Fix Annoying SafeArrayCreateVector Bug
Robert Shearman
R.J.Shearman at warwick.ac.uk
Sun May 18 21:10:27 CDT 2003
This bug manifested itself as heap corruption in IE when you selected a
folder from the "Favorites" menu. It had eluded me for weeks, even after
narrowing down which module it was in. Then Valgrind spotted it when I was
running random programs off my hard drive through it (IE won't run under
Valgrind).
ChangeLog:
- Use correct type of pointer in SafeArrayCreateVector to avoid memory
corruption
- Add traces
-------------- next part --------------
Index: wine/dlls/oleaut32/safearray.c
===================================================================
RCS file: /home/wine/wine/dlls/oleaut32/safearray.c,v
retrieving revision 1.23
diff -u -r1.23 safearray.c
--- wine/dlls/oleaut32/safearray.c 23 Jan 2003 21:32:36 -0000 1.23
+++ wine/dlls/oleaut32/safearray.c 19 May 2003 00:11:22 -0000
@@ -262,6 +262,8 @@
HRESULT hRes;
USHORT cDim;
+ TRACE("(%d, %d, %p)\n", vt, cDims, rgsabound);
+
/* Validate supported VARTYPE */
if ( (vt >= LAST_VARTYPE) ||
( VARTYPE_SIZE[vt] == VARTYPE_NOT_SUPPORTED ) )
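Review bot: The format string in this TRACE wraps its arguments in parentheses, "(%d, %d, %p)", while the TRACE added in the next hunk prints "%d, %ld, %ld" without them; use one style for both so the two entry points are easy to grep in a log. If cDims is declared as an unsigned count, %u is the matching conversion rather than %d. Placing the trace ahead of the VARTYPE validation is the right call, since it also records calls that are rejected.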
@@ -861,6 +863,8 @@
SAFEARRAY *psa;
LPVOID *ptr;
+ TRACE("%d, %ld, %ld\n", vt, lLbound, cElements);
+
/* Validate supported VARTYPE */
if ( (vt >= LAST_VARTYPE) ||
( VARTYPE_SIZE[vt] == VARTYPE_NOT_SUPPORTED ) )
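Review bot: In the added TRACE, cElements is printed with %ld; it is an element count, and if it is declared as an unsigned long then large values will be logged as negative numbers, which are exactly the values worth seeing correctly when chasing an allocation-size problem. Use %lu for cElements and keep %ld only for the signed lower bound lLbound.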
@@ -872,7 +876,7 @@
(sizeof(GUID)+sizeof(*psa)+(VARTYPE_SIZE[vt]*cElements)));
if (!ptr)
return NULL;
- psa = (SAFEARRAY*)(ptr+sizeof(GUID));
+ psa = (SAFEARRAY*)((BYTE*)ptr+sizeof(GUID));
/* setup data members... */
psa->cDims = 1; /* always and forever */
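Review bot: The cast on the changed line fixes the symptom, but the cause is that ptr is declared as LPVOID * (see the context of the previous hunk), so ptr+sizeof(GUID) advanced by sizeof(GUID) pointer-sized elements instead of sizeof(GUID) bytes and psa landed beyond the header the allocation reserved for it. Declaring ptr as BYTE * would make the offset arithmetic correct without a cast and stop the same mistake from returning on a later edit; any code that recovers the allocation base from psa should be checked for the same arithmetic. Separately, the size expression sizeof(GUID)+sizeof(*psa)+(VARTYPE_SIZE[vt]*cElements) has no visible overflow check, so a very large cElements could wrap the multiplication and yield an undersized block; a bound on cElements before the allocation would close that.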