From: Dmitry Timoshkov
Subject: Re: [PATCH] ieframe: Clear a being invalidated history entry.
Message-Id: <20220125214746.ce54665975e664aa68a45dd3@baikal.ru>
Date: Tue, 25 Jan 2022 21:47:46 +0300
In-Reply-To: <0dc6e9f0-55c6-cfd0-4326-903b98f5d4ce@codeweavers.com>
References: <20220124170445.3e7ba06816d83527e7277d77@baikal.ru>
 <0dc6e9f0-55c6-cfd0-4326-903b98f5d4ce@codeweavers.com>

Hi Jacek,

Jacek Caban wrote:

> On 1/24/22 15:04, Dmitry Timoshkov wrote:
> > update_travellog(), in order to clear forward history, calls free_travellog_entry() to
> > invalidate forward history entries, and when later an entry gets reused entry->stream
> > contains a no longer valid pointer.
>
>
> How does it "get reused"? Note that the log buffer is also initially not
> zero-initialized and generally depends on proper bounds checks.
> update_travellog() decrements length when it clears forward history,
> which should prevent us from treating those entries as valid.

Probably "gets reused" is the wrong term. What I observe here is that once
update_travellog() truncates the log, and the position in the history is equal
to the length, the next call to go_forward() will crash because the bounds check
'if (position >= length) return E_FAIL;' doesn't prevent referencing a no
longer valid history entry.

Does that explain what is going on?

-- 
Dmitry.
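The truncate-then-go-forward scenario discussed in this thread, as an added C model that is not Wine's ieframe code: update_travellog() frees the forward entries and zeroes them (the behaviour the patch subject describes), so a slot that is referenced after truncation holds NULL pointers rather than freed memory, and go_forward() checks both the bounds and that the entry still has a live stream. The field names, the fixed-size log, and the convention that position is one past the current page are assumptions of this model.

```c
#include <stdlib.h>
#include <string.h>
#define E_FAIL   ((long)0x80004005L)   /* same value as the COM HRESULT */
#define S_OK     0L
#define LOG_SIZE 8

/* Simplified model of a browser travel log, constructed for this example
 * (not Wine's real ieframe structures). Each entry owns a heap "stream"
 * holding saved page state; url points at a caller-owned string. */
typedef struct { const char *url; char *stream; } travellog_entry_t;
typedef struct {
    travellog_entry_t log[LOG_SIZE];
    unsigned length;    /* number of valid entries in log[] */
    unsigned position;  /* index just past the current page (assumption) */
} travellog_t;

/* Release an entry and zero it, so any later reference to the slot sees
 * NULL pointers instead of freed memory. */
static void free_travellog_entry(travellog_entry_t *entry)
{
    free(entry->stream);
    memset(entry, 0, sizeof(*entry));
}

/* Record a navigation: drop the forward history, then append the new page. */
static int update_travellog(travellog_t *tl, const char *url)
{
    while (tl->length > tl->position)             /* clear forward history */
        free_travellog_entry(&tl->log[--tl->length]);
    if (tl->position >= LOG_SIZE) return -1;      /* fixed capacity in this model */
    tl->log[tl->position].url = url;
    tl->log[tl->position].stream = calloc(1, 64); /* stands in for the saved stream */
    tl->length = ++tl->position;
    return 0;
}

static long go_back(travellog_t *tl)
{
    if (tl->position < 2) return E_FAIL;          /* nothing behind the current page */
    tl->position--;
    return S_OK;
}

/* Forward navigation: bounds-check against length, then insist on a live stream. */
static long go_forward(travellog_t *tl, const char **out_url)
{
    travellog_entry_t *entry;
    if (tl->position >= tl->length) return E_FAIL;
    entry = &tl->log[tl->position];
    if (!entry->stream) return E_FAIL;            /* cleared slot: never dereference it */
    *out_url = entry->url;
    tl->position++;
    return S_OK;
}
```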