[Bug 51496] On KDE riched20:editor triggers a clipboard infinite loop, crashing explorer.exe

WineHQ Bugzilla wine-bugs at winehq.org
Sat Jul 24 08:11:49 CDT 2021


https://bugs.winehq.org/show_bug.cgi?id=51496

Bernhard Übelacker <bernhardu at mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu at mailbox.org

--- Comment #1 from Bernhard Übelacker <bernhardu at mailbox.org> ---
Created attachment 70343
  --> https://bugs.winehq.org/attachment.cgi?id=70343
Remove in release_clipboard entries where the depending entry got removed.

I tried to collect some more information.

As far as I can see, an entry similar to this one, with id=13=CF_UNICODETEXT,
appears in the format list of wineserver's clipboard object:
  (rr) print *(struct clip_format *)clipboard->formats->next
  $148 = {entry = {}, id = 13, from = 0, seqno = 10, size = 0, data = 0x0}

A little later it looks like another entry appears that is derived from
that one, this one with id=1=CF_TEXT:
  (rr) print *(struct clip_format *)clipboard->formats->next->...next->next
  $154 = {entry = {}, id = 1, from = 13, seqno = 16, size = 0, data = 0x0}

Then, in a release_clipboard request, the first entry gets removed from the list.
  (rr) print *(struct clip_format *)clipboard->formats->next->...->next
  $57 = {entry = {}, id = 13, from = 1, seqno = 18, size = 0, data = 0x0}

And now a call to GetClipboardData(CF_UNICODETEXT) by explorer.exe
recreates an entry with id=13=CF_UNICODETEXT, but now with from=1=CF_TEXT:

That way GetClipboardData never returns, because the wineserver request for
CF_UNICODETEXT returns the depending CF_TEXT and vice versa.


(rr) bt
#0  GetClipboardData@4 (format=1) at dlls/user32/clipboard.c:1035
#1  0x6ed0f4e6 in GetClipboardData@4 () at dlls/user32/clipboard.c:581
#2  0x6ed0f4e6 in GetClipboardData@4 () at dlls/user32/clipboard.c:581
#3  0x6ed0f4e6 in GetClipboardData@4 () at dlls/user32/clipboard.c:581
#4  0x6ed0f4e6 in GetClipboardData@4 () at dlls/user32/clipboard.c:581
#5  0x6ed0f4e6 in GetClipboardData@4 () at dlls/user32/clipboard.c:581
#6  0x7e702b48 in export_selection () at dlls/winex11.drv/clipboard.c:1505
#7  0x7e7041db in X11DRV_SelectionRequest at dlls/winex11.drv/clipboard.c:2120
#8  0x7e708dba in call_event_handler () at dlls/winex11.drv/event.c:405
#9  0x7e708f2b in process_events () at dlls/winex11.drv/event.c:460
#10 0x7e7090c4 in X11DRV_MsgWaitForMultipleObjectsEx event.c:500
#11 0x6edad1f3 in wait_message () at dlls/user32/winproc.c:1164
#12 0x6ed6025b in wait_objects () at dlls/user32/message.c:3007
#13 0x6ed68b46 in GetMessageW@16 () at dlls/user32/message.c:3815
#14 0x7e704024 in clipboard_thread () at dlls/winex11.drv/clipboard.c:2071
#15 0x7b62e250 in WriteTapemark@16 ()


The attached draft patch is an attempt to also remove the entry with from=13
when the entry with id=13 is removed in release_clipboard.

Then I could not observe the crash, but some tests fail,
maybe visible because of the KDE desktop.
It passed here: https://testbot.winehq.org/JobDetails.pl?Key=94491

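A simplified model of the sequence described in the comment above, added here as an example; it is not wineserver code and not the attached patch. The struct, the function names (add, release, resolve, replay) and the hop-bounded lookup are assumptions made for illustration.

```c
#include <stdio.h>

#define CF_TEXT 1
#define CF_UNICODETEXT 13
#define MAX_FORMATS 8

/* Stand-in for the id/from fields of the clip_format entries printed above. */
struct fmt { unsigned id, from; int used; };
static struct fmt formats[MAX_FORMATS];

static struct fmt *find(unsigned id) {
    for (int i = 0; i < MAX_FORMATS; i++)
        if (formats[i].used && formats[i].id == id) return &formats[i];
    return NULL;
}
static void add(unsigned id, unsigned from) {
    struct fmt *f = find(id);
    for (int i = 0; !f && i < MAX_FORMATS; i++)
        if (!formats[i].used) f = &formats[i];
    if (f) { f->id = id; f->from = from; f->used = 1; }
}
/* Remove id; with remove_dependents, also drop entries derived from it. */
static void release(unsigned id, int remove_dependents) {
    struct fmt *f = find(id);
    if (!f) return;
    f->used = 0;                     /* cleared first, so a cycle cannot recurse forever */
    for (int i = 0; remove_dependents && i < MAX_FORMATS; i++)
        if (formats[i].used && formats[i].from == id) release(formats[i].id, 1);
}
/* Follow "from" links: source id, 0 if the chain dangles, -1 if it is a cycle. */
static int resolve(unsigned id) {
    for (int hops = 0; hops <= MAX_FORMATS; hops++) {
        struct fmt *f = find(id);
        if (!f) return 0;
        if (!f->from) return (int)f->id;
        id = f->from;
    }
    return -1;                       /* more hops than entries: 13 -> 1 -> 13 -> ... */
}
/* Replays the steps from the comment and resolves CF_UNICODETEXT afterwards. */
static int replay(int remove_dependents) {
    for (int i = 0; i < MAX_FORMATS; i++) formats[i].used = 0;
    add(CF_UNICODETEXT, 0);                           /* id=13, from=0  */
    add(CF_TEXT, CF_UNICODETEXT);                     /* id=1,  from=13 */
    release(CF_UNICODETEXT, remove_dependents);
    /* Assumption: id=13 is recreated from CF_TEXT only if CF_TEXT still exists. */
    if (find(CF_TEXT)) add(CF_UNICODETEXT, CF_TEXT);  /* id=13, from=1  */
    return resolve(CF_UNICODETEXT);
}
int main(void) {
    printf("stale dependent kept: %d, dependents removed: %d\n", replay(0), replay(1));
    return 0;
}
```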