[Bug 20553] Invalid read in LISTVIEW_NCDestroy in chromium unit_tests.exe in TableViewTest.Sort?
wine-bugs at winehq.org
wine-bugs at winehq.org
Fri Nov 13 21:37:17 CST 2009
http://bugs.winehq.org/show_bug.cgi?id=20553
--- Comment #6 from Nikolay Sivov <bunglehead at gmail.com> 2009-11-13 21:37:17 ---
So it looks like a problem here:
---
if (!(infoPtr->dwStyle & LVS_SHAREIMAGELISTS))
{
ImageList_Destroy(infoPtr->himlNormal);
ImageList_Destroy(infoPtr->himlSmall); <-
ImageList_Destroy(infoPtr->himlState);
}
---
Looking at chromium I see the following:
---
void TableView::OnDestroy() {
if (table_type_ == ICON_AND_TEXT) {
HIMAGELIST image_list =
ListView_GetImageList(GetNativeControlHWND(), LVSIL_SMALL);
DCHECK(image_list);
if (image_list)
ImageList_Destroy(image_list);
}
}
---
Such thing could certainly crash on Wine - you attach an imagelist to ListView
without LVS_SHAREIMAGELISTS (at least I don't see it in cc file). After that
you free imagelist and ListView tries to free it again on WM_NCDESTROY.
Thing you should to test:
- what ImageList_Destroy() does for obviously invalid pointer passed, maybe we
just should protect it with some exception handler to check if a whole
structure size is valid starting HIMAGELIST pointer.
Actually I think it's a chromium bug (or not clean use) too. MSDN says:
---
LVM_SETIMAGELIST
---
The current image list will be destroyed when the list-view control is
destroyed unless the LVS_SHAREIMAGELISTS style is set. If you use this message
to replace one image list with another, your application must explicitly
destroy all image lists other than the current one.
---
--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the wine-bugs
mailing list