[Bug 38924] Crash on copy/paste running Tapps2

WineHQ Bugzilla wine-bugs at winehq.org
Tue Oct 22 00:43:21 CDT 2019


https://bugs.winehq.org/show_bug.cgi?id=38924

Damjan Jovanovic <damjan.jov at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |ntdll

--- Comment #10 from Damjan Jovanovic <damjan.jov at gmail.com> ---
The chain of events looks something like this:

1.0 DnDShapeDropTarget::OnData()                [application]
  2.0 wxDropTarget::GetData()
    3.0 wxIDataObject::GetData()
      4.0 wxIDataObject::GetDataHere()
        5.0 DnDShapeDataObject::GetDataHere()   [application]
          6.0 DnDShape::GetDataHere()           [application]
    3.1 wxIDataObject::SetData()
      7.0 pBuf = GetSizeFromBuffer(pBuf, size, format)
        8.0 wxDataObject::GetSizeFromBuffer(pbuf, size, format)
          9.0 ::HeapSize(::GetProcessHeap(), 0, pBuf);
      7.1 DnDShapeDataObject::SetData(pBuf)     [application]


In step 9.0 wxWidgets tries to determine the size of a memory area using
HeapSize(). HeapSize() fails with GetLastError()=87 (ERROR_INVALID_PARAMETER).
Step 8.0 wxDataObject::GetSizeFromBuffer() thus returns NULL, setting pBuf to
NULL. The application's DnDShapeDataObject::SetData() in 7.1 thus receives a
NULL pointer. The application tries to access the NULL pointer -> crash.

Why does HeapSize() fail? It's called on pBuf. What does pBuf point to?
const void *pBuf = GlobalLock(pmedium->hGlobal);
So pBuf actually points to global memory, not GetProcessHeap() heap memory.

Using HeapSize() on memory returned from GlobalLock() apparently works on
Windows, but fails on Wine and causes the crash.

If I patch wxWidgets to call GlobalSize() instead of HeapSize(), the drag and
drop no longer crashes. However, wxWidgets dates back to 1992; we can't patch 27
years' worth of wxWidgets applications out in the field, especially those that
have linked to wxWidgets statically. Wine should support calling HeapSize() on
pointers returned from GlobalLock(), like Windows does.
