  1. Core ReactOS
  2. CORE-11905

Access violation in clipbrd_wndproc due to NULL clipbrd pointer

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Win32SS, Wine
    • Labels:
      None

      Description

      This happens during ole32:clipboard as well as riched20:editor. It used to be an "Exception when calling unicode WndProc" print, which has now turned into a proper crash.

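      When destroying the clipboard window, we call UserClipboardRelease in win32k, which sends a WM_RENDERALLFORMATS message (message = 0x306 in the trace below) to the window. Because ole_inits has already been decremented to 0, get_ole_clipbrd returns a NULL pointer, which clipbrd_wndproc does not handle correctly: it appears to dereference the pointer without checking it, which is consistent with the faulting read at [ecx+0Ch] and the NULL clipbrd value shown below.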

      It is unclear whether the way we are sending this message is wrong or whether Wine's code needs to expect a null pointer (or decrement ole_inits later).

      Access violation - code c0000005 (first chance)
      First chance exceptions are reported before any exception handling.
      This exception may be expected and handled.
      ole32!clipbrd_wndproc+0xf1:
      001b:7c0691e1 8b510c          mov     edx,dword ptr [ecx+0Ch]
      kd> kp
      ChildEBP RetAddr
      0012fc28 7c54e517 ole32!clipbrd_wndproc(struct HWND__ * hwnd = 0x001300fc, unsigned int message = 0x306, unsigned long wparam = 0, long lparam = 0)+0xf1 [c:\ros\reactos-clean\reactos\dll\win32\ole32\clipboard.c @ 2024]
      0012fce4 7c5524be user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x7c0690f0, struct _WND * pWnd = 0x00357160, struct HWND__ * hWnd = 0x001300fc, unsigned int Msg = 0x306, unsigned int wParam = 0, long lParam = 0)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1502]
      0012fd70 7c92efd1 user32!User32CallWindowProcFromKernel(void * Arguments = 0x0012fd88, unsigned long ArgumentLength = 0x20)+0x24e [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 2939]
      0012fdc0 7c09d81d ntdll!KiUserCallbackDispatcher+0x2e
          nt!KeUserModeCallback [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\usercall.c @ 136]
          win32k!co_IntCallWindowProc+0x1ef [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\callback.c @ 346]
          win32k!co_IntSendMessageTimeoutSingle+0x424 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\message.c @ 1406]
          win32k!co_IntSendMessageTimeout+0x54 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\message.c @ 1495]
          win32k!co_IntSendMessage+0x44 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\message.c @ 1286]
          win32k!UserClipboardRelease+0x2d [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\clipboard.c @ 359]
          win32k!IntSendDestroyMsg+0xec [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\window.c @ 527]
          win32k!co_UserDestroyWindow+0x7b1 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\window.c @ 2873]
          win32k!NtUserDestroyWindow+0xa9 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\window.c @ 2908]
          nt!KiSystemCallTrampoline+0x1b [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 742]
          nt!KiSystemServiceHandler+0x24b [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1738]
          nt!KiFastCallEntry+0x8c
          ntdll!KiFastSystemCallRet
          user32!ZwUserDestroyWindow+0xc
      0012fdcc 00402627 ole32!OleUninitialize(void)+0x11d [c:\ros\reactos-clean\reactos\dll\win32\ole32\ole2.c @ 233]
      0012fe1c 00401c3f ole32_winetest!test_set_clipboard(void)+0x8b7 [c:\ros\reactos-clean\reactos\modules\rostests\winetests\ole32\clipboard.c @ 953]
      0012fe24 004678e6 ole32_winetest!func_clipboard(void)+0xf [c:\ros\reactos-clean\reactos\modules\rostests\winetests\ole32\clipboard.c @ 1614]
      0012fe40 0046776a ole32_winetest!run_test(char * name = 0x00531ff0 "clipboard")+0xa6 [c:\ros\reactos-clean\reactos\sdk\include\reactos\wine\test.h @ 674]
      0012fedc 00468d7a ole32_winetest!main(int argc = 2, char ** argv = 0x0052dff0)+0x18a [c:\ros\reactos-clean\reactos\sdk\include\reactos\wine\test.h @ 730]
      0012ffb4 00468aa8 ole32_winetest!__tmainCRTStartup(void)+0x2aa [c:\ros\reactos-clean\reactos\sdk\lib\crt\startup\crtexe.c @ 311]
      0012ffc0 7c773834 ole32_winetest!mainCRTStartup(void)+0x28 [c:\ros\reactos-clean\reactos\sdk\lib\crt\startup\crtexe.c @ 196]
      0012fff0 00000000 kernel32!BaseProcessStartup(<function> * lpStartAddress = 0x00468a80)+0x54 [c:\ros\reactos-clean\reactos\dll\win32\kernel32\client\proc.c @ 478]
      kd> bp win32k!UserClipboardRelease
      kd> ?? clipbrd
      struct ole_clipbrd * 0x00000000
      kd> !teb
      TEB at 7ffdf000
          ExceptionList:        0012fcd4
          StackBase:            00130000
          StackLimit:           0012d000
          SubSystemTib:         00000000
          FiberData:            00001e00
          ArbitraryUserPointer: 00000000
          Self:                 7ffdf000
          EnvironmentPointer:   00000000
          ClientId:             00000120 . 000000dc
          RpcHandle:            00000000
          Tls Storage:          0018afe0
          PEB Address:          7ffd9000
          LastErrorValue:       0
          LastStatusValue:      0
          Count Owned Locks:    0
          HardErrorMode:        0
      kd> ?? ((ole32!oletls*)((nt!_TEB*)0x7ffdf000)->ReservedForOle)
      struct oletls * 0x00543f00
         +0x000 apt              : 0x005c3f78 apartment
         +0x004 errorinfo        : (null)
         +0x008 state            : (null)
         +0x00c apt_mask         : 0
         +0x010 spy              : (null)
         +0x014 inits            : 1
         +0x018 ole_inits        : 0
         +0x01c causality_id     : _GUID {00000000-0000-0000-0000-000000000000}
         +0x02c pending_call_count_client : 0
         +0x030 pending_call_count_server : 0
         +0x034 unknown          : 0
         +0x038 context_token    : (null)
         +0x03c call_state       : (null)
         +0x040 unknown2         : [46] 0
         +0x0f8 cancel_object    : (null)


            People

            • Assignee:
              bug zilla Bug Zilla
              Reporter:
              ThFabba Thomas Faber