genius257 / DllStructEx

Extended DllStruct for AutoIt3
MIT License

Crash when using IDispatch ptr ref within union #17

Closed genius257 closed 2 years ago

genius257 commented 2 years ago
#include "DllStructEx.au3"

; Plain struct that will be handed over as the IDispatch object.
$o = DllStructExCreate("INT x;")
; Union holding either a raw pointer or an IDispatch pointer in the same slot.
$o2 = DllStructExCreate("union{PTR text;IDispatch *object;} data;")
$o.x = 123
; Crashes here: DllStructEx tries to bump the interface's reference count on assignment.
$o2.data.object = $o
; Drop the local reference; the union member is expected to keep $o alive.
$o = Null
ConsoleWrite($o2.data.object.x & @CRLF)

Will crash when assigning the IDispatch object to the property. The expected cause is the attempt to increment the reference counter on the interface.

mlipok commented 2 years ago

Do you think this is related to internal AutoIt processing? Which AutoIt versions have you tried so far?

genius257 commented 2 years ago

No, I'm sure it is my code. Unions have not been tested deeply yet, so bugs are expected. Tested with AutoIt 3.3.14.5 and AutoIt 3.3.16. DllStructEx will try to increment the provided IDispatch's reference counter when setting the value. This is what I expect goes wrong: I calculate a wrong pointer in the case of the union and end up calling into random memory.

genius257 commented 2 years ago

Crashes on this line: https://github.com/genius257/DllStructEx/blob/27d750da205d8b46c524f3b98a6c1f9284ded9f9/DllStructEx.au3#L392

As I expected, it is indeed caused by calling into memory it was not intended to. https://github.com/genius257/DllStructEx/blob/27d750da205d8b46c524f3b98a6c1f9284ded9f9/DllStructEx.au3#L296-L300 When a union ptr gets here it falls through to the else branch, and the internal DllStruct used contains two elements instead of one, resulting in an unexpected offset of +4 bytes. Then, when the code checks whether a previous IDispatch exists on the property, it sees a non-null ptr and tries to call the Release method on what it thinks is an IDispatch object. Also, on the if statement there is a FIXME indicating more types need to be tested as well.
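The layout mistake and the refcount check described in the comment above, worked through in C as an added example (this is not code from DllStructEx or from this thread). A constructed vtable-based object stands in for a COM interface with AddRef/Release; `DataUnion` is the union from the repro, and `DataStruct` is the same two members laid out as a struct, which is what "two elements instead of one" amounts to. The resulting offset difference is `sizeof(void *)`, i.e. 4 bytes on 32-bit AutoIt, matching the +4 in the comment. `set_object` shows the order a refcount-safe setter needs: AddRef the new interface, store it, and Release the old one only if the slot at the correct offset was non-NULL. All type and function names below are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a COM-style refcounted interface: a vtable with
   AddRef/Release is all that the setter below needs from IDispatch. */
typedef struct Obj Obj;
typedef struct {
    unsigned long (*AddRef)(Obj *);
    unsigned long (*Release)(Obj *);
} ObjVtbl;
struct Obj {
    const ObjVtbl *lpVtbl;
    unsigned long refcount;
    int x;
};

static unsigned long obj_addref(Obj *o)  { return ++o->refcount; }
static unsigned long obj_release(Obj *o) { return --o->refcount; } /* real COM frees at 0 */
static const ObjVtbl obj_vtbl = { obj_addref, obj_release };

/* The member declared as `union{PTR text;IDispatch *object;} data;` in the repro:
   both names alias offset 0. */
typedef union { void *text; Obj *object; } DataUnion;
/* The same two members treated as a struct (the bug in the thread): `object`
   moves to a non-zero offset. */
typedef struct { void *text; Obj *object; } DataStruct;

size_t union_object_offset(void)  { return offsetof(DataUnion, object); }  /* 0 */
size_t struct_object_offset(void) { return offsetof(DataStruct, object); } /* sizeof(void *) */

/* Refcount-safe assignment into the union slot. AddRef the new interface before
   releasing the old one so that assigning the same object twice never drops it
   to zero, and Release only when the slot really held a non-NULL interface. */
void set_object(DataUnion *slot, Obj *newobj) {
    Obj *old = slot->object;
    if (newobj) newobj->lpVtbl->AddRef(newobj);
    slot->object = newobj;
    if (old) old->lpVtbl->Release(old);
}

/* Constructed container: the union followed by some unrelated pointer-sized field. */
typedef struct { DataUnion data; void *neighbour; } Outer;

/* Read a pointer from `base + off`, the way a struct accessor computes a member. */
Obj *read_object_at(const void *base, size_t off) {
    Obj *p;
    memcpy(&p, (const char *)base + off, sizeof p);
    return p;
}

/* The misread from the thread: the union slot holds NULL, but reading `object`
   through the struct layout lands on the neighbour and yields a non-NULL value.
   A "previous IDispatch exists, call Release" check would then act on garbage. */
int demo_wrong_offset_reads_neighbour(void) {
    Outer o;
    o.data.object = NULL;
    o.neighbour = (void *)(uintptr_t)0x1234; /* constructed: any non-NULL bytes */
    Obj *correct = read_object_at(&o, union_object_offset());
    Obj *wrong   = read_object_at(&o, struct_object_offset());
    return correct == NULL && wrong != NULL;
}

/* Refcount bookkeeping through a sequence of assignments to the same slot. */
int demo_refcount_roundtrip(void) {
    Obj a = { &obj_vtbl, 1, 123 }; /* refcount 1: the creator's own reference */
    Obj b = { &obj_vtbl, 1, 456 };
    DataUnion slot = { .text = NULL };
    set_object(&slot, &a);   /* a: 2 */
    set_object(&slot, &a);   /* a: AddRef then Release, still 2 */
    set_object(&slot, &b);   /* a: 1, b: 2 */
    set_object(&slot, NULL); /* b: 1, slot empty */
    return a.refcount == 1 && b.refcount == 1 && slot.object == NULL;
}

int main(void) {
    printf("object offset: union=%zu struct=%zu\n",
           union_object_offset(), struct_object_offset());
    printf("wrong offset reads neighbour: %d\n", demo_wrong_offset_reads_neighbour());
    printf("refcount roundtrip ok: %d\n", demo_refcount_roundtrip());
    return 0;
}
```

The point of `demo_wrong_offset_reads_neighbour` is that the bad offset does not fault by itself: it silently returns whatever pointer-sized bytes sit next to the union, so the crash surfaces one step later, inside the Release call through a vtable that was never there. Fixing the offset (the union branch in the type check) is what makes the non-NULL test in `set_object` meaningful again.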