  1. Core ReactOS
  2. CORE-9555

Use after free in PROPSHEET_Finish on end of 2nd stage


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • Win32SS, Wine
    • None

    Description

      Running with DPH (Debug Page Heap) enabled, pressing the Finish button at the end of the 2nd-stage setup wizard causes an access violation in PROPSHEET_Finish at the `if (psInfo->result == 0)` check, because the psInfo block has already been freed. DPH only makes the use-after-free visible by making freed pages inaccessible; without it the same code would typically read stale heap memory silently and go unnoticed.
      This happens because the WM_NOTIFY (uMsg = 0x4e) that PROPSHEET_Finish sends to the wizard page a few lines earlier ends up, inside the page's notification handler, destroying the property sheet itself: the backtrace below shows WM_DESTROY (uMsg = 2) delivered via a kernel callback to the same hwndDlg (0x009a0070) that PROPSHEET_Finish is operating on, and PROPSHEET_DialogProc's WM_DESTROY handling calls PROPSHEET_CleanUp, which frees psInfo. When SendMessageW returns, PROPSHEET_Finish carries on using the now-dangling psInfo pointer:

      kd> kp
      ChildEBP RetAddr  
      0012ea44 77610f6c comctl32!PROPSHEET_CleanUp(struct HWND__ * hwndDlg = 0x009a0070) [c:\ros\reactos-clean\reactos\dll\win32\comctl32\propsheet.c @ 2664]
      0012edd4 77a8a537 comctl32!PROPSHEET_DialogProc(struct HWND__ * hwnd = 0x009a0070, unsigned int uMsg = 2, unsigned long wParam = 0, long lParam = 0)+0x46c [c:\ros\reactos-clean\reactos\dll\win32\comctl32\propsheet.c @ 3514]
      0012ee90 77a8c3b0 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x77610b00, struct _WND * pWnd = 0x00342398, struct HWND__ * hWnd = 0x009a0070, unsigned int Msg = 2, unsigned int wParam = 0, long lParam = 0)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1502]
      0012eeb4 77a6aab8 user32!CallWindowProcW(<function> * lpPrevWndFunc = 0x77610b00, struct HWND__ * hWnd = 0x009a0070, unsigned int Msg = 2, unsigned int wParam = 0, long lParam = 0)+0xa0 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1816]
      0012eee0 77a8a537 user32!DefDlgProcW(struct HWND__ * hDlg = 0x009a0070, unsigned int Msg = 2, unsigned int wParam = 0, long lParam = 0)+0x78 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\dialog.c @ 1740]
      0012ef9c 77a8e413 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x77a6aa40, struct _WND * pWnd = 0x00342398, struct HWND__ * hWnd = 0x009a0070, unsigned int Msg = 2, unsigned int wParam = 0, long lParam = 0)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1502]
      0012f028 7c92fd21 user32!User32CallWindowProcFromKernel(void * Arguments = 0x0012f040, unsigned long ArgumentLength = 0x20)+0x1f3 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 2932]
      0012f084 77a8a537 ntdll!KiUserCallbackDispatcher+0x2e
      0012f140 77a8c3b0 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x71149590, struct _WND * pWnd = 0x00346d78, struct HWND__ * hWnd = 0x0007010e, unsigned int Msg = 0x4e, unsigned int wParam = 0, long lParam = 0x12f498)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1502]
      0012f164 77a6aab8 user32!CallWindowProcW(<function> * lpPrevWndFunc = 0x71149590, struct HWND__ * hWnd = 0x0007010e, unsigned int Msg = 0x4e, unsigned int wParam = 0, long lParam = 0x12f498)+0xa0 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1816]
