comctl32: Fix read of uninitialized data in LISTVIEW_HeaderNotification and rename it to LISTVIEW_Notify. (Valgrind)

Alexander Scott-Johns alexander.scott.johns at googlemail.com
Wed Feb 16 20:05:21 CST 2011 

LISTVIEW_HeaderNotification assumes that the lParam parameter from the
WM_NOTIFY message is always a pointer to an NMHEADERW. This is not
always the case, as (for example) HEADER_LButtonUp sends an
NM_RELEASEDCAPTURE notification with a plain NMHDR.

My patch adds code to check that the notification code is between
HDN_FIRST and HDN_LAST before trying to access the parameter as an
NMHEADERW. It also moves the hwndFrom check into
LISTVIEW_HeaderNotification, which is then renamed to LISTVIEW_Notify.

Found with Valgrind.
-------------- next part --------------
From ead26757aaee0253c2146b6e8c6a2a1a588cb03a Mon Sep 17 00:00:00 2001
From: Alexander Scott-Johns <alexander.scott.johns at googlemail.com>
Date: Thu, 17 Feb 2011 01:24:14 +0000
Subject: comctl32: Fix read of uninitialized data in LISTVIEW_HeaderNotification and rename it to LISTVIEW_Notify. (Valgrind)

---
 dlls/comctl32/listview.c |   28 ++++++++++++++++------------
 1 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/dlls/comctl32/listview.c b/dlls/comctl32/listview.c
index a59406f..dc96200 100644
--- a/dlls/comctl32/listview.c
+++ b/dlls/comctl32/listview.c
@@ -10129,26 +10129,32 @@ static LRESULT LISTVIEW_NCDestroy(LISTVIEW_INFO *infoPtr)
 
 /***
  * DESCRIPTION:
- * Handles notifications from header.
+ * Handles notifications.
  *
  * PARAMETER(S):
  * [I] infoPtr : valid pointer to the listview structure
- * [I] nCtrlId : control identifier
- * [I] lpnmh : notification information
+ * [I] lpnmhdr : notification information
  *
  * RETURN:
  * Zero
  */
-static LRESULT LISTVIEW_HeaderNotification(LISTVIEW_INFO *infoPtr, const NMHEADERW *lpnmh)
+static LRESULT LISTVIEW_Notify(LISTVIEW_INFO *infoPtr, const NMHDR *lpnmhdr)
 {
     HWND hwndSelf = infoPtr->hwndSelf;
+    const NMHEADERW *lpnmh;
     
-    TRACE("(lpnmh=%p)\n", lpnmh);
+    TRACE("(lpnmhdr=%p)\n", lpnmhdr);
 
-    if (!lpnmh || lpnmh->iItem < 0 || lpnmh->iItem >= DPA_GetPtrCount(infoPtr->hdpaColumns)) return 0;
-    
-    switch (lpnmh->hdr.code)
-    {    
+    if (!lpnmhdr || lpnmhdr->hwndFrom != infoPtr->hwndHeader) return 0;
+
+    /* remember: HDN_LAST < HDN_FIRST */
+    if (lpnmhdr->code > HDN_FIRST || lpnmhdr->code < HDN_LAST) return 0;
+    lpnmh = (const NMHEADERW *)lpnmhdr;
+
+    if (lpnmh->iItem < 0 || lpnmh->iItem >= DPA_GetPtrCount(infoPtr->hdpaColumns)) return 0;
+
+    switch (lpnmhdr->code)
+    {
 	case HDN_TRACKW:
 	case HDN_TRACKA:
 	{
@@ -11456,9 +11462,7 @@ LISTVIEW_WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
     return LISTVIEW_NCPaint(infoPtr, (HRGN)wParam);
 
   case WM_NOTIFY:
-    if (lParam && ((LPNMHDR)lParam)->hwndFrom == infoPtr->hwndHeader)
-        return LISTVIEW_HeaderNotification(infoPtr, (LPNMHEADERW)lParam);
-    else return 0;
+    return LISTVIEW_Notify(infoPtr, (LPNMHDR)lParam);
 
   case WM_NOTIFYFORMAT:
     return LISTVIEW_NotifyFormat(infoPtr, (HWND)wParam, (INT)lParam);
-- 
1.7.0.4

More information about the wine-patches mailing list