[Bug 20553] Invalid read in LISTVIEW_NCDestroy in chromium unit_tests.exe in TableViewTest.Sort?

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Nov 13 21:37:17 CST 2009


http://bugs.winehq.org/show_bug.cgi?id=20553





--- Comment #6 from Nikolay Sivov <bunglehead at gmail.com>  2009-11-13 21:37:17 ---
So it looks like a problem here:

---
  if (!(infoPtr->dwStyle & LVS_SHAREIMAGELISTS))
  {
      ImageList_Destroy(infoPtr->himlNormal);
      ImageList_Destroy(infoPtr->himlSmall); <-
      ImageList_Destroy(infoPtr->himlState);
  }
---

Looking at chromium I see the following:

---
void TableView::OnDestroy() {
  if (table_type_ == ICON_AND_TEXT) {
    HIMAGELIST image_list =
        ListView_GetImageList(GetNativeControlHWND(), LVSIL_SMALL);
    DCHECK(image_list);
    if (image_list)
      ImageList_Destroy(image_list);
  }
}
---

Such a thing could certainly crash on Wine - you attach an imagelist to a ListView
without LVS_SHAREIMAGELISTS (at least I don't see it in the cc file). After that
you free the imagelist and the ListView tries to free it again on WM_NCDESTROY.

Thing you should test:
- what ImageList_Destroy() does when an obviously invalid pointer is passed; maybe
we should just protect it with some exception handler to check if the whole
structure size is valid starting at the HIMAGELIST pointer.

Actually I think it's a chromium bug (or not clean use) too. MSDN says:
---
LVM_SETIMAGELIST
---
The current image list will be destroyed when the list-view control is
destroyed unless the LVS_SHAREIMAGELISTS style is set. If you use this message
to replace one image list with another, your application must explicitly
destroy all image lists other than the current one.
---

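The ownership rule that the comment and the MSDN excerpt describe, as an added C model that is not part of the original message and is not Wine or Chromium code. Image-list handles are simulated as table slots (all `model_*` names are hypothetical), so a second destroy on an already-destroyed list is counted instead of reading freed memory.

```c
#include <stdio.h>
/* Portable model, not Wine or Chromium code. Handles are table slots so a
   stale handle is detected without reading freed memory; every model_*
   name is hypothetical. */
#define LVS_SHAREIMAGELISTS 0x0040   /* value from commctrl.h */
#define MAX_LISTS 8
static int live[MAX_LISTS + 1], stale_destroys;
typedef int model_himl;              /* stands in for HIMAGELIST */
struct model_listview { unsigned style; model_himl himl_small; };
static model_himl model_create(void) {
    for (int h = 1; h <= MAX_LISTS; h++)
        if (!live[h]) { live[h] = 1; return h; }
    return 0;
}
/* Returns 1 if a live list was destroyed, 0 for a NULL or stale handle. */
static int model_destroy(model_himl h) {
    if (h < 1 || h > MAX_LISTS) return 0;
    if (!live[h]) { stale_destroys++; return 0; }
    live[h] = 0;
    return 1;
}
/* Control teardown: destroys its list unless LVS_SHAREIMAGELISTS is set. */
static void model_nc_destroy(const struct model_listview *lv) {
    if (!(lv->style & LVS_SHAREIMAGELISTS))
        model_destroy(lv->himl_small);
}
/* One window lifetime; returns the number of destroys on a stale handle. */
int run_case(unsigned style, int app_destroys) {
    struct model_listview lv = { style, model_create() };
    stale_destroys = 0;
    if (app_destroys)
        model_destroy(lv.himl_small);   /* application cleanup in OnDestroy */
    model_nc_destroy(&lv);              /* control teardown runs afterwards */
    return stale_destroys;
}
/* Image lists still allocated; non-zero after teardown means a leak. */
int live_count(void) {
    int n = 0;
    for (int h = 1; h <= MAX_LISTS; h++) n += live[h];
    return n;
}

int main(void) {
    printf("unshared, app destroys:  %d stale\n", run_case(0, 1));
    printf("shared, app destroys:    %d stale\n", run_case(LVS_SHAREIMAGELISTS, 1));
    printf("shared, nobody destroys: %d stale, ", run_case(LVS_SHAREIMAGELISTS, 0));
    printf("%d leaked\n", live_count());
    return 0;
}
```

Only the first case reaches a destroyed handle; the last case shows the other side of the rule, where a shared list that the application never destroys is leaked.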