Somewhere between 0.9.23 and 0.9.24, a commit introduced a bug in oleaut32
which results in a nasty crash when parsing some MSFT typelibs. Notably,
"regsvr32 msvbvm60.dll" will crash on this bug, although I experienced it
with DBGRID32.OCX too. I have traced the point of the crash to
typelib.c:1814:

    if ( pFuncRec->FKCCIC & 0x2000 )
    {
        (*pptfd)->Entry =
            SysAllocString((WCHAR*)pFuncRec->OptAttr[2]);
    }
Apparently, 0x2000 as a flag in FKCCIC indicates that pFuncRec->OptAttr[2]
is a pointer to some string. If what little understanding I have of
typelib loading is correct, these typelibs are read from DLL resources on
disk. Therefore, I fail to grasp how they can possibly refer to valid
memory locations. I have this attached patch that temporarily plugs the
crash, but I don't think the code is right in the first place. Or am I
missing some crucial fact about typelib parsing?
From a comparison with version 1.266:

    if ( pFuncRec->FKCCIC & 0x2000 )
    {
        (*pptfd)->Entry = (WCHAR*) pFuncRec->OptAttr[2] ;
    }
I would dare to say that it has always been wrong; it is only crashing now
because the code attempts to strdup() it with SysAllocString.
Alex Villacís Lasso

diff -ur wine-0.9.24-cvs/dlls/oleaut32/typelib.c wine-0.9.24-cvs-patch/dlls/oleaut32/typelib.c
--- wine-0.9.24-cvs/dlls/oleaut32/typelib.c 2006-10-27 10:10:29.000000000 -0500
+++ wine-0.9.24-cvs-patch/dlls/oleaut32/typelib.c 2006-10-28 19:20:23.000000000 -0500
@@ -1811,7 +1811,11 @@
if ( nrattributes > 2 )
{
- if ( pFuncRec->FKCCIC & 0x2000 )
+ if ( pFuncRec->FKCCIC & 0x2000 && pFuncRec->OptAttr[2] <= 0x1000)
+ {
+ ERR("Invalid string ptr %p\n", (WCHAR *)pFuncRec->OptAttr[2]);
+ }
+ if ( pFuncRec->FKCCIC & 0x2000 && pFuncRec->OptAttr[2] > 0x1000)
{
(*pptfd)->Entry = SysAllocString((WCHAR*)pFuncRec->OptAttr[2]);
}
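Review bot: the new `<= 0x1000` test in this hunk does not make the dereference safe. OptAttr[2] is read from the typelib on disk (as the post itself notes), so any value above 0x1000 that the file happens to contain is still cast to `WCHAR*` and handed to SysAllocString, and 0x1000 is a magic threshold with no stated relation to what the field holds. The post's own suspicion that the field is not a pointer at all is the right lead: the fix should decode OptAttr[2] according to its meaning in the file format and never dereference it. As written, a value at or below 0x1000 is only logged and `(*pptfd)->Entry` is left untouched on that path, so whatever it held before survives; and the two `if`s both re-test `pFuncRec->FKCCIC & 0x2000` and merely split the range on 0x1000, which would read more clearly as one `if ( pFuncRec->FKCCIC & 0x2000 )` with an inner `if/else`, with parentheses around the `&` sub-expression.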
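As an added example (not Wine's code, and using a constructed record layout rather than the real MSFT format), this is how a value read from the typelib on disk should be handled: resolved as a bounds-checked offset into the loaded blob, never cast to a pointer as the code above does. `FLAG_HAS_ENTRY`, `func_rec`, `read_entry`, `sample_blob` and `entry_of` are all names invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <wchar.h>

#define FLAG_HAS_ENTRY 0x2000   /* stands in for the FKCCIC 0x2000 bit */

/* Constructed record (not the real MSFT layout): a flag word and the value the
 * post found in OptAttr[2], treated here as an offset into the typelib blob. */
typedef struct { uint32_t flags; uint32_t entry_off; } func_rec;

/* Resolve rec->entry_off against the blob it was read from. Returns a malloc'd
 * NUL-terminated copy, or NULL when the offset is misaligned, lies outside the
 * blob, or the string has no terminator before the blob ends. The raw value is
 * never cast to a pointer, so no typelib content can make us dereference it. */
wchar_t *read_entry(const uint8_t *blob, size_t blob_len, const func_rec *rec)
{
    if (!(rec->flags & FLAG_HAS_ENTRY)) return NULL;
    size_t off = rec->entry_off;
    if (off >= blob_len || off % 2 != 0) return NULL;
    size_t max_units = (blob_len - off) / 2, n = 0;
    /* find the UTF-16LE terminator without reading past blob_len */
    while (n < max_units && (blob[off + 2*n] | blob[off + 2*n + 1]) != 0) n++;
    if (n == max_units) return NULL;
    wchar_t *out = malloc((n + 1) * sizeof *out);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++)
        out[i] = (wchar_t)(blob[off + 2*i] | (blob[off + 2*i + 1] << 8));
    out[n] = 0;
    return out;
}

/* Constructed sample "typelib": 8 header bytes, UTF-16LE "Foo\0" at offset 8,
 * then an unterminated "X" at offset 16 (18 bytes in total). */
static const uint8_t sample_blob[] = {
    0,0,0,0, 0,0,0,0, 'F',0, 'o',0, 'o',0, 0,0, 'X',0 };

/* Resolve `off` as the entry of a record in sample_blob; NULL means rejected. */
wchar_t *entry_of(uint32_t off)
{
    func_rec rec = { FLAG_HAS_ENTRY, off };
    return read_entry(sample_blob, sizeof sample_blob, &rec);
}
```

Pointer-looking values such as 0x00401000, offsets past the blob, and strings with no terminator inside the blob are all rejected instead of being dereferenced.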