Hi Raphael,

On 4/2/22 13:22, Raphael Isemann wrote:
The attached patch fixes an uninitialized read from memory in `union_memsize`.

The summary of how the bug happens is:

1. union_memsize gets called with a pointer to uninitialized `dummy`.
```
static unsigned int write_union_tfs(FILE *file, const attr_list_t *attrs,
                                     type_t *type, unsigned int *tfsoff)
{
     [...]
     unsigned int dummy;
     [...]
     size = union_memsize(fields, &dummy);
```

2. `union_memsize` reads `pmaxa` (which points to dummy) to set the
initial value of align.

```
static unsigned int union_memsize(const var_list_t *fields, unsigned int *pmaxa)
{
     unsigned int size, maxs = 0;
     unsigned int align = *pmaxa;
     const var_t *v;

     if (fields) LIST_FOR_EACH_ENTRY( v, fields, const var_t, entry )
     {
         /* we could have an empty default field with NULL type */
         if (v->declspec.type)
         {
             size = type_memsize_and_alignment(v->declspec.type, &align);
             if (maxs < size) maxs = size;
             if (*pmaxa < align) *pmaxa = align;
         }
     }
```

The rest of the code in `type_memsize_and_alignment` works with that
uninitialized alignment value. If the uninitialized memory happens to
represent a larger uint than the actual max size of the union, then
that value is printed in the result.


Thanks for the patch. We import widl from Wine with as little changes as possible. Please send the patch to Wine:

https://wiki.winehq.org/Submitting_Patches


Thanks,

Jacek
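As an added illustration (not widl's code and not the patch under discussion), the following C model reproduces the read-before-write described in the quoted message: the caller's `dummy` is passed in uninitialized, `union_memsize` seeds its alignment from it, and the garbage value can end up as the reported union size. The `seed` parameter stands in for whatever the stack happened to contain, and the final rounding of the size up to the largest alignment is an assumption, since the excerpt above does not show the tail of the function.

```c
/* Constructed model of the union_memsize() uninitialized-read bug.
 * A field is described only by its size and alignment. */
#include <stdio.h>
#include <stddef.h>

typedef struct { unsigned int size; unsigned int align; } field_t;

/* Assumed final rounding step (not visible in the quoted excerpt). */
#define ROUND_SIZE(size, align) (((size) + (align) - 1) & ~((align) - 1))

/* Stand-in for type_memsize_and_alignment(): raise *palign to the
 * field's alignment and return the field's size. */
static unsigned int field_memsize_and_alignment(const field_t *f, unsigned int *palign)
{
    if (*palign < f->align) *palign = f->align;
    return f->size;
}

/* Same control flow as the quoted union_memsize(): the initial alignment
 * is read from *pmaxa, so the result depends on what the caller left there. */
static unsigned int union_memsize_model(const field_t *fields, size_t n, unsigned int *pmaxa)
{
    unsigned int size, maxs = 0;
    unsigned int align = *pmaxa;        /* the read of uninitialized memory */
    for (size_t i = 0; i < n; i++) {
        size = field_memsize_and_alignment(&fields[i], &align);
        if (maxs < size) maxs = size;
        if (*pmaxa < align) *pmaxa = align;
    }
    return ROUND_SIZE(maxs, *pmaxa);    /* assumed: round up to max alignment */
}

/* Caller shaped like write_union_tfs(). `seed` is the stale value that
 * `dummy` happened to hold; `initialize` applies the obvious fix of
 * zeroing it before the call. */
static unsigned int union_size_from_caller(unsigned int seed, int initialize)
{
    const field_t fields[] = { { 4, 4 }, { 2, 2 } };  /* constructed: int + short */
    unsigned int dummy = seed;
    if (initialize) dummy = 0;
    return union_memsize_model(fields, 2, &dummy);
}

int main(void)
{
    printf("dummy zeroed:            %u\n", union_size_from_caller(0x40, 1));  /* 4 */
    printf("dummy holding 0x40:      %u\n", union_size_from_caller(0x40, 0));  /* 64 */
    return 0;
}
```

Running the real widl under Valgrind or MemorySanitizer flags the read of `*pmaxa` at the point it is used to seed `align`, which is how this class of bug is usually caught before its effect shows up in generated output.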



_______________________________________________
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public