WineHQ Bugzilla – Bug 28423 – ImmGetDescriptionW() from imm32 crashes with certain parameters

Bugzilla

Last modified: 2014-12-31 13:38:56 UTC

ImmGetDescriptionW() from imm32 crashes with certain parameters

Bug 28423 - ImmGetDescriptionW() from imm32 crashes with certain parameters


Summary:	ImmGetDescriptionW() from imm32 crashes with certain parameters

Status:	CLOSED FIXED

AppDB:	Show Apps affected by this bug
Product:	Wine
Classification:	Unclassified
Component:	imm32
Version:	1.3.28
Hardware:	x86 Linux

Importance:	P2 normal
Target Milestone:	---
Assigned To:	Mr. Bugs

URL:
Keywords:	download, testcase

Depends on:
Blocks:
	Show dependency tree

Reported:	2011-09-17 20:04 UTC by Rubén Ibarra
Modified:	2014-12-31 13:38 UTC (History)
CC List:	6 users (show)

See Also:
Regression SHA1:
Fixed by SHA1:	8b933495fb4b9a874b9f1f3560847739520ba384
Distribution:	---
Staged patchset:

Attachments
The test program I did. (465.20 KB, application/x-msdos-program) 2011-09-17 20:04 UTC, Rubén Ibarra	Details
Avoid null pointer copy (493 bytes, patch) 2011-09-18 18:22 UTC, Bruno Jesus	Details \| Diff
Patch to fix the issue in wine 1.5.6 (3.37 KB, patch) 2012-06-16 22:49 UTC, Bruno Jesus	Details \| Diff
Show Obsolete (1) View All Add an attachment (back traces, logs, proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rubén Ibarra 2011-09-17 20:04:28 UTC

Created attachment 36436 [details]
The test program I did.

When a program calls ImmGetDescriptionW(NULL,NULL,direction), it crashes instead of returning a direction and the size of it in characters, here is a test program in the attachments and its source code.

This bug can be solved by adding this or something to allcate memory to imm32, try it on both windows.

Also, it only occurs in a pointer, not on a finite empty array.

Comment 1 Rubén Ibarra 2011-09-17 20:13:41 UTC

Also this is the source code:
#include <windows.h>
#include <stdio.h>
#include <cstdlib>
#include <iostream>
#include <fstream>
#include <wchar.h>
using namespace std;

int main()
{
    unsigned int prueba;
    fstream resultado;
    WCHAR* testptr;
    resultado.open("result.txt",ios::out);
    prueba = ImmGetDescriptionW(NULL,testptr,255);
    resultado << "Address: " << testptr << endl;
    resultado << "Character length: " << prueba << endl;
    resultado.close();
}

Comment 2 Nikolay Sivov 2011-09-18 00:53:33 UTC

(In reply to comment #1)
> 
> int main()
> {
>     unsigned int prueba;
>     fstream resultado;
>     WCHAR* testptr;
>     resultado.open("result.txt",ios::out);
>     prueba = ImmGetDescriptionW(NULL,testptr,255);
>     resultado << "Address: " << testptr << endl;
>     resultado << "Character length: " << prueba << endl;
>     resultado.close();
> }

testptr is uninitialized so results are unreliable. Please add a test like ImmGetDescriptionW/A(NULL, NULL, 1) to imm32/tests.

Comment 3 Nikolay Sivov 2011-09-18 00:53:59 UTC

What Wine version by the way?

Comment 4 Rubén Ibarra 2011-09-18 08:27:28 UTC

(In reply to comment #3)
> What Wine version by the way?

Forgot to tell it is 1.3.28, added to the description.

Comment 5 Rubén Ibarra 2011-09-18 08:28:52 UTC

if(!hKL && !lpszDescription) 
{
	lpszDescription = (WCHAR*)HeapAlloc(HeapCreate( 0, 0, 255 ),HEAP_ZERO_MEMORY,255);
}
Those are the lines that fixed it for me, but I don't know to make a patch and I know more implementation is needed for the function to be correct.

Comment 6 Bruno Jesus 2011-09-18 18:22:34 UTC

Created attachment 36456 [details]
Avoid null pointer copy

What application depends on this? Is it available for download?

Please, test the attached patch. It makes your test not crash.

