Added patch to fix NULL pointer dereference in get_frame_by_name.

Note: An almost identical version was also submitted by Indrek Altpere to wine-patches, but Michael Müller submitted his own attempt even earlier to me - see timestamp of the patch.
2024-09-13 09:17:20 -07:00 · 2015-05-29 20:09:02 +02:00 · 2015-05-29 20:09:02 +02:00 · f5c6731e84
commit f5c6731e84
parent cec272a2d4
5 changed files with 52 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -39,7 +39,7 @@ Wine. All those differences are also documented on the
 Included bug fixes and improvements
 -----------------------------------

-**Bug fixes and features included in the next upcoming release [10]:**
+**Bug fixes and features included in the next upcoming release [11]:**

 * Add shell32 placeholder icons to match offsets with Windows ([Wine Bug #30185](https://bugs.winehq.org/show_bug.cgi?id=30185))
 * Add stub for iphlpapi.ConvertInterfaceLuidToGuid ([Wine Bug #38576](https://bugs.winehq.org/show_bug.cgi?id=38576))
@ -47,6 +47,7 @@ Included bug fixes and improvements
 * Allow to enable/disable InsertMode in wineconsole settings ([Wine Bug #36704](https://bugs.winehq.org/show_bug.cgi?id=36704))
 * Also handle '\r' as whitespace in wbemprox queries
 * Assign a drive serial number during prefix creation/update ([Wine Bug #17823](https://bugs.winehq.org/show_bug.cgi?id=17823))
+* Fix NULL pointer dereference in get_frame_by_name ([Wine Bug #34982](https://bugs.winehq.org/show_bug.cgi?id=34982))
 * Fix crash in Gothic 1/2 with builtin directmusic caused by wrong return value ([Wine Bug #7425](https://bugs.winehq.org/show_bug.cgi?id=7425))
 * Return fake device type when systemroot is located on virtual disk ([Wine Bug #36546](https://bugs.winehq.org/show_bug.cgi?id=36546))
 * Support for ws2_32.dll.WSAPoll ([Wine Bug #38601](https://bugs.winehq.org/show_bug.cgi?id=38601))
--- a/debian/changelog
+++ b/debian/changelog
@ -12,6 +12,7 @@ wine-staging (1.7.44) UNRELEASED; urgency=low
    wrong return value.
  * Added patch to return fake device type when systemroot is located on virtual
    disk (improves compatibility when wineprefix is on tmpfs).
+  * Added patch to fix NULL pointer dereference in get_frame_by_name.
  * Removed patch to reset device state in SysKeyboard*Impl_Acquire (accepted
    upstream).
  * Removed patch to avoid creating thread queues for foreign threads in
--- a/patches/mshtml-get_frame_by_name/0001-mshtml-Do-not-crash-on-null-window-in-get_frame_by_n.patch
+++ b/patches/mshtml-get_frame_by_name/0001-mshtml-Do-not-crash-on-null-window-in-get_frame_by_n.patch
@ -0,0 +1,29 @@
+From d426832abe3e622e471dddf472f5b24aa53d6fe8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Fri, 29 May 2015 02:41:09 +0200
+Subject: mshtml: Do not crash on null window in get_frame_by_name.
+
+---
+ dlls/mshtml/htmlwindow.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/dlls/mshtml/htmlwindow.c b/dlls/mshtml/htmlwindow.c
+index 618648e..92ed869 100644
+--- a/dlls/mshtml/htmlwindow.c
+++ b/dlls/mshtml/htmlwindow.c
+@@ -406,6 +406,12 @@ HRESULT get_frame_by_name(HTMLOuterWindow *This, const WCHAR *name, BOOL deep, H
+ 
+         nsIDOMWindow_Release(nswindow);
+ 
+        if (!window_iter)
+        {
+            FIXME("nsIDOMWindow %p is invalid!\n", nswindow);
+            continue;
+        }
+
+         hres = IHTMLElement_get_id(&window_iter->frame_element->element.IHTMLElement_iface, &id);
+         if(FAILED(hres)) {
+             FIXME("IHTMLElement_get_id failed: 0x%08x\n", hres);
+-- 
+2.4.2
+
--- a/patches/mshtml-get_frame_by_name/definition
+++ b/patches/mshtml-get_frame_by_name/definition
@ -0,0 +1 @@
+Fixes: [34982] Fix NULL pointer dereference in get_frame_by_name
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -150,6 +150,7 @@ patch_enable_all ()
 	enable_mmdevapi_AEV_Stubs="$1"
 	enable_mountmgr_DosDevices="$1"
 	enable_mscoree_CorValidateImage="$1"
+	enable_mshtml_get_frame_by_name="$1"
 	enable_msvcp90_basic_string_dtor="$1"
 	enable_msvcrt_Math_Precision="$1"
 	enable_msvcrt_atof_strtod="$1"
@ -513,6 +514,9 @@ patch_enable ()
 		mscoree-CorValidateImage)
 			enable_mscoree_CorValidateImage="$2"
 			;;
+		mshtml-get_frame_by_name)
+			enable_mshtml_get_frame_by_name="$2"
+			;;
 		msvcp90-basic_string_dtor)
 			enable_msvcp90_basic_string_dtor="$2"
 			;;
@ -3756,6 +3760,21 @@ if test "$enable_mscoree_CorValidateImage" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset mshtml-get_frame_by_name
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#34982] Fix NULL pointer dereference in get_frame_by_name
+# |
+# | Modified files:
+# |   *	dlls/mshtml/htmlwindow.c
+# |
+if test "$enable_mshtml_get_frame_by_name" -eq 1; then
+	patch_apply mshtml-get_frame_by_name/0001-mshtml-Do-not-crash-on-null-window-in-get_frame_by_n.patch
+	(
+		echo '+    { "Michael Müller", "mshtml: Do not crash on null window in get_frame_by_name.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset msvcp90-basic_string_dtor
 # |
 # | This patchset fixes the following Wine bugs:
				`@ -0,0 +1 @@`
				`Fixes: [34982] Fix NULL pointer dereference in get_frame_by_name`