[PATCH][widl] Fix uninitialized read in write_union_tfs
Raphael Isemann
teemperor at gmail.com
Sat Apr 2 08:57:45 CDT 2022
The summary of how the bug happens is:
1. union_memsize gets called with a pointer to uninitialized `dummy`.
```
static unsigned int write_union_tfs(FILE *file, const attr_list_t *attrs,
                                    type_t *type, unsigned int *tfsoff)
{
    [...]
    unsigned int dummy;
    [...]
    size = union_memsize(fields, &dummy);
```
2. `union_memsize` reads `pmaxa` (which points to dummy) to set the
initial value of align.
```
static unsigned int union_memsize(const var_list_t *fields, unsigned int *pmaxa)
{
    unsigned int size, maxs = 0;
    unsigned int align = *pmaxa;
    const var_t *v;

    if (fields) LIST_FOR_EACH_ENTRY( v, fields, const var_t, entry )
    {
        /* we could have an empty default field with NULL type */
        if (v->declspec.type)
        {
            size = type_memsize_and_alignment(v->declspec.type, &align);
            if (maxs < size) maxs = size;
            if (*pmaxa < align) *pmaxa = align;
        }
    }
```
`type_memsize_and_alignment` then descends down and passes along the
uninitialized `align`. `type_memsize_and_alignment` will use this to find
the required alignment for the type (and will round up the computed type size
to the uninitialized alignment if necessary).
This patch just initializes `dummy` to 0, which means the 'real'
alignment value should set the value to a real alignment.
---
tools/widl/typegen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/widl/typegen.c b/tools/widl/typegen.c
index b2d9ab5..eb0fa5e 100644
--- a/tools/widl/typegen.c
+++ b/tools/widl/typegen.c
@@ -3327,7 +3327,7 @@ static unsigned int write_union_tfs(FILE *file,
const attr_list_t *attrs,
unsigned int nbranch = 0;
type_t *deftype = NULL;
short nodeftype = 0xffff;
- unsigned int dummy;
+ unsigned int dummy = 0;
var_t *f;
if (processed(type) &&
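Review bot: the one-line fix at `+ unsigned int dummy = 0;` is correct but silent about why it is needed: `union_memsize` treats `pmaxa` as an in/out parameter (`unsigned int align = *pmaxa;` and `if (*pmaxa < align) *pmaxa = align;`), so every caller must seed it, and 0 is the right seed because it can never win either of those comparisons. Consider a short comment on the declaration, e.g. `unsigned int dummy = 0; /* union_memsize reads *pmaxa as the starting alignment */`, so the next caller of `union_memsize` does not repeat the uninitialized read; alternatively, note in the commit message why `union_memsize` should not simply initialize `align` itself, since the message currently only describes the symptom.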
--
2.35.1