This queue is for tickets about the Win32-API CPAN distribution.

Report information
The Basics
Id: 77048
Status: resolved
Priority: 0/
Queue: Win32-API

People
Owner: BULKDD [...] cpan.org
Requestors: bulk88 [...] hotmail.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.68
Fixed in: (no value)



Subject: USHORT type causes uninitialized memory crash
I have a function with the prototype of "DWORD __stdcall PtrUShortCall (DWORD_PTR ptr, USHORT num)". This crashes Win32::API 0.68 with DEBUGGING Perl 5.12. VS 2003 was used to compile Win32::API 0.68 and the test DLL and the DEBUGGING Perl 5.12. Changing the USHORT to a DWORD in the string prototype given to Win32::API makes everything superficially fine. Changing USHORT to SHORT causes same exact crash. Changing USHORT to short fails, see way way down for output of this test case. If I run testdll.pl on the commandline, the error is "Can't call method "Pack" on an undefined value at testdll.pl line 8.", if I run it in VS debugger, which includes the Win32 debugging heap, I get a crash, because of the BAADF00D poisoning. testdll.dll was generated by running compile.bat. I am 32 bit Win XP.
_________________________________________________
First-chance exception at 0x2815faf4 (perl512.dll) in perl.exe: 0xC0000005: Access violation reading location 0xbaadf015.
_________________________________________________
> perl512.dll!Perl_newSVsv(interpreter * my_perl=0x003940a4, sv * const old=0xbaadf00d) Line 8099 + 0x3 C
  API.dll!XS_Win32__API_Call(interpreter * my_perl=0x003940a4, cv * cv=0x009603c4) Line 614 + 0x58 C
  perl512.dll!Perl_pp_entersub(interpreter * my_perl=0x003940a4) Line 2882 + 0x10 C
  perl512.dll!Perl_runops_debug(interpreter * my_perl=0x003940a4) Line 2049 + 0xd C
  perl512.dll!S_run_body(interpreter * my_perl=0x003940a4, long oldscope=1) Line 2308 + 0xd C
  perl512.dll!perl_run(interpreter * my_perl=0x003940a4) Line 2233 + 0xd C
  perl512.dll!RunPerl(int argc=2, char * * argv=0x00282510, char * * env=0x002828d8) Line 270 + 0x9 C++
  perl.exe!main(int argc=2, char * * argv=0x00282510, char * * env=0x00282d50) Line 23 + 0x12 C
  perl.exe!mainCRTStartup() Line 398 + 0xe C
  kernel32.dll!_BaseProcessStart@4() + 0x23
________________________________________________________
Line 614 in api.c is
________________________________________________________
610
611 ENTER;
612 SAVETMPS;
613 PUSHMARK(SP);
614 XPUSHs(sv_2mortal(newSVsv(origST[i])));
615 PUTBACK;
616 count = call_method("Pack", G_DISCARD);
617 PUTBACK;
618
619 FREETMPS;
620 LEAVE;
_________________________________________________________
origST array seems to be uninitialized garbage, 8 is "good sized" number I choose to view the array, var nin is 1 BTW
____________________________________________________________
- origST,8  0x008346d4  sv * *
  + [0]  0xbaadf00d {sv_any=??? sv_refcnt=??? sv_flags=??? ...}  sv *
  + [1]  0xbaadf00d {sv_any=??? sv_refcnt=??? sv_flags=??? ...}  sv *
  + [2]  0xabababab {sv_any=??? sv_refcnt=??? sv_flags=??? ...}  sv *
  + [3]  0xabababab {sv_any=??? sv_refcnt=??? sv_flags=??? ...}  sv *
  + [4]  0xfeeefeee {sv_any=??? sv_refcnt=??? sv_flags=??? ...}  sv *
  + [5]  0x00000000 {sv_any=??? sv_refcnt=??? sv_flags=??? ...}  sv *
  + [6]  0x00000000 {sv_any=??? sv_refcnt=??? sv_flags=??? ...}  sv *
  + [7]  0x00080148 {sv_any=0x000000b0 sv_refcnt=218 sv_flags=1 ...}  sv *
______________________________________________________________
The output of testdll.pl on the command line is
_________________________________________________________
C:\Documents and Settings\Owner\Desktop\w32api>perl testdll.pl
Win32::API 0.68
Win32::API::new: Loading library 'testdll.dll'
(PM)parse_prototype: got PROC '_PtrUShortCall@8'
(PM)parse_prototype: got PARAMS 'DWORD_PTR ptr, USHORT num'
(PM)parse_prototype: IN='DWORD_PTR' PACKING='L' API_TYPE=1
(PM)parse_prototype: IN='USHORT' PACKING='S' API_TYPE=51
parse_prototype: IN=[ 1 51 ]
parse_prototype: OUT='DWORD' PACKING='L' API_TYPE=1
GetProcAddress('_PtrUShortCall@8') = '3801664'
Object blessed!
Can't call method "Pack" on an undefined value at testdll.pl line 8.
Win32::API::DESTROY: Freeing library 'testdll.dll'

C:\Documents and Settings\Owner\Desktop\w32api>
____________________________________________________________
The command line output of testdll.pl under VS debugger is
____________________________________________________________
Win32::API 0.68
Win32::API::new: Loading library 'testdll.dll'
(PM)parse_prototype: got PROC '_PtrUShortCall@8'
(PM)parse_prototype: got PARAMS 'DWORD_PTR ptr, USHORT num'
(PM)parse_prototype: IN='DWORD_PTR' PACKING='L' API_TYPE=1
(PM)parse_prototype: IN='USHORT' PACKING='S' API_TYPE=51
parse_prototype: IN=[ 1 51 ]
parse_prototype: OUT='DWORD' PACKING='L' API_TYPE=1
GetProcAddress('_PtrUShortCall@8') = '3801664'
Object blessed!
____________________________________________________________
Changing USHORT to short fails, CL output is
_____________________________________________________________
C:\Documents and Settings\Owner\Desktop\w32api>perl testdll.pl
Win32::API 0.68
Win32::API::new: Loading library 'testdll.dll'
(PM)parse_prototype: got PROC '_PtrUShortCall@8'
(PM)parse_prototype: got PARAMS 'DWORD_PTR ptr, short num'
(PM)parse_prototype: IN='DWORD_PTR' PACKING='L' API_TYPE=1
Win32::API::parse_prototype: WARNING unknown parameter type 'short' at C:/perl512/site/lib/Win32/API.pm line 305.
parse_prototype: IN=[ 1 3 ]
parse_prototype: OUT='DWORD' PACKING='L' API_TYPE=1
GetProcAddress('_PtrUShortCall@8') = '3801664'
Object blessed!
exiting
Win32::API::DESTROY: Freeing library 'testdll.dll'

C:\Documents and Settings\Owner\Desktop\w32api>
______________________________________________________________
C:\Documents and Settings\Owner\Desktop\w32api>perl -V
Summary of my perl5 (revision 5 version 12 subversion 2) configuration:

  Platform:
    osname=MSWin32, osvers=5.1, archname=MSWin32-x86-multi-thread
    uname=''
    config_args='undef'
    hint=recommended, useposix=true, d_sigaction=undef
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cl', ccflags ='-nologo -GF -W3 -Od -MD -Zi -DDEBUGGING -DWIN32 -D_CONSOLE -DNO_STRICT -DHAVE_DES_FCRYPT -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -DUSE_PERLIO',
    optimize='-Od -MD -Zi -DDEBUGGING',
    cppflags='-DWIN32'
    ccversion='13.10.3077', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=8
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='link', ldflags ='-nologo -nodefaultlib -debug -libpath:"c:\perl512\lib\CORE" -machine:x86'
    libpth="c:\Program Files\Microsoft Visual Studio .NET 2003\VC7\lib"
    libs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    perllibs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl512.lib
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -libpath:"c:\perl512\lib\CORE" -machine:x86'

Characteristics of this binary (from libperl):
  Compile-time options: DEBUGGING MULTIPLICITY PERL_DONT_CREATE_GVSV
                        PERL_IMPLICIT_CONTEXT PERL_IMPLICIT_SYS
                        PERL_MALLOC_WRAP PERL_TRACK_MEMPOOL PL_OP_SLAB_ALLOC
                        USE_ITHREADS USE_LARGE_FILES USE_PERLIO USE_PERL_ATOF
  Built under MSWin32
  Compiled at Mar 23 2011 08:10:43
  %ENV:
    PERL_JSON_BACKEND="JSON::XS"
    PERL_YAML_BACKEND="YAML"
  @INC:
    C:/perl512/site/lib
    C:/perl512/lib
    .

C:\Documents and Settings\Owner\Desktop\w32api>
_____________________________________________________
Subject: testdll.pl
#!/usr/bin/perl -w
#use strict;
use Win32::API;
$| = 1;
$Win32::API::DEBUG = 1;
print "Win32::API $Win32::API::VERSION\n";
my $o = Win32::API->new( 'testdll.dll', 'DWORD __stdcall _PtrUShortCall@8 (DWORD_PTR ptr, USHORT num)');
my $ret = $o->Call(1, 2);
print "exiting\n";
Subject: testdll.c
#include <windows.h>

BOOL APIENTRY _DllMainCRTStartup (HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved )
{
    return TRUE;
}

__declspec( dllexport ) DWORD __stdcall PtrUShortCall (DWORD_PTR ptr, USHORT num){
    return 1;
}
Subject: compile.bat
application/octet-stream 89b

Message body not shown because it is not plain text.

From: bulk88 [...] hotmail.com
It seems that 'S' stands for structure. There is no short at all in Win32::API. Yet Win32::API::Type is loaded with short family types that all are S or s. S/s is also the letter for pack's short. Someone wasn't thinking years ago when they implemented the structure support. From looking at Win32::API's github records, there never was short support, yet USHORT and SHORT as S/s were there since day 1 (0.20). Struct should have been given the letter T. Letter T is not used by pack(). So how is this going to be fixed? To fix this will break backwards compatibility if struct letter is moved to T and S becomes short type. This bug has been around since at least 2004, http://www.perlmonks.org/?node_id=369060 .
Fixed in 0.69. From changes file - Fixed RT #77048, shorts and short typedefs crashed since 'S' was mapped wrong to structs, fix in Win32::API::More, struct now 'T' in ::More, 'S'/'s' now dies on Win32::API if not Win32::API::Struct objs, not crashes
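
An added example, not code from Win32::API or from this ticket: a simplified C model of the letter collision discussed above, showing the defensive shape of the fix (zeroed side table, struct letter rejected when the argument is not a struct object). The two-pass layout and every name in it (`marshal`, `struct arg`, `more_mode`, the `rc` codes) are assumptions made for illustration; only the letters 'L', 'S'/'s' and 'T' come from the ticket.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model, not Win32::API's api.c; every name here is hypothetical. */
enum arg_kind { ARG_INT, ARG_STRUCT };      /* what the caller really passed */
struct arg { enum arg_kind kind; long ival; void *obj; };
enum rc { RC_OK = 0, RC_NOT_STRUCT = -1, RC_BAD_LETTER = -2, RC_NOMEM = -3 };
/* letters: one type letter per parameter. Legacy table: 'L' integer, 'S'/'s' struct.
 * more_mode models the 0.69 ::More table: 'T' struct, 'S'/'s' short.
 * *repacked counts the struct objects that would have Pack called on them. */
enum rc marshal(const char *letters, const struct arg *args, int more_mode,
                long *words, int *repacked)
{
    size_t n = strlen(letters), i;
    enum rc rc = RC_OK;
    /* calloc: a slot pass 1 never fills reads as NULL, not heap garbage */
    void **orig = calloc(n ? n : 1, sizeof *orig);
    if (!orig) return RC_NOMEM;
    *repacked = 0;
    /* Pass 1: record struct objects by what each argument actually is. */
    for (i = 0; i < n; i++) {
        if (args[i].kind == ARG_STRUCT && args[i].obj) orig[i] = args[i].obj;
        words[i] = orig[i] ? (long)(size_t)orig[i] : args[i].ival;
    }
    /* Pass 2: interpret by letter. A struct letter over an empty slot is the
     * mismatch in this ticket: return an error, never use orig[i]. */
    for (i = 0; i < n && rc == RC_OK; i++) {
        char c = letters[i];
        int is_struct = more_mode ? c == 'T' : (c == 'S' || c == 's');
        if (is_struct) {
            if (orig[i] == NULL) rc = RC_NOT_STRUCT;
            else (*repacked)++;
        } else if (more_mode && c == 'S') words[i] = (unsigned short)words[i];
        else if (more_mode && c == 's') words[i] = (short)words[i];
        else if (c != 'L') rc = RC_BAD_LETTER;
    }
    free(orig);
    return rc;
}

int main(void)
{
    /* Constructed input: the ticket's Call(1, 2) with letters "LS". */
    struct arg a[2] = { { ARG_INT, 1, NULL }, { ARG_INT, 2, NULL } };
    long w[2]; int n;
    printf("legacy: %d\n", marshal("LS", a, 0, w, &n));
    printf("::More: %d\n", marshal("LS", a, 1, w, &n));
    return 0;
}
```

With the legacy table the call is refused with an error code, the analogue of the 0.69 "dies, not crashes" behaviour; with the ::More table the same letters marshal the second argument as a 16-bit value.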