt.asan_dynamic-x86_64.dll+0x18004a381) #1 0x6ffffdc6eff8 in I_ScUnregisterDeviceNotification ...\wine\dlls\sechost\service.c:2196 #2 0x6ffffa5a16e2 in UnregisterDeviceNotification ...\wine\dlls\user32\input.c:594 #3 0x6ffffdbe3a5f in test_di_dialoHWND__ ...\wine\dlls\joy.cpl\dinput.c:809 #4 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #5 0x6ffffa5c3b6e in call_dialog_proc ...\wine\dlls\user32\winproc.c:130 #6 0x6ffffa5c3c6e in WINPROC_CallDlgProcW ...\wine\dlls\user32\winproc.c:951 #7 0x6ffffa58f8cc in USER_DefDlgProcW ...\wine\dlls\user32\defdlg.c:375 #8 0x6ffffa58f864 in USER_DefDlgProc ...\wine\dlls\user32\defdlg.c:420 #9 0x6ffffb4a39d5 in UXTHEME_DefDlgProc ...\wine\dlls\uxtheme\dialog.c:192 #10 0x6ffffa58fb8d in DialogWndProcW ...\wine\dlls\user32\defdlg.c:438 #11 0x6fffffdaffdf in NtdllDialogWndProc_W+0xf (C:\windows\system32\ntdll.dll+0x17003ffdf) #12 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #13 0x6ffffa5c2ba8 in call_window_proc ...\wine\dlls\user32\winproc.c:111 #14 0x6ffffa5c2d92 in dispatch_win_proc_params ...\wine\dlls\user32\winproc.c #15 0x6ffffa5aee20 in dispatwin_proc_params ...\wine\dlls\user32\message.c:567 #16 0x6ffffa5aeda4 in SendMessageW ...\wine\dlls\user32\message.c:586 #17 0x6ffffde75df3 in PROPSHEET_CanSetCurSel ...\wine\dlls\comctl32\propsheet.c:2120 #18 0x6ffffde702ef in PROPSHEET_DialogProc ...\wine\dlls\comctl32\propsheet.c:3722 #19 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #20 0x6ffffa5c3b6e in call_dialog_proc ...\wine\dlls\user32\winproc.c:130 #21 0x6ffffa5c3c6e in WINPROC_CallDlgProcW ...\wine\dlls\user32\winproc.c:951 #22 0x6ffffa58f8cc in USER_DefDlgProcW ...\wine\dlls\user32\defdlg.c:375 #23 0x6ffffa58f864 in USER_DefDlgProc ...\wine\dlls\user32\defdlg.c:420 #24 0x6ffffb4a39d5 in 
UXTHEME_DefDlgProc ...\wine\dlls\uxtheme\dialog.c:192 #25 0x6ffffa58fb8d in DialogWndProcW ...\wine\dlls\user32\defdlg.c:438 #26 0x6fffffdaffdf in NtdllDialogWndProc_W+0xf (C:\windows\system32\ntdll.dll+0x17003ffdf) #27 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86
previously allocated by thread T0 here: #0 0x6ffffe84a5b6 in calloc+0x86 (C:\windows\system32\libclang_rt.asan_dynamic-x86_64.dll+0x18004a5b6) #1 0x6ffffdc6e50b in I_ScRegisterDeviceNotification ...\wine\dlls\sechost\service.c:2141 #2 0x6ffffa5a1377 in RegisterDeviceNotificationW ...\wine\dlls\user32\input.c #3 0x6ffffdbe398c in test_di_dialoHWND__ ...\wine\dlls\joy.cpl\dinput.c:795 #4 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #5 0x6ffffa5c3b6e in call_dialog_proc ...\wine\dlls\user32\winproc.c:130 #6 0x6ffffa5c3c6e in WINPROC_CallDlgProcW ...\wine\dlls\user32\winproc.c:951 #7 0x6ffffa58f8cc in USER_DefDlgProcW ...\wine\dlls\user32\defdlg.c:375 #8 0x6ffffa58f864 in USER_DefDlgProc ...\wine\dlls\user32\defdlg.c:420 #9 0x6ffffb4a39d5 in UXTHEME_DefDlgProc ...\wine\dlls\uxtheme\dialog.c:192 #10 0x6ffffa58fb8d in DialogWndProcW ...\wine\dlls\user32\defdlg.c:438 #11 0x6fffffdaffdf in NtdllDialogWndProc_W+0xf (C:\windows\system32\ntdll.dll+0x17003ffdf) #12 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #13 0x6ffffa5c2ba8 in call_window_proc ...\wine\dlls\user32\winproc.c:111 #14 0x6ffffa5c2d92 in dispatch_win_proc_params ...\wine\dlls\user32\winproc.c #15 0x6ffffa5aee20 in dispatwin_proc_params ...\wine\dlls\user32\message.c:567 #16 0x6ffffa5aeda4 in SendMessageW ...\wine\dlls\user32\message.c:586 #17 0x6ffffde73e49 in PROPSHEET_SetCurSel ...\wine\dlls\comctl32\propsheet.c:2199 #18 0x6ffffde702c3 in PROPSHEET_DialogProc ...\wine\dlls\comctl32\propsheet.c:3717 #19 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86 #20 0x6ffffa5c3b6e in call_dialog_proc ...\wine\dlls\user32\winproc.c:130 #21 0x6ffffa5c3c6e in WINPROC_CallDlgProcW ...\wine\dlls\user32\winproc.c:951 #22 0x6ffffa58f8cc in USER_DefDlgProcW ...\wine\dlls\user32\defdlg.c:375 #23 0x6ffffa58f864 in USER_DefDlgProc ...\wine\dlls\user32\defdlg.c:420 #24 0x6ffffb4a39d5 in UXTHEME_DefDlgProc ...\wine\dlls\uxtheme\dialog.c:192 #25 0x6ffffa58fb8d in 
DialogWndProcW ...\wine\dlls\user32\defdlg.c:438 #26 0x6fffffdaffdf in NtdllDialogWndProc_W+0xf (C:\windows\system32\ntdll.dll+0x17003ffdf) #27 0x6ffffa5c3f6e in WINPROC_wrapper ...\wine\dlls\user32\winproc.c:86
SUMMARY: AddressSanitizer: heap-use-after-free ...\wine\include\wine\list.h:100 in list_remove Shadow bytes around the buggy address: 0x7f07e3ae0280: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00 0x7f07e3ae0300: 06 fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd 0x7f07e3ae0380: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa 0x7f07e3ae0400: fa fa 00 00 00 00 00 00 00 00 06 fa fa fa fa fa 0x7f07e3ae0480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00 =>0x7f07e3ae0500: 00 00 00 00 00 00 04 fa fa fa fa fa fd[fd]fd fd 0x7f07e3ae0580: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd 0x7f07e3ae0600: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd 0x7f07e3ae0680: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa 0x7f07e3ae0700: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa 0x7f07e3ae0780: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==control.exe==536==ABORTING ```
</details>
From: Bernhard Übelacker bernhardu@mailbox.org
This is to avoid a crash in UnregisterDeviceNotification when called a second time for the same handle.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=58050 --- dlls/joy.cpl/dinput.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/dlls/joy.cpl/dinput.c b/dlls/joy.cpl/dinput.c
index 8eefbbbe3f3..340e8d164ae 100644
--- a/dlls/joy.cpl/dinput.c
+++ b/dlls/joy.cpl/dinput.c
@@ -807,6 +807,7 @@ INT_PTR CALLBACK test_di_dialog_proc( HWND hwnd, UINT msg, WPARAM wparam, LPARAM
 case PSN_RESET:
 case PSN_KILLACTIVE:
 UnregisterDeviceNotification( devnotify );
+ devnotify = NULL;
 SetEvent( thread_stop );
 /* wait for the input thread to stop, processing any WM_USER message from it */
 while (MsgWaitForMultipleObjects( 1, &thread, FALSE, INFINITE, QS_ALLINPUT ) == 1)
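Review bot: The added `devnotify = NULL;` under `case PSN_KILLACTIVE:` carries no comment explaining why the handle must be cleared, and the reason cannot be read from the hunk. The ASan report shows the registration freed on one pass through this shared case (reached via PROPSHEET_CanSetCurSel) and unlinked again on a later pass (reached via PROPSHEET_Cancel), so this is a heap use-after-free in `list_remove`, not only a crash. I would add above the assignment `/* PSN_KILLACTIVE and PSN_RESET can both reach here; clear the handle so a freed registration is never unregistered twice */`. The trace also suggests I_ScUnregisterDeviceNotification uses the handle as passed (unlink at service.c:2193, free at service.c:2196), so any other caller that unregisters twice would presumably hit the same problem; service.c is not shown here, so that needs checking separately. test_di_dialog_proc begins and ends outside the hunk.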
Rémi Bernon (@rbernon) commented about dlls/joy.cpl/dinput.c:
case PSN_RESET: case PSN_KILLACTIVE: UnregisterDeviceNotification( devnotify );
devnotify = NULL;
```suggestion:-1+0 if (!devnotify) break; UnregisterDeviceNotification( devnotify ); devnotify = NULL; ```
If we're going through this multiple times I think the other statements below will also have problems (closing handles twice, etc).