      0012f190 77a8a537 user32!DefDlgProcW(struct HWND__ * hDlg = 0x0007010e, unsigned int Msg = 0x4e, unsigned int wParam = 0, long lParam = 0x12f498)+0x78 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\dialog.c @ 1740]
      0012f24c 77a8c3b0 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x77a6aa40, struct _WND * pWnd = 0x00346d78, struct HWND__ * hWnd = 0x0007010e, unsigned int Msg = 0x4e, unsigned int wParam = 0, long lParam = 0x12f498)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1502]
      0012f270 775cdf3a user32!CallWindowProcW(<function> * lpPrevWndFunc = 0x77a6aa40, struct HWND__ * hWnd = 0x0007010e, unsigned int Msg = 0x4e, unsigned int wParam = 0, long lParam = 0x12f498)+0xa0 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1816]
      0012f29c 77613168 comctl32!DefSubclassProc(struct HWND__ * hWnd = 0x0007010e, unsigned int uMsg = 0x4e, unsigned long wParam = 0, long lParam = 0x12f498)+0x10a [c:\ros\reactos-clean\reactos\dll\win32\comctl32\commctrl.c @ 1331]
      0012f2b8 775cdf9f comctl32!PROPSHEET_WizardSubclassProc(struct HWND__ * hwnd = 0x0007010e, unsigned int uMsg = 0x4e, unsigned long wParam = 0, long lParam = 0x12f498, unsigned long uID = 1, unsigned long dwRef = 0x1233fd0)+0x58 [c:\ros\reactos-clean\reactos\dll\win32\comctl32\propsheet.c @ 1201]
      0012f2e8 775cdd4f comctl32!DefSubclassProc(struct HWND__ * hWnd = 0x0007010e, unsigned int uMsg = 0x4e, unsigned long wParam = 0, long lParam = 0x12f498)+0x16f [c:\ros\reactos-clean\reactos\dll\win32\comctl32\commctrl.c @ 1339]
      0012f30c 77a8a537 comctl32!COMCTL32_SubclassProc(struct HWND__ * hWnd = 0x0007010e, unsigned int uMsg = 0x4e, unsigned long wParam = 0, long lParam = 0x12f498)+0x10f [c:\ros\reactos-clean\reactos\dll\win32\comctl32\commctrl.c @ 1280]
      0012f3c8 77a8c935 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x775cdc40, struct _WND * pWnd = 0x00346d78, struct HWND__ * hWnd = 0x0007010e, unsigned int Msg = 0x4e, unsigned int wParam = 0, long lParam = 0x12f498)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1502]
      0012f3f0 77a8d43d user32!IntCallMessageProc(struct _WND * Wnd = 0x00346d78, struct HWND__ * hWnd = 0x0007010e, unsigned int Msg = 0x4e, unsigned int wParam = 0, long lParam = 0x12f498, int Ansi = 0)+0x1a5 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1742]
      0012f470 7761413b user32!SendMessageW(struct HWND__ * Wnd = 0x0007010e, unsigned int Msg = 0x4e, unsigned int wParam = 0, long lParam = 0x12f498)+0x11d [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 2351]
      0012f4ac 7761665a comctl32!PROPSHEET_Finish(struct HWND__ * hwndDlg = 0x009a0070)+0xdb [c:\ros\reactos-clean\reactos\dll\win32\comctl32\propsheet.c @ 1679]
      0012f4c4 77610fa1 comctl32!PROPSHEET_DoCommand(struct HWND__ * hwnd = 0x009a0070, unsigned short wID = 0x3025)+0x13a [c:\ros\reactos-clean\reactos\dll\win32\comctl32\propsheet.c @ 3169]
      0012f858 77a8a537 comctl32!PROPSHEET_DialogProc(struct HWND__ * hwnd = 0x009a0070, unsigned int uMsg = 0x111, unsigned long wParam = 0x3025, long lParam = 0x9a006a)+0x4a1 [c:\ros\reactos-clean\reactos\dll\win32\comctl32\propsheet.c @ 3522]
      0012f914 77a8c3b0 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x77610b00, struct _WND * pWnd = 0x00342398, struct HWND__ * hWnd = 0x009a0070, unsigned int Msg = 0x111, unsigned int wParam = 0x3025, long lParam = 0x9a006a)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1502]
