[PATCH v2 2/2] mshtml: Avoid passing invalid memory to DispCallFunc().
Jacek Caban
jacek at codeweavers.com
Mon May 20 07:24:28 CDT 2019
Hi Zebediah,
This crashes for me in script.c tests. Here is a log (with additional
FIXMEs, if I run it with +mshtml, it crashes in HTMLWindow_open instead):
0009:fixme:mshtml:invoke_builtin_function retv 0x90d2d8
{VT_BOOL|VT_BYREF 0x90d2d0}
0009:fixme:mshtml:HTMLElement_removeAttribute (0xc93038)->(L"myattr"
90d2d0 0x7e25db64)
wine: Unhandled page fault on write access to 0x7e25db64 at address
0x7cc23e59 (thread 0009), starting debugger...
Unhandled exception: page fault on write access to 0x7e25db64 in 32-bit
code (0x7cc23e59).
0056:err:dbghelp:pe_load_msc_debug_info -Debug info stripped, but no
.DBG file in module L"xul"
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:7cc23e59 ESP:0090d090 EBP:0090d0f8 EFLAGS:00210202( R- -- I - - - )
EAX:7e25db64 EBX:0090d190 ECX:0090d080 EDX:00000001
ESI:00c932f4 EDI:0090d19c
Stack dump:
0x0090d090: f7d5e680 00000000 7e25db64 00c93038
0x0090d0a0: 00c93038 00c8f55c 00000008 0090d0c0
0x0090d0b0: 00c6cbe0 00000000 00c93280 00c93038
0x0090d0c0: 00c93280 00c93038 00000000 43c2c400
0x0090d0d0: 00000000 4d430001 00000000 43c2c400
0x0090d0e0: 0090d100 0090d190 0090d178 43c2c400
Backtrace:
=>0 0x7cc23e59 remove_attribute+0xc9()
[/home/jacek/wine/wine-git/dlls/mshtml/dispex.c:1398] in mshtml (0x0090d0f8)
1 0x7cc4ccfc HTMLElement_removeAttribute+0x1e2(iface=0xc93084,
strAttributeName="myattr", pfSuccess=0x7e25db64)
[/home/jacek/wine/wine-git/dlls/mshtml/htmlelem.c:960] in mshtml
(0x0090d178)
2 0x7e245722 call_method+0x21() in oleaut32 (0x0090d1a8)
3 0x7e25df98 DispCallFunc+0x4b7(pvInstance=<couldn't compute
location>, oVft=<couldn't compute location>, cc=<couldn't compute
location>, vtReturn=<couldn't compute location>, cActuals=<couldn't
compute location>, prgvt=<couldn't compute location>, prgpvarg=<couldn't
compute location>, pvargResult=<couldn't compute location>)
[/home/jacek/wine/wine-git/dlls/oleaut32/typelib.c:6769] in oleaut32
(0x0090d218)
4 0x7cc23628 invoke_builtin_function+0x7af()
[/home/jacek/wine/wine-git/dlls/mshtml/dispex.c:1218] in mshtml (0x0090d468)
5 0x7cc238f7 function_invoke+0x1f5()
[/home/jacek/wine/wine-git/dlls/mshtml/dispex.c:1269] in mshtml (0x0090d4f8)
6 0x7cc23bc8 invoke_builtin_prop+0x105()
[/home/jacek/wine/wine-git/dlls/mshtml/dispex.c:1343] in mshtml (0x0090d578)
7 0x7cc24b66 DispatchEx_InvokeEx+0x4c9(wFlags=0x3)
[/home/jacek/wine/wine-git/dlls/mshtml/dispex.c:1667] in mshtml (0x0090d608)
8 0x7ba8d4d2 disp_call+0x291(flags=<is not available>, argc=<is not
available>)
[/home/jacek/wine/wine-git/dlls/jscript/../../include/dispex.h:319] in
jscript (0x0090d6f8)
9 0x7ba915dc exprval_call+0x7b() in jscript (0x0090d738)
10 0x7ba94d49 interp_call_member+0xb8()
[/home/jacek/wine/wine-git/dlls/jscript/engine.c:1210] in jscript
(0x0090d778)
11 0x7ba98c22 exec_source+0x571(this_obj=<is not available>)
[/home/jacek/wine/wine-git/dlls/jscript/engine.c:2810] in jscript
(0x0090d808)
12 0x7ba9d61d invoke_source+0x8c(ctx=0xc6cbe0, function=0xc8f248,
this_obj=0xc6bfe4)
[/home/jacek/wine/wine-git/dlls/jscript/function.c:259] in jscript
(0x0090d878)
13 0x7ba9e799 Function_invoke+0x78(flags=<is not available>)
[/home/jacek/wine/wine-git/dlls/jscript/function.c:352] in jscript
(0x0090d8d8)
14 0x7ba8cbde invoke_prop_func+0x28d(This=0xc8f248, jsthis=<is not
available>, prop=<is not available>, flags=0x1)
[/home/jacek/wine/wine-git/dlls/jscript/dispex.c:401] in jscript
(0x0090d938)
15 0x7ba8d06d DispatchEx_InvokeEx+0x3ac(iface=<couldn't compute
location>, id=<couldn't compute location>, lcid=<couldn't compute
location>, wFlags=<couldn't compute location>, pdp=<couldn't compute
location>, pvarRes=<couldn't compute location>, pei=<couldn't compute
location>, pspCaller=<couldn't compute location>)
[/home/jacek/wine/wine-git/dlls/jscript/dispex.c:737] in jscript
(0x0090d9e8)
16 0x7cc63e43 call_disp_func+0xa2(disp=<is not available>,
dp=0x90dae0, retv=0x90dab0)
[/home/jacek/wine/wine-git/dlls/mshtml/../../include/dispex.h:319] in
mshtml (0x0090da68)
17 0x7cc6a6cd call_event_handlers+0x1cec(event_target=0xc6bfe4,
event=0xc92a38, dispatch_mode=DISPATCH_BOTH)
[/home/jacek/wine/wine-git/dlls/mshtml/htmlevent.c:2487] in mshtml
(0x0090dce8)
18 0x7cc6afa7 dispatch_event_object+0x1f6(event_target=0xc6bfe4,
event=<is not available>, dispatch_mode=DISPATCH_BOTH)
[/home/jacek/wine/wine-git/dlls/mshtml/htmlevent.c:2739] in mshtml
(0x0090dd68)
19 0x7cc6b698 dispatch_event+0x17()
[/home/jacek/wine/wine-git/dlls/mshtml/htmlevent.c:2788] in mshtml
(0x0090dd88)
20 0x7cceb1da handle_load+0x109(iface=<couldn't compute location>,
event=<couldn't compute location>)
[/home/jacek/wine/wine-git/dlls/mshtml/nsevents.c:282] in mshtml
(0x0090ddd8)
21 0x6b18a8a9 EntryPoint+0x13494a8() in xul (0x07144904)
22 0x03af69c8 (0x00c723a9)
23 0x6400c723 (0x907cd655)
0x7cc23e59 remove_attribute+0xc9
[/home/jacek/wine/wine-git/dlls/mshtml/dispex.c:1398] in mshtml: movw
$0xffff,0x0(%eax)
1398 *success = VARIANT_TRUE;
On 5/19/19 9:40 PM, Zebediah Figura wrote:
> Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=47222
> Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
> ---
> dlls/mshtml/dispex.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/dlls/mshtml/dispex.c b/dlls/mshtml/dispex.c
> index 2033e90872..88a5e5168e 100644
> --- a/dlls/mshtml/dispex.c
> +++ b/dlls/mshtml/dispex.c
> @@ -1129,6 +1129,7 @@ static HRESULT builtin_propput(DispatchEx *This, func_info_t *func, DISPPARAMS *
> static HRESULT invoke_builtin_function(DispatchEx *This, func_info_t *func, DISPPARAMS *dp, VARIANT *res, IServiceProvider *caller)
> {
> VARIANT arg_buf[MAX_ARGS], *arg_ptrs[MAX_ARGS], *arg, retv, ret_ref, vhres;
> + VARTYPE arg_types[MAX_ARGS];
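Review bot: the new `VARTYPE arg_types[MAX_ARGS]` is only declared in the quoted part of the hunk, and the diffstat above says three more insertions exist beyond it, so the reviewer cannot see where each entry is filled; the check worth making is that every `arg_types[i]` is set together with its `arg_ptrs[i]` for all slots up to the count handed to DispCallFunc(), including the by-reference return slot, since DispCallFunc() walks `prgvt` and `prgpvarg` in lockstep and an unset entry there is exactly the kind of stray pointer the backtrace shows (`invoke_builtin_function` holds retv as `{VT_BOOL|VT_BYREF 0x90d2d0}`, yet `HTMLElement_removeAttribute` receives `pfSuccess=0x7e25db64`, an address in the same oleaut32 range as frames 2 and 3, not the 0x90d2d0 buffer). Stating in the commit message which slot's type was previously wrong, and adding a script.c test that reads the `removeAttribute` return value, would make the fix verifiable.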
We could probably populate arg_types with the return value pointer in
add_func_info().
Thanks,
Jacek