Fix memory overwriting bug by BabyGrid#14880
Fix memory overwriting bug by BabyGrid#14880xomx wants to merge 2 commits intonotepad-plus-plus:masterfrom
Conversation
|
@xomx |
You would need a disassembler to really find out. What @xomx means by "app memory layout" is the stack alignment of the function parameters and local variables. When you add a parameter or declare a new variable, more data gets pushed to the stack, and the existing data has to be aligned differently. In a 32-bit process, each data item is aligned on a boundary of 4 bytes. If the data's byte count in not a perfect multiple of 4, padding is used to push it into the next boundary. A 32-bit pointer is also 4 bytes. Before the hDPI stuff, the pointer to the Baby Grid probably had padding around it, so a negative index would land in the padded zone where no real data was stored, without any fatal consequence. Data in a 64-bit process is 8-byte aligned, which probably results in padding, before and after the hDPI stuff, so the crash was always avoided. |
Not this time, the sizeof(BGHS) > 60kB for sure!
Ok, I will describe what I did to find that later (in short - I used HW memory breakpoints to watch the relevant NULLed CRT mem-address). |
|
@xomx it also uses |
There was a problem hiding this comment.
RefreshGrid is called usually after initialization, but since FindGrid could return -1, it might be worth to do the following:
void RefreshGrid(HWND hWnd)
{
RECT rect;
int SI;
GetClientRect(hWnd,&rect);
InvalidateRect(hWnd,&rect,FALSE);
SI=FindGrid(GetMenu(hWnd));
if(SI != -1 && BGHS[SI].EDITING)
{
DisplayEditString(hWnd, SI, TEXT(""));
}
}
It is covered by my patch too. When I saw that horrible BabyGrid code referencing that But nowadays I am really short of time so I just tried my luck - I added this to the FindGrid func before its Then I just debugged and watched if the FindGrid returning -1 has to be patched at some other places than in my current PR fix. Luckily after the WM_CREATE the FindGrid never returns the -1 (until the ending WM_NCDESTROY, but this is ok too with my simple fix). That |
|
sorry for the delay, here is the final proof:
|
Fix #14855 (comment) , #14871 (comment)
BabyGrid code was overwriting foreign memory on its initialization and deinitialization. At that time (WM_NCCREATE, WM_NCCALCSIZE, WM_CREATE and WM_NCDESTROY) the relevant
FindGridfunc returns -1, which was used as an index pointing to a memory area before the wholeBGHSobject (BGHS[-1]...)!This was a long-standing hidden bug that only started to manifest itself probably when the app memory layout shifted somehow and important objects/data started to be overwritten, resulting in the visible app crashes.