This moves the stack variable to the outer scope, because it gets accessed in the call to `IDWriteTextLayout_Release` a few lines below.
```
=================================================================
==1792==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffffe1fd0c0 at pc 0x6ffff84f74f6 bp 0x7ffffe1fcad0 sp 0x7ffffe1fcb18
READ of size 8 at 0x7ffffe1fd0c0 thread T0
0704:fixme:file:server_get_file_info Unsupported info class e
    #0 0x6ffff84f74f5 in IDWriteInlineObject_Release .../wine-build/build-asan-pe/64/obj\include\dwrite.h:2815:18
    #1 0x6ffff84f74f5 in free_layout_range .../wine/dlls/dwrite/layout.c:2487:13
    #2 0x6ffff84f74f5 in free_layout_ranges_list .../wine/dlls/dwrite/layout.c:2514:9
    #3 0x6ffff84f74f5 in dwritetextlayout_Release .../wine/dlls/dwrite/layout.c:2949:9
    #4 0x0001400ec179 in IDWriteTextLayout_Release .../wine-build/build-asan-pe/64/obj\include\dwrite.h:4211:12
    #5 0x0001400ec179 in test_GetOverhangMetrics .../wine/dlls/dwrite/tests/layout.c:6288:5
    #6 0x0001400ec179 in func_layout .../wine/dlls/dwrite/tests/layout.c:7118:5
    #7 0x00014013a4bc in run_test .../wine/include/wine/test.h:765:5
    #8 0x00014013a4bc in main .../wine/include/wine/test.h:884:12
    #9 0x00014013c36f in mainCRTStartup .../wine/dlls/msvcrt/crt_main.c:58:11
    #10 0x6ffffbdc4808 in BaseThreadInitThunk /usr/src/packages/BUILD\dlls/kernel32\thread.c:61:5
    #11 0x6ffffaeffa1a in RtlUserThreadStart (C:\windows\system32\ntdll.dll+0x17000fa1a)

Address 0x7ffffe1fd0c0 is located in stack of thread T0 at offset 1280 in frame
    #0 0x0001400a823f in func_layout .../wine/dlls/dwrite/tests/layout.c:7069

  This frame has 224 object(s):
    [32, 392) 'metrics.i6891' (line 6965)
    [464, 472) 'inlineobj.i6892' (line 6966)
    [496, 520) 'line.i' (line 6967)
    [560, 568) 'format.i6893' (line 6968)
    ...
    [1136, 1144) 'layout.i5988' (line 6239)
    [1168, 1184) 'overhang_metrics.i' (line 6254)
    [1200, 1236) 'metrics.i5989' (line 6256)
    [1280, 1320) 'obj.i' (line 6257) <== Memory access at offset 1280 is inside this variable
    [1360, 1368) 'format2.i5721' (line 6136)
    [1392, 1400) 'layout.i5722' (line 6137)
    [1424, 1432) 'format.i5723' (line 6138)
    [1456, 1476) 'spacing.i5724' (line 6176)
    ...
    [10320, 10328) 'format.i' (line 1269)
    [10352, 10360) 'layout1.i' (line 1335)
    [10384, 10392) 'format1.i' (line 1336)
    [10416, 10424) 'format117.i' (line 1337)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp, SEH and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope .../wine-build/build-asan-pe/64/obj\include\dwrite.h:2815:18 in IDWriteInlineObject_Release
Shadow bytes around the buggy address:
  0x7ffffe1fce00: f2 f2 f8 f2 f2 f2 f8 f2 f8 f2 f2 f2 f8 f2 f2 f2
  0x7ffffe1fce80: f8 f2 f2 f2 f8 f8 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
  0x7ffffe1fcf00: f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
  0x7ffffe1fcf80: f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
  0x7ffffe1fd000: f8 f2 00 f2 f2 f2 00 f2 f2 f2 f8 f8 f2 f2 f8 f8
=>0x7ffffe1fd080: f8 f8 f8 f2 f2 f2 f2 f2[f8]f8 f8 f8 f8 f2 f2 f2
  0x7ffffe1fd100: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f8
  0x7ffffe1fd180: f8 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2
  0x7ffffe1fd200: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f8
  0x7ffffe1fd280: f8 f8 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2
  0x7ffffe1fd300: f8 f8 f8 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1792==ABORTING
make: *** [Makefile:162532: dlls/dwrite/tests/x86_64-windows/layout.ok] Fehler 1
```
From: Bernhard Übelacker bernhardu@mailbox.org
--- dlls/dwrite/tests/layout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/dwrite/tests/layout.c b/dlls/dwrite/tests/layout.c index f8ca4f250c4..d8e69a4f17e 100644 --- a/dlls/dwrite/tests/layout.c +++ b/dlls/dwrite/tests/layout.c @@ -6239,6 +6239,7 @@ static void test_GetOverhangMetrics(void) IDWriteTextLayout *layout; HRESULT hr; UINT32 i; + struct test_inline_obj obj;
factory = create_factory();
@@ -6254,7 +6255,6 @@ static void test_GetOverhangMetrics(void) DWRITE_OVERHANG_METRICS overhang_metrics; DWRITE_TEXT_RANGE range = { 0, 1 }; DWRITE_TEXT_METRICS metrics; - struct test_inline_obj obj;
test_inline_obj_init(&obj, &test->metrics, &test->overhang_metrics);
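Review bot: the move to function scope in the first hunk fixes the lifetime for this test, but because the second hunk leaves `test_inline_obj_init(&obj, &test->metrics, &test->overhang_metrics);` inside the per-test loop, one function-scope `obj` is now re-initialised on every iteration; that is only safe as long as each iteration's layout is released before the next `test_inline_obj_init`, and a layout that outlived its iteration would again reference stale data. Since nothing at the declaration says why it lives there, a short comment such as `struct test_inline_obj obj; /* must outlive the layout, released via IDWriteTextLayout_Release() */` would keep a later cleanup from moving it back into the block; allocating one refcounted object per test removes the constraint entirely.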
I suggest switching to allocated objects instead, so that we don't have to think about such issues going forward. Feel free to push this patch. [0001-dwrite-tests-Allocate-test-inline-objects-dynamically.txt](/uploads/3ad1231aae43e4fb33e1f029e1d32b79/0001-dwrite-tests-Allocate-test-inline-objects-dynamically.txt)
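As an added illustration of the allocated-object alternative suggested above (example code, not the Wine test or the attached patch): a heap-allocated, refcounted stand-in for the inline object, where the layout takes its own reference so the object outlives the block that created it, and a live-object counter checks that nothing leaks or is released twice. All names here (`inline_obj`, `layout`, `run_test_loop`, `live_objects`) are hypothetical.

```c
#include <stdlib.h>
/* Stand-in for the refcounted COM-style inline object the dwrite tests use
 * (hypothetical; the real test_inline_obj is more elaborate). */
struct inline_obj { long ref; };
static int live_objects;  /* created but not yet freed; 0 means no leak */

struct inline_obj *inline_obj_create(void)
{
    struct inline_obj *obj = calloc(1, sizeof(*obj));
    if (obj) { obj->ref = 1; live_objects++; }
    return obj;
}

long inline_obj_release(struct inline_obj *obj)
{
    long ref = --obj->ref;
    if (!ref) { live_objects--; free(obj); }
    return ref;
}

/* The layout takes its own reference and drops it only in layout_release;
 * that deferred Release is what touched the block-scoped stack object. */
struct layout { struct inline_obj *inline_obj; };

void layout_set_inline_object(struct layout *layout, struct inline_obj *obj)
{
    layout->inline_obj = obj;
    obj->ref++;                       /* AddRef: the layout now co-owns it */
}

void layout_release(struct layout *layout)
{
    if (layout->inline_obj) inline_obj_release(layout->inline_obj);
    layout->inline_obj = NULL;
}

/* Heap objects: the layout's reference outlives the block; returns objects left. */
int run_test_loop(int iterations)
{
    for (int i = 0; i < iterations; i++) {
        struct layout layout = { NULL };
        {   /* the block that declared 'obj' on the stack in the buggy test */
            struct inline_obj *obj = inline_obj_create();
            layout_set_inline_object(&layout, obj);
            inline_obj_release(obj);  /* 2 -> 1: layout still owns it */
        }
        layout_release(&layout);      /* 1 -> 0: freed here, nothing dangles */
    }
    return live_objects;              /* 0 when every object was freed */
}
```

Under AddressSanitizer the same loop with a block-scoped stack object reports stack-use-after-scope at `layout_release`, which is the report reproduced above.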