linuxdcpp-team team mailing list archive
Message #09185
[Bug 2019492] Re: Tab control crash Win10+
The crash happens with x64 builds only and it needs the executable linked with high entropy ASLR <https://learn.microsoft.com/en-us/cpp/build/reference/highentropyva-support-64-bit-aslr?view=msvc-170> enabled. Also it currently crashes only under an operating system that supports this feature such as Win8+.
The cause is that 8-byte-long x64 TabInfo pointers sent through using a <https://learn.microsoft.com/en-us/windows/win32/api/commctrl/ns-commctrl-tcitema> structure as an item data parameter are getting truncated to 4 bytes when they come out as <https://learn.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-drawitemstruct>.itemData or when accessed by TabCtrl_GetItem.
Both TCITEM's and the tab control's documentation <https://learn.microsoft.com/en-us/windows/win32/controls/tab-controls?redirectedfrom=MSDN#owner-drawn-tabs> mention this. You cannot pass through data with size other than 4 using this method, even though the size of the container for this data (TCITEM.lParam) is 8 bytes long in x64.
If no high entropy ASLR is applied at execution, as the current officially used linker mandates, then the virtual address space allocated for the binary remains under 4GiB, hence the pointer truncation has no effect and no crashes happen. But with various linking configurations, operating systems, memory size, etc. this can change at any time.
A <https://learn.microsoft.com/en-us/windows/win32/api/commctrl/ns-commctrl-tcitemheadera> must be used instead with quirks to work around some undocumented behavior.
A fix, that is under testing right now, will be committed soon.
** Changed in: dcplusplus
Status: New => Confirmed
** Changed in: dcplusplus
Importance: Undecided => Medium
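As an added illustration (not the project's fix, which the comment above says will move to TCITEMHEADER), here is a portable C simulation of the 32-bit round trip described in the comment, next to one defensive alternative: handing the control a validated slot index instead of the pointer. The control behaviour, the TabInfo type and the sample addresses are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the per-tab object whose address is stored in TCITEM.lParam. */
typedef struct TabInfo { const char *title; } TabInfo;

/* Constructed model of what the bug report describes: the control accepts an
 * 8-byte lParam but only the low 4 bytes come back (DRAWITEMSTRUCT.itemData,
 * TabCtrl_GetItem). This is a simulation, not comctl32 code. */
static uint64_t control_round_trip(uint64_t lparam)
{
    return (uint64_t)(uint32_t)lparam;
}

/* Storing the raw pointer: survives only while the address fits in 32 bits,
 * i.e. only while the image is mapped below 4 GiB (no high-entropy ASLR). */
static bool raw_pointer_survives(uint64_t tab_address)
{
    return control_round_trip(tab_address) == tab_address;
}

/* Alternative shown here: keep the pointers in an owner-side table and pass
 * only a 32-bit slot index through the control, so nothing is truncated. */
#define MAX_TABS 64
static TabInfo *g_tabs[MAX_TABS];
static uint32_t g_tab_count;
static TabInfo g_demo_tab = { "hub" };   /* constructed sample tab */

static bool tab_register(TabInfo *tab, uint32_t *slot_out)
{
    if (tab == NULL || g_tab_count >= MAX_TABS) return false;
    g_tabs[g_tab_count] = tab;
    *slot_out = g_tab_count++;
    return true;
}

/* Bounds-check the value that came back before using it as an index. */
static TabInfo *tab_lookup(uint64_t item_data)
{
    if (item_data >= g_tab_count) return NULL;
    return g_tabs[item_data];
}

static bool slot_survives(TabInfo *tab)
{
    uint32_t slot;
    if (!tab_register(tab, &slot)) return false;
    return tab_lookup(control_round_trip(slot)) == tab;
}

int main(void)
{
    /* Constructed address in the range high-entropy ASLR can pick (above 4 GiB). */
    uint64_t high = 0x00007FF6A1B20000ULL;
    printf("raw pointer above 4 GiB survives: %d\n", raw_pointer_survives(high));
    printf("slot index survives:              %d\n", slot_survives(&g_demo_tab));
    return 0;
}
```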
--
You received this bug notification because you are a member of
Dcplusplus-team, which is a bug assignee.
https://bugs.launchpad.net/bugs/2019492
Title:
Tab control crash Win10+
Status in DC++:
Confirmed
Bug description:
When running DC++ compiled under MSVC (currently using VS2022) and running on Win10+, DC++ will crash when using OwnerDrawn tabs and selecting button style, which will cause DC++ to immediately crash in TabView->handlePainting. (You can force this crash on every startup by going into DCPlusPlus.xml and setting the following: <TabStyle type="int">6</TabStyle>.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/2019492/+subscriptions