[PATCH] ieframe: Clear a being invalidated history entry.

Dmitry Timoshkov dmitry at baikal.ru
Tue Jan 25 12:47:46 CST 2022


Hi Jacek,

Jacek Caban <jacek at codeweavers.com> wrote:

> On 1/24/22 15:04, Dmitry Timoshkov wrote:
> > update_travellog(), in order to clear forward history, calls free_travellog_entry() to
> > invalidate forward history entries, and when an entry later gets reused, entry->stream
> > contains a no longer valid pointer.
> 
> 
> How does it "get reused"? Note that the log buffer is also initially not
> zero-initialized and generally depends on proper bounds checks.
> update_travellog() decrements length when it clears forward history,
> which should prevent us from treating those entries as valid.

Probably "gets reused" is a wrong term. What I observe here is that once
update_travellog() truncates the log, and position in the history is equal
to the length, next call to go_forward() will crash because bounds check
'if (position >= length) return E_FAIL;' doesn't prevent referencing a no
longer valid history entry. Does that explain what is going on?

-- 
Dmitry.
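The situation discussed in this thread, as an added stand-alone example that is not Wine's ieframe code and not part of the original message: a minimal C model of a back/forward travel log in which navigating to a new page frees the forward entries and lowers `length`, with a switch that either leaves the freed slot as-is or zeroes it. Every name in it (`travellog_t`, `entry_t`, `travellog_navigate`, the sample URLs) is an assumption made for the model, not a project identifier; the scenario (visit A, B, C, go back twice, visit D) is constructed.

```c
/*
 * Added example, not Wine's ieframe code: a stand-alone model of a browser
 * back/forward "travel log" showing why an entry freed while truncating
 * forward history should also be cleared. All names here are assumptions
 * made for the model, not project identifiers.
 */
#include <stdlib.h>
#include <string.h>

#define LOG_SIZE 8

typedef struct {
    char *url;     /* owned copy of the page URL */
    char *stream;  /* owned buffer standing in for the saved page state */
} entry_t;

typedef struct {
    entry_t log[LOG_SIZE];
    int length;         /* number of valid entries in log[] */
    int position;       /* current entry is log[position - 1] */
    int clear_on_free;  /* 0: leave freed slots as-is, 1: zero them (the fix) */
} travellog_t;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static void travellog_init(travellog_t *t, int clear_on_free)
{
    memset(t, 0, sizeof(*t));   /* the model starts zeroed; a real log may not */
    t->clear_on_free = clear_on_free;
}

static void free_entry(travellog_t *t, entry_t *e)
{
    free(e->url);
    free(e->stream);
    if (t->clear_on_free)
        memset(e, 0, sizeof(*e));   /* fix: leave no dangling pointers behind */
}

/* Visit a new page: free forward entries log[position..length), then store
 * the new entry at log[position] and lower length to match. */
static int travellog_navigate(travellog_t *t, const char *url)
{
    if (t->position >= LOG_SIZE) return -1;
    for (int i = t->position; i < t->length; i++)
        free_entry(t, &t->log[i]);
    entry_t *e = &t->log[t->position];
    e->url = dup_str(url);
    e->stream = dup_str(url);   /* stand-in for serialized page state */
    t->length = ++t->position;
    return 0;
}

static int travellog_go_back(travellog_t *t)
{
    if (t->position <= 1) return -1;
    t->position--;
    return 0;
}

static int travellog_go_forward(travellog_t *t)
{
    if (t->position >= t->length) return -1;   /* the bounds check quoted above */
    t->position++;
    return 0;
}

/* Accessor that trusts the length check: only valid entries are reachable. */
static const char *travellog_stream_at(const travellog_t *t, int idx)
{
    if (idx < 0 || idx >= t->length) return NULL;
    return t->log[idx].stream;
}

/* 1 if a slot past length still holds a freed, non-NULL stream pointer. Any
 * path reaching such a slot without the length check would touch freed
 * memory; clearing on free turns that into a NULL it can test for. */
static int travellog_slot_is_stale(const travellog_t *t, int idx)
{
    return idx >= t->length && idx < LOG_SIZE && t->log[idx].stream != NULL;
}

static void travellog_destroy(travellog_t *t)
{
    for (int i = 0; i < t->length; i++)
        free_entry(t, &t->log[i]);
    t->length = t->position = 0;
}

/* Constructed scenario: visit A, B, C, go back twice, visit D. B and C are
 * freed, length drops to 2, and log[2] is the invalidated entry. */
static void build_scenario(travellog_t *t, int clear_on_free)
{
    travellog_init(t, clear_on_free);
    travellog_navigate(t, "http://a.example/");
    travellog_navigate(t, "http://b.example/");
    travellog_navigate(t, "http://c.example/");
    travellog_go_back(t);
    travellog_go_back(t);                         /* position 1, length 3 */
    travellog_navigate(t, "http://d.example/");   /* position 2, length 2 */
}

static int scenario_leaves_stale_slot(int clear_on_free)
{
    travellog_t t;
    build_scenario(&t, clear_on_free);
    int stale = travellog_slot_is_stale(&t, 2);
    travellog_destroy(&t);
    return stale;
}

/* go_forward() at position == length must fail; after going back it must
 * land on D, whose stream is still valid. Returns 1 if both hold. */
static int scenario_forward_is_sane(int clear_on_free)
{
    travellog_t t;
    build_scenario(&t, clear_on_free);
    int ok = travellog_go_forward(&t) == -1;
    ok = ok && travellog_go_back(&t) == 0 && travellog_go_forward(&t) == 0;
    ok = ok && strcmp(travellog_stream_at(&t, t.position - 1), "http://d.example/") == 0;
    travellog_destroy(&t);
    return ok;
}
```

With `clear_on_free` set to 0 the model reproduces the state the thread is about: `length` is correct and the `position >= length` check in `travellog_go_forward` holds, but `log[2]` still carries the pointers freed during truncation, so any other path that indexes the array without that exact check reads freed memory. With it set to 1 the same slot reads as NULL, which is the property a defensive caller can actually test. Compile with a leak or address sanitizer to confirm the model itself frees everything it allocates.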