      0012f938 77a6aab8 user32!CallWindowProcW(<function> * lpPrevWndFunc = 0x77610b00, struct HWND__ * hWnd = 0x009a0070, unsigned int Msg = 0x111, unsigned int wParam = 0x3025, long lParam = 0x9a006a)+0xa0 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1816]
      0012f964 77a8a537 user32!DefDlgProcW(struct HWND__ * hDlg = 0x009a0070, unsigned int Msg = 0x111, unsigned int wParam = 0x3025, long lParam = 0x9a006a)+0x78 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\dialog.c @ 1740]
      0012fa20 77a8c935 user32!IntCallWindowProcW(int IsAnsiProc = 0, <function> * WndProc = 0x77a6aa40, struct _WND * pWnd = 0x00342398, struct HWND__ * hWnd = 0x009a0070, unsigned int Msg = 0x111, unsigned int wParam = 0x3025, long lParam = 0x9a006a)+0x417 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1502]
      0012fa48 77a8d43d user32!IntCallMessageProc(struct _WND * Wnd = 0x00342398, struct HWND__ * hWnd = 0x009a0070, unsigned int Msg = 0x111, unsigned int wParam = 0x3025, long lParam = 0x9a006a, int Ansi = 0)+0x1a5 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 1742]
      0012fac8 77a6c745 user32!SendMessageW(struct HWND__ * Wnd = 0x009a0070, unsigned int Msg = 0x111, unsigned int wParam = 0x3025, long lParam = 0x9a006a)+0x11d [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\message.c @ 2351]
      0012fb24 71145eae user32!IsDialogMessageW(struct HWND__ * hDlg = 0x009a0070, struct tagMSG * lpMsg = 0x0012fb3c)+0x375 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\dialog.c @ 2585]
      0012fc00 711424e1 syssetup!InstallWizard(void)+0x35e [c:\ros\reactos-clean\reactos\dll\win32\syssetup\wizard.c @ 2413]
      0012fe98 00401174 syssetup!InstallReactOS(struct HINSTANCE__ * hInstance = 0x00400000)+0x1f1 [c:\ros\reactos-clean\reactos\dll\win32\syssetup\install.c @ 1038]
      0012feb0 004010ab setup!RunNewSetup(struct HINSTANCE__ * hInstance = 0x00400000)+0x94 [c:\ros\reactos-clean\reactos\base\setup\setup\setup.c @ 82]
      0012fec4 0040236e setup!wWinMain(struct HINSTANCE__ * hInstance = 0x00400000, struct HINSTANCE__ * hPrevInstance = 0x00000000, unsigned short * lpCmdLine = 0x001b2fec, int nShowCmd = 0xa)+0x6b [c:\ros\reactos-clean\reactos\base\setup\setup\setup.c @ 139]
      0012fedc 00401aa8 setup!wmain(int flags = 2, unsigned short ** cmdline = 0x001c2ff8, unsigned short ** inst = 0x0019cfd8)+0x1e [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crt0_w.c @ 26]
      0012ffb4 004017a6 setup!__tmainCRTStartup(void)+0x2a8 [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crtexe.c @ 307]
      0012ffc0 77d93929 setup!wWinMainCRTStartup(void)+0x26 [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crtexe.c @ 168]
      0012fff0 00000000 kernel32!BaseProcessStartup(<function> * lpStartAddress = 0x00401780)+0x69 [c:\ros\reactos-clean\reactos\dll\win32\kernel32\client\proc.c @ 478]

      Not entirely sure if this is a bug in the property sheet code or the Win32 subsystem, but it looks like the former (in which case a fix should go to Wine, since that is where this comctl32 code comes from). The usual fix pattern for this class of bug is that PROPSHEET_Finish must not dereference psInfo after sending the notification unless it first confirms the sheet still exists (e.g. by re-reading the property from hwndDlg after SendMessage, or by copying whatever it needs out of psInfo before sending), because a notification handler is free to destroy the dialog.
