Forgot to document the revision number of the committed fix: <http://sourceforge.net/p/oorexx/code-0/12388>.

---rony

On 11.05.2022 16:18, Rony G. Flatscher wrote:
On 11.05.2022 16:03, Rick McGuire wrote:
This looks like a buffer overflow has been detected. Looking at the code in GetKnownEvents, this could happen if the IF condition on line 5187 evaluates to false. The fix should be to move the two lines starting at line 5187 inside the curly braces for that condition.

Thank you, that fixed it (moving the lines starting at 5197 inside the curly braces).

---rony


On Wed, May 11, 2022 at 9:39 AM Rony G. Flatscher <rony.flatsc...@wu.ac.at> 
wrote:

    Running a simple ooRexx script:

        -- Start Word with empty document
        Word = .OLEObject~New("Word.Application")
        Word~Visible = .TRUE                    -- make Word visible
        Document = Word~Documents~Add          -- add document
        say .line "Document:" document", before 'call createOleInfo document, ...'"
            -- the following call causes a crash in oleinfo
        /*call createOleInfo document, "word~documents~add"*//**/
        say .line "before document~textEncoding ..."
        textEncoding=document~textEncoding
        say "Document~textEncoding:" textEncoding
        Selection = word~selection

        Selection~Style = "Normal"              -- Create selection with style: normal
        Selection~TypeText("I am Normal Text. Document's textEncoding:" textEncoding)     -- give selection a text
        Selection~TypeParagraph

        say "Done."

    Threads:

        Not Flagged  >  1688    0   Main Thread     Main Thread                                      orexxole.dll!__report_securityfailure          Normal
        Not Flagged     23848   0   Worker Thread   ntdll.dll!TppWorkerThread                        ntdll.dll!_NtWaitForWorkViaWorkerFactory@20    Normal
        Not Flagged     16364   0   Worker Thread   ntdll.dll!TppWorkerThread                        ntdll.dll!_NtWaitForWorkViaWorkerFactory@20    Normal
        Not Flagged     9940    0   Worker Thread   ntdll.dll!TppWorkerThread                        ntdll.dll!_NtWaitForWorkViaWorkerFactory@20    Normal
        Not Flagged     23076   0   Worker Thread   combase.dll!CRpcThreadCache::RpcWorkerThreadEntry combase.dll!WaitCoalesced                    Normal
        Not Flagged     12240   0   Worker Thread   ntdll.dll!TppWorkerThread                        ntdll.dll!_NtWaitForWorkViaWorkerFactory@20    Normal
        Not Flagged     20944   0   Worker Thread   ntdll.dll!TppWorkerThread                        ntdll.dll!_NtWaitForWorkViaWorkerFactory@20    Normal
        Not Flagged     23568   0   Worker Thread   ANSI32.dll thread                                ANSI32.dll!59e2223f                            Normal

    Call Stack

        >   orexxole.dll!__report_securityfailure(unsigned long failure_code=8) Line 446  C
            orexxole.dll!__report_rangecheckfailure(...) Line 539  C
            orexxole.dll!OLEObject_GetKnownEvents_impl(RexxMethodContext_ * context=0x0067cb00, _RexxObjectPtr * self=0x027d9dd8) Line 5197  C++
            orexxole.dll!OLEObject_GetKnownEvents(RexxMethodContext_ * context=0x0067cb00, _ValueDescriptor * arguments=0x0067cb18) Line 5123  C++
            rexx.dll!NativeActivation::run(MethodClass * _method=0x00c42380, NativeMethod * _code=0x00c42670, RexxObject * _receiver=0x027d9dd8, RexxString * _msgname=0x02822750, RexxObject * * _arglist=0x02dd3a60, unsigned int _argcount=0, ProtectedObject & resultObj={...}) Line 1306  C++
            rexx.dll!NativeMethod::run(Activity * activity=0x027d0318, MethodClass * method=0x00c42380, RexxObject * receiver=0x027d9dd8, RexxString * messageName=0x02822750, RexxObject * * argPtr=0x02dd3a60, unsigned int count=0, ProtectedObject & result={...}) Line 329  C++
            rexx.dll!MethodClass::run(Activity * activity=0x027d0318, RexxObject * receiver=0x027d9dd8, RexxString * msgname=0x02822750, RexxObject * * argPtr=0x02dd3a60, unsigned int count=0, ProtectedObject & result={...}) Line 171  C++
            rexx.dll!RexxObject::messageSend(RexxString * msgname=0x02822750, RexxObject * * arguments=0x02dd3a60, unsigned int count=0, ProtectedObject & result={...}) Line 902  C++
            rexx.dll!ExpressionStack::send(RexxString * message=0x02822750, unsigned int count=0, ProtectedObject & result={...}) Line 80  C++
            rexx.dll!RexxExpressionMessage::evaluate(RexxActivation * context=0x02865de8, ExpressionStack * stack=0x02865ec0) Line 191  C++
            rexx.dll!RexxInstructionAssignment::execute(RexxActivation * context=0x02865de8, ExpressionStack * stack=0x02865ec0) Line 129  C++
            rexx.dll!RexxActivation::run(RexxObject * _receiver=0x02865dd0, RexxString * name=0x00b70388, RexxObject * * _arglist=0x02dd3988, unsigned int _argcount=2, RexxInstruction * start=0x00000000, ProtectedObject & resultObj={...}) Line 591  C++
            rexx.dll!RexxCode::run(Activity * activity=0x027d0318, MethodClass * method=0x02824230, RexxObject * receiver=0x02865dd0, RexxString * msgname=0x00b70388, RexxObject * * argPtr=0x02dd3988, unsigned int argcount=2, ProtectedObject & result={...}) Line 211  C++
            rexx.dll!MethodClass::run(Activity * activity=0x027d0318, RexxObject * receiver=0x02865dd0, RexxString * msgname=0x00b70388, RexxObject * * argPtr=0x02dd3988, unsigned int count=2, ProtectedObject & result={...}) Line 171  C++
            rexx.dll!RexxObject::messageSend(RexxString * msgname=0x00b70388, RexxObject * * arguments=0x02dd3988, unsigned int count=2, ProtectedObject & result={...}) Line 902  C++
            rexx.dll!RexxObject::sendMessage(RexxString * message=0x00b70388, RexxObject * * args=0x02dd3988, unsigned int argCount=2, ProtectedObject & result={...}) Line 510  C++
            rexx.dll!RexxClass::completeNewObject(RexxObject * obj=0x02865dd0, RexxObject * * initArgs=0x02dd3988, unsigned int argCount=2) Line 1900  C++
            rexx.dll!RexxObject::newRexx(RexxObject * * arguments=0x02dd3988, unsigned int argCount=2) Line 2672  C++
            rexx.dll!CPPCode::run(Activity * activity=0x027d0318, MethodClass * method=0x00b6fe58, RexxObject * receiver=0x0282dcb0, RexxString * messageName=0x027e8e70, RexxObject * * argPtr=0x02dd3988, unsigned int count=2, ProtectedObject & result={...}) Line 147  C++
            rexx.dll!MethodClass::run(Activity * activity=0x027d0318, RexxObject * receiver=0x0282dcb0, RexxString * msgname=0x027e8e70, RexxObject * * argPtr=0x02dd3988, unsigned int count=2, ProtectedObject & result={...}) Line 171  C++
            rexx.dll!RexxObject::messageSend(RexxString * msgname=0x027e8e70, RexxObject * * arguments=0x02dd3988, unsigned int count=2, ProtectedObject & result={...}) Line 902  C++
            rexx.dll!ExpressionStack::send(RexxString * message=0x027e8e70, unsigned int count=2, ProtectedObject & result={...}) Line 80  C++
            rexx.dll!RexxExpressionMessage::evaluate(RexxActivation * context=0x02865690, ExpressionStack * stack=0x02865768) Line 191  C++
            rexx.dll!RexxInstructionAssignment::execute(RexxActivation * context=0x02865690, ExpressionStack * stack=0x02865768) Line 129  C++
            rexx.dll!RexxActivation::run(RexxObject * _receiver=0x00000000, RexxString * name=0x027e0630, RexxObject * * _arglist=0x02dd38f0, unsigned int _argcount=3, RexxInstruction * start=0x00000000, ProtectedObject & resultObj={...}) Line 591  C++
            rexx.dll!RexxCode::call(Activity * activity=0x027d0318, RoutineClass * routine=0x02815098, RexxString * routineName=0x027e0630, RexxObject * * argPtr=0x02dd38f0, unsigned int argcount=3, RexxString * calltype=0x00c75bb8, RexxString * environment=0x00000000, ActivationContext context=EXTERNALCALL, ProtectedObject & result={...}) Line 188  C++
            rexx.dll!RoutineClass::call(Activity * activity=0x027d0318, RexxString * routineName=0x027e0630, RexxObject * * argPtr=0x02dd38f0, unsigned int argcount=3, RexxString * calltype=0x00c75bb8, RexxString * environment=0x00000000, ActivationContext context=EXTERNALCALL, ProtectedObject & result={...}) Line 193  C++
            rexx.dll!RexxActivation::externalCall(RoutineClass * & routine=0x02815098, RexxString * target=0x027e0630, RexxObject * * arguments=0x02dd38f0, unsigned int argcount=3, RexxString * calltype=0x00c75bb8, ProtectedObject & resultObj={...}) Line 2935  C++
            rexx.dll!RexxExpressionFunction::evaluate(RexxActivation * context=0x027e3c28, ExpressionStack * stack=0x027e3d00) Line 214  C++
            rexx.dll!RexxInstructionAssignment::execute(RexxActivation * context=0x027e3c28, ExpressionStack * stack=0x027e3d00) Line 129  C++
            rexx.dll!RexxActivation::run(RexxObject * _receiver=0x00000000, RexxString * name=0x027d6558, RexxObject * * _arglist=0x02dd3890, unsigned int _argcount=2, RexxInstruction * start=0x00000000, ProtectedObject & resultObj={...}) Line 591  C++
            rexx.dll!RexxCode::call(Activity * activity=0x027d0318, RoutineClass * routine=0x027e3c08, RexxString * routineName=0x027d6558, RexxObject * * argPtr=0x02dd3890, unsigned int argcount=2, RexxString * calltype=0x00c75ff8, RexxString * environment=0x00c75be8, ActivationContext context=EXTERNALCALL, ProtectedObject & result={...}) Line 188  C++
            rexx.dll!RoutineClass::call(Activity * activity=0x027d0318, RexxString * routineName=0x027d6558, RexxObject * * argPtr=0x02dd3890, unsigned int argcount=2, RexxString * calltype=0x00c75ff8, RexxString * environment=0x00c75be8, ActivationContext context=EXTERNALCALL, ProtectedObject & result={...}) Line 193  C++
            rexx.dll!RexxActivation::callExternalRexx(RexxString * target=0x027d6558, RexxObject * * arguments=0x02dd3890, unsigned int argcount=2, RexxString * calltype=0x00c75ff8, ProtectedObject & resultObj={...}) Line 3010  C++
            rexx.dll!SystemInterpreter::invokeExternalFunction(RexxActivation * activation=0x027d7508, Activity * activity=0x027d0318, RexxString * target=0x027d6558, RexxObject * * arguments=0x02dd3890, unsigned int argcount=2, RexxString * calltype=0x00c75ff8, ProtectedObject & result={...}) Line 107  C++
            rexx.dll!RexxActivation::externalCall(RoutineClass * & routine=0x00000000, RexxString * target=0x027d6558, RexxObject * * arguments=0x02dd3890, unsigned int argcount=2, RexxString * calltype=0x00c75ff8, ProtectedObject & resultObj={...}) Line 2951  C++
            rexx.dll!RexxInstructionCall::execute(RexxActivation * context=0x027d7508, ExpressionStack * stack=0x027d75e0) Line 200  C++
            rexx.dll!RexxActivation::run(RexxObject * _receiver=0x00000000, RexxString * name=0x027d33a8, RexxObject * * _arglist=0x027d2fa8, unsigned int _argcount=0, RexxInstruction * start=0x00000000, ProtectedObject & resultObj={...}) Line 591  C++
            rexx.dll!RexxCode::call(Activity * activity=0x027d0318, RoutineClass * routine=0x027d74e8, RexxString * routineName=0x027d33a8, RexxObject * * argPtr=0x027d2fa8, unsigned int argcount=0, RexxString * calltype=0x00bacd90, RexxString * environment=0x00c75be8, ActivationContext context=PROGRAMCALL, ProtectedObject & result={...}) Line 188  C++
            rexx.dll!RoutineClass::runProgram(Activity * activity=0x027d0318, RexxObject * * arguments=0x027d2fa8, unsigned int argCount=0, ProtectedObject & result={...}) Line 264  C++
            rexx.dll!CallProgramDispatcher::run() Line 242  C++
            rexx.dll!NativeActivation::run(ActivityDispatcher & dispatcher={...}) Line 1641  C++
            rexx.dll!Activity::run(ActivityDispatcher & target={...}) Line 3314  C++
            rexx.dll!CallProgram(RexxThreadContext_ * c=0x027d032c, const char * p=0x00a832c9, _RexxArrayObject * a=0x027d2f78) Line 516  C++
            rexx.exe!RexxThreadContext_::CallProgram(const char * n=0x00a832c9, _RexxArrayObject * a=0x027d2f78) Line 998  C++
            rexx.exe!main(int argc=2, char * * argv=0x00a832b8) Line 226  C++
            rexx.exe!invoke_main() Line 64  C++
            rexx.exe!__scrt_common_main_seh() Line 253  C++
            rexx.exe!__scrt_common_main() Line 296  C++
            rexx.exe!mainCRTStartup() Line 17  C++
            kernel32.dll!@BaseThreadInitThunk@12() Unknown
            ntdll.dll!__RtlUserThreadStart() Unknown
            ntdll.dll!__RtlUserThreadStart@8() Unknown

    This is with a 32-bit debug version of ooRexx (r12377).

    ---

    Using the external program "createOleInfo.rex" and supplying an OLEObject (in this case Word's 'document' object) allows one to get an on-the-fly html-documentation of that particular OLEObject, which works just fine, hence I was surprised that it crashes ooRexx.

    Will keep the MSVS-Debugger open for a while in case further information is needed.

    ---rony
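The bug shape Rick describes above (two statements that only make sense when an IF condition held, but sit after its closing brace) is a common way to get exactly this crash: __report_rangecheckfailure is the compiler-inserted bounds check on a local array index, and it calls __report_securityfailure with FAST_FAIL_RANGE_CHECK_FAILURE (8), which is the failure_code=8 in the stack above. The following C program is an added, constructed illustration of that shape, not the ooRexx GetKnownEvents code: the event table, member list and names are hypothetical, and the range check is simulated by a helper that returns -1 instead of fast-failing so the buggy variant can be run safely. The buggy and fixed variants are shown side by side, differing only in where the braces close.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size table a scanner fills with the names of members
 * that turned out to be events (not the real ooRexx structure). */
#define MAX_EVENTS 4

typedef struct {
    const char *names[MAX_EVENTS];
    size_t count;
} event_table;

typedef struct {
    const char *name;
    int is_event;   /* hypothetical: 1 if this member is an event source */
} member;

/* Stand-in for the compiler-inserted range check. MSVC /GS emits
 * __report_rangecheckfailure here, which calls __report_securityfailure(8).
 * We return -1 instead so the buggy variant can be exercised. */
static int checked_store(event_table *t, size_t idx, const char *name)
{
    if (idx >= MAX_EVENTS)
        return -1;
    t->names[idx] = name;
    return 0;
}

/* Buggy shape: the store and the increment sit after the IF's closing brace,
 * so they run for every member, not only for events. The count drifts past
 * the table size and the next event's slot lands out of range. Returns the
 * number of entries recorded, or -1 if the range check fired. */
int collect_events_buggy(event_table *t, const member *m, size_t n)
{
    size_t slot = 0;
    t->count = 0;
    for (size_t i = 0; i < n; i++) {
        if (m[i].is_event) {
            slot = t->count;
        }
        if (checked_store(t, slot, m[i].name) != 0)   /* should be inside the braces */
            return -1;
        t->count++;                                   /* should be inside the braces */
    }
    return (int)t->count;
}

/* Fixed shape: both statements moved inside the braces, as the thread suggests. */
int collect_events_fixed(event_table *t, const member *m, size_t n)
{
    t->count = 0;
    for (size_t i = 0; i < n; i++) {
        if (m[i].is_event) {
            size_t slot = t->count;
            if (checked_store(t, slot, m[i].name) != 0)
                return -1;
            t->count++;
        }
    }
    return (int)t->count;
}

/* Constructed sample: six members, only two of them events. */
static const member sample[] = {
    {"Activate", 1}, {"Name", 0}, {"Path", 0},
    {"Saved", 0}, {"Content", 0}, {"Close", 1},
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

int run_buggy(void)
{
    event_table t;
    return collect_events_buggy(&t, sample, SAMPLE_LEN);
}

int run_fixed(void)
{
    event_table t;
    return collect_events_fixed(&t, sample, SAMPLE_LEN);
}

/* Name recorded at index i by the fixed variant, or NULL if i is past count. */
const char *fixed_name(size_t i)
{
    event_table t;
    if (collect_events_fixed(&t, sample, SAMPLE_LEN) < 0 || i >= t.count)
        return NULL;
    return t.names[i];
}

int main(void)
{
    printf("buggy: %d (negative means the range check fired)\n", run_buggy());
    printf("fixed: %d events recorded\n", run_fixed());
    return 0;
}
```

With this sample the buggy variant stores the first event at slot 0, then overwrites slot 0 four times for the non-events while the count climbs to 5; the second event then asks for slot 5 and the range check fires. Note that if the member list contained no second event the buggy loop would finish without tripping any check, leaving a corrupt count and a table full of overwritten entries, which is why a /GS hit like the one above should be read as "the check happened to catch it this time", not as the only consequence of the misplaced lines.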

_______________________________________________
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel
