My RPC server, which creates a dynamic array for the client, crashes inside Wine's RPC code while freeing the marshalling data.
Here is the IDL to reproduce the bug:
    typedef struct _Person_info {
        [string] char *name;
        unsigned int age;
    } Person_info_t;

    interface ITestRpc
    {
        void GetPersons( [out] unsigned long *persons_size,
                         [out, size_is(,*persons_size)] Person_info_t **persons);
    }
828.464trace:rpc:NdrStubCall2 phase = 5