[Bug 28732] New: use-after-free in MONTHCAL_UpdateSize

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Oct 15 11:38:32 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=28732

             Bug #: 28732
           Summary: use-after-free in MONTHCAL_UpdateSize
           Product: Wine
           Version: 1.3.30
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: comctl32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: dank at kegel.com
    Classification: Unclassified


While running "make monthcal.ok" in comctl32/tests, valgrind complains

Invalid read of size 4
   at MONTHCAL_UpdateSize (monthcal.c:2556)
   by MONTHCAL_WindowProc (monthcal.c:2739)
   by ??? (in /oldhome/dank/wine-git/dlls/user32/user32.dll.so)
   by call_window_proc (winproc.c:242)
   by WINPROC_CallProcAtoW (winproc.c:404)
   by WINPROC_call_window (winproc.c:910)
   by call_window_proc (message.c:2211)
   by send_message (message.c:3084)
   by SendMessageA (message.c:3286)
   by WIN_CreateWindowEx (win.c:1448)
   by CreateWindowExA (win.c:1550)
   by create_monthcal_control (monthcal.c:577)
   by func_monthcal (monthcal.c:1524)
 Address 0x7f045618 is 8 bytes inside a block of size 112 free'd
   at RtlReAllocateHeap (heap.c:262)
   by HeapReAlloc (heap.c:277)
   by GlobalReAlloc (heap.c:651)
   by LocalReAlloc (heap.c:1075)
   by ReAlloc (comctl32undoc.c:99)
   by MONTHCAL_UpdateSize (monthcal.c:2541)
   by MONTHCAL_WindowProc (monthcal.c:2739)
   by ??? (in /oldhome/dank/wine-git/dlls/user32/user32.dll.so)
   by call_window_proc (winproc.c:242)
   by WINPROC_CallProcAtoW (winproc.c:404)
   by WINPROC_call_window (winproc.c:910)
   by call_window_proc (message.c:2211)
   by send_message (message.c:3084)
   by SendMessageA (message.c:3286)
   by WIN_CreateWindowEx (win.c:1448)
   by CreateWindowExA (win.c:1550)
   by create_monthcal_control (monthcal.c:577)
   by func_monthcal (monthcal.c:1524)

A quick look at the source makes me think that the pointer 'title'
might need to be updated when the realloc is done.
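The realloc-then-stale-pointer pattern the reporter suspects, shown as an added example (not Wine's monthcal.c): a hypothetical CALENDAR struct with a heap array, the buggy variant that caches a pointer into it before the realloc, and the fixed variant that re-derives the pointer after the new base is stored. All names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical control state; field names are assumptions, not Wine's. */
typedef struct { int left, top, right, bottom; } CALRECT;
typedef struct {
    CALRECT *calendars;   /* per-month rectangles, grown with realloc */
    int      count;
} CALENDAR;

/* Buggy pattern matching the report: 'title' is taken before the
 * realloc and read afterwards, so when realloc moved the block the
 * read hits freed memory (valgrind's "Invalid read"). Not called below. */
int update_size_stale(CALENDAR *c, int newcount)
{
    CALRECT *title = &c->calendars[0];                  /* cached too early */
    CALRECT *grown = realloc(c->calendars, newcount * sizeof *grown);
    if (!grown) return -1;
    c->calendars = grown;
    c->count = newcount;
    return title->right;                                /* use-after-free */
}

/* Fixed: take pointers into the array only after realloc has succeeded
 * and the new base has been stored in the struct. */
int update_size_fixed(CALENDAR *c, int newcount, int width)
{
    CALRECT *title;
    CALRECT *grown = realloc(c->calendars, newcount * sizeof *grown);
    if (!grown) return -1;
    if (newcount > c->count)                            /* zero new entries */
        memset(grown + c->count, 0, (newcount - c->count) * sizeof *grown);
    c->calendars = grown;
    c->count = newcount;
    title = &c->calendars[0];                           /* valid base now */
    title->right = width;
    return title->right;
}

/* Grow from 1 to 64 entries, large enough that realloc will usually
 * have to move the block; returns the new count on success, -1 otherwise. */
int demo(void)
{
    CALENDAR c;
    int result;
    c.calendars = calloc(1, sizeof(CALRECT));
    c.count = 1;
    result = (c.calendars && update_size_fixed(&c, 64, 300) == 300) ? c.count : -1;
    free(c.calendars);
    return result;
}
```

Running the stale variant under valgrind reproduces the "Invalid read ... inside a block ... free'd" pair from the report when the block moves.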
