[Mono-bugs] [Bug 417256] New: [Win32] PrintingServicesWin32 accesses free'd memory ( GetPrintDialogInfo)

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Thu Aug 14 05:12:15 EDT 2008 

https://bugzilla.novell.com/show_bug.cgi?id=417256


           Summary: [Win32] PrintingServicesWin32 accesses free'd memory
                    (GetPrintDialogInfo)
           Product: Mono: Class Libraries
           Version: 1.9
          Platform: Other
        OS/Version: Windows
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Sys.Drawing.
        AssignedTo: mono-bugs at lists.ximian.com
        ReportedBy: andyhume32 at yahoo.co.uk
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---


Code does
   Win32GetPrinter (hPrn, 2, IntPtr.Zero, 0, ref needed);
   ptr = Marshal.AllocHGlobal (needed);
   Win32GetPrinter (hPrn, 2, ptr, needed, ref needed);
   printer_info = (PRINTER_INFO) Marshal.PtrToStructure (ptr, typeof
(PRINTER_INFO));
   Marshal.FreeHGlobal (ptr);

   port = Marshal.PtrToStringUni (printer_info.pPortName);
   comment  = Marshal.PtrToStringUni (printer_info.pComment);
   ...

The strings are stored in the memory block and therefore aren't accessible
after the free.  The FreeHGlobal call needs to be moved to the end.



Running under a debugger or with strict heap checking makes the fault apparent.
 With Windows full page-heap enabled, the program below terminates as follows.

[[
Stacktrace:

  at (wrapper managed-to-native)
System.Runtime.InteropServices.Marshal.PtrToStringUni (intptr) <0x00004>
  at (wrapper managed-to-native)
System.Runtime.InteropServices.Marshal.PtrToStringUni (intptr) <0xffffffff>
  at System.Drawing.Printing.PrintingServicesWin32.GetPrintDialogInfo
(string,string&,string&,string&,string&) [0x00068] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\System.Drawing\System.Drawing.Printing\PrintingServicesWin32.cs:377
  at System.Drawing.Printing.SysPrn.GetPrintDialogInfo
(string,string&,string&,string&,string&) [0x00000] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\System.Drawing\System.Drawing.Printing\PrintingServices.cs:113
  at (wrapper runtime-invoke)
System.Drawing.Printing.SysPrn.runtime_invoke_void_string_string&_string&_string&_string&
(object,intptr,intptr,intptr) <0xffffffff>
  at (wrapper managed-to-native) System.Reflection.MonoMethod.InternalInvoke
(object,object[]) <0x00004>
  at (wrapper managed-to-native) System.Reflection.MonoMethod.InternalInvoke
(object,object[]) <0xffffffff>
  at System.Reflection.MonoMethod.Invoke
(object,System.Reflection.BindingFlags,System.Reflection.Binder,object[],System.Globalization.CultureInfo)
[0x00055] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\corlib\System.Reflection\MonoMethod.cs:149
  at System.Reflection.MethodBase.Invoke (object,object[]) [0x00000] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\corlib\System.Reflection\MethodBase.cs:90
  at System.Windows.Forms.PrintDialog.SetPrinterDetails () [0x0006e] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\Managed.Windows.Forms\System.Windows.Forms\PrintDialog.cs:626
  at System.Windows.Forms.PrintDialog.OnPrinterSelectedIndexChanged
(object,System.EventArgs) [0x00000] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\Managed.Windows.Forms\System.Windows.Forms\PrintDialog.cs:605
  at System.Windows.Forms.ComboBox.OnSelectedIndexChanged (System.EventArgs)
[0x00023] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\Managed.Windows.Forms\System.Windows.Forms\ComboBox.cs:1142
  at System.Windows.Forms.ComboBox.set_SelectedIndex (int) [0x000a7] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\Managed.Windows.Forms\System.Windows.Forms\ComboBox.cs:649
  at System.Windows.Forms.ComboBox.set_SelectedItem (object) [0x0002c] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\Managed.Windows.Forms\System.Windows.Forms\ComboBox.cs:663
  at (wrapper remoting-invoke-with-check)
System.Windows.Forms.ComboBox.set_SelectedItem (object) <0xffffffff>
  at System.Windows.Forms.PrintDialog.CreateFormControls () [0x008e7] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\Managed.Windows.Forms\System.Windows.Forms\PrintDialog.cs:575
  at System.Windows.Forms.PrintDialog..ctor () [0x00034] in
C:\cygwin\tmp\monobuild\build\BUILD\mono-1.9\mcs\class\Managed.Windows.Forms\System.Windows.Forms\PrintDialog.cs:90
  at (wrapper remoting-invoke-with-check)
System.Windows.Forms.PrintDialog..ctor () <0xffffffff>
  at PrintDialog1.Main () <0x0001b>
  at (wrapper runtime-invoke) PrintDialog1.runtime_invoke_void
(object,intptr,intptr,intptr) <0xffffffff>

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
]]

[[
using System;
using System.Windows.Forms;


class PrintDialog1 {
    [STAThread]
    static void Main()
    {
        PrintDialog dlg = new PrintDialog();
    }
}
]]


-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

More information about the mono-bugs mailing list