When button_count is 0, we would allocate 0 bytes for line_widths, but later line_count would be 1 so we would still try to access line_widths[0] which is out-of-bound.
-- v2: comctl32: Make sure line_widths is big enough.
From: Yuxuan Shui <yshui@codeweavers.com>
When button_count is 0, we would allocate 0 bytes for line_widths, but later line_count would be 1 so we would still try to access line_widths[0] which is out-of-bound. --- dlls/comctl32/taskdialog.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/comctl32/taskdialog.c b/dlls/comctl32/taskdialog.c index 2f8f6de5a4e..c6815cff9ac 100644 --- a/dlls/comctl32/taskdialog.c +++ b/dlls/comctl32/taskdialog.c @@ -965,7 +965,7 @@ static void taskdialog_layout(struct taskdialog_info *dialog_info)
/* Common and custom buttons */ button_layout_infos = Alloc(dialog_info->button_count * sizeof(*button_layout_infos)); - line_widths = Alloc(dialog_info->button_count * sizeof(*line_widths)); + line_widths = Alloc(max(dialog_info->button_count, 1) * sizeof(*line_widths));
button_min_width = DIALOG_BUTTON_WIDTH; button_height = DIALOG_BUTTON_HEIGHT;
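Review bot: The `max(dialog_info->button_count, 1)` on the `line_widths` allocation has no comment saying why the minimum is 1, so the reason (line_count is still 1 when there are no buttons, and line_widths[0] is accessed) lives only in the commit message. A short comment above the `Alloc` call would keep a later cleanup from reverting it. Also, `button_layout_infos` in the context line just above is still sized by `dialog_info->button_count` alone, so it remains a 0-byte allocation in the same zero-button case; it is worth confirming that nothing in the rest of taskdialog_layout() indexes it when button_count is 0, or handling the zero-button case explicitly instead of padding one of the two arrays.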
I think it makes sense, but it would be best if @zhiyi confirmed it.
Hi, I submitted https://gitlab.winehq.org/wine/wine/-/merge_requests/8223, which should also fix the illegal memory access.
On Fri Jun 6 10:41:34 2025 +0000, Zhiyi Zhang wrote:
> Hi, I submitted https://gitlab.winehq.org/wine/wine/-/merge_requests/8223, which should also fix the illegal memory access.
cool! i wasn't sure if the 0 buttons behavior is intentional or not, so i fixed it this way. guess it is not!
superseded by !8223
This merge request was closed by Yuxuan Shui.