Comment 7 Rubén Ibarra 2011-09-19 07:14:05 UTC

(In reply to comment #6)
> Created an attachment (id=36456) [details]
> Avoid null pointer copy
> 
> What application depends on this? Is it available for download?
> 
> Please, test the attached patch. It makes your test not crash.

(In reply to comment #6)
> Created an attachment (id=36456) [details]
> Avoid null pointer copy
> 
> What application depends on this? Is it available for download?
> 
> Please, test the attached patch. It makes your test not crash.

It is ok, however, it would be better if it returns an address, on windows it returns an address, and about the application is not exactly an application, just an attempt to implement that function completely since Phantasy Star Online calls that function.

Comment 8 Bruno Jesus 2011-09-19 12:10:53 UTC

Can you provide the source code for the original .exe you posted? Your example code does not work for me, even fixing the ptr. Return value is always zero. Tested in Visual C++ 6.

Does the game work with the patch I attached previously?

lpszDescription may be null and in such cases it's not filled. If uBufLen is zero the returned value is the required size for lpszDescription.

The caller must pass a valid pointer to the function, ImmGetDescription should not allocate memory as far as I can see and even if it did there is no way to return it to the user judging by it's parameters.

Comment 9 JHaleIT 2012-02-28 11:12:02 UTC

This issue has been fixed.

Comment 10 Austin English 2012-02-28 12:24:24 UTC

(In reply to comment #9)
> This issue has been fixed.

The test program from comment #0 fails here in wine-1.4-rc5-45-g74ddf01.

Bruno's patch works around it.

Comment 11 JHaleIT 2012-02-28 13:16:50 UTC

Oh sorry I posted in the wrong bug hahaha

Comment 12 Bruno Jesus 2012-02-29 21:20:23 UTC

Windows 7 and XP must crash if a valid IMM description is to be returned and lpszDescription is NULL. The main problem here is that wine is not filtering the NULL (read as "not valid") hkl parameter. If the hkl is invalid ImmGetDescription should return zero and in some cases set error to invalid handle.

Comment 13 Jerome Leclanche 2012-03-03 13:56:02 UTC

(In reply to comment #12)
Tests committed.

Comment 14 Bruno Jesus 2012-06-16 22:49:08 UTC

Created attachment 40573 [details]
Patch to fix the issue in wine 1.5.6

The attached patch will fix the problem but as I could not test it fully in windows I'm not submitting it yet. None of the machines in testbot returns valid IMEs to test (tests are skipped).

Comment 15 Aric Stewart 2013-09-17 13:12:34 UTC

(In reply to comment #14)
> Created attachment 40573 [details]
> Patch to fix the issue in wine 1.5.6
> 
> The attached patch will fix the problem but as I could not test it fully in
> windows I'm not submitting it yet. None of the machines in testbot returns
> valid IMEs to test (tests are skipped).

Ok I am testing on Japanese windows XP.

ret = ImmGetDescriptionW(hkl, NULL, 100);  -> Causes and exception
ret = ImmGetDescriptionA(hkl, NULL, 100); -> Causes an exception

 
As for Vista and Windows 7, ImmGetDescription is broken there. It just does not function.

http://blogs.msdn.com/b/michkap/archive/2008/12/04/9173920.aspx

I can try installing a custom old style IME and see but the above windows XP behavior seems to imply to me that crashing in the case of HKL, NULL, 100 is correct.


Back to windows XP;

    ret = ImmGetDescriptionW(NULL, NULL, 100);
    ok(!ret, "ImmGetDescriptionW failed, expected 0 received %d.\n", ret);

That works without issue.


that that implys that your 
+  if (!hKL) return 0;

is correct, but that
+  if (!lpszDescription) return 0;

is incorrect.

If there is any other testing I can do please ask.

Comment 16 Bruno Jesus 2013-09-17 13:18:15 UTC

(In reply to comment #15)
> If there is any other testing I can do please ask.

Thank you very much for testing, I gave that patch to Qian Hong since I can't test and he is currently working in Imm stuff. I hope he will find your results useful.

Comment 17 Bruno Jesus 2013-09-18 19:48:52 UTC

Fixed by 8b933495fb4b9a874b9f1f3560847739520ba384, thanks Aric.

Comment 18 Alexandre Julliard 2013-09-27 13:40:50 UTC

Closing bugs fixed in 1.7.3.

Comment 19 Alexandre Julliard 2013-11-15 13:39:33 UTC

Removing 1.6.x milestone from bugs included in 1.6.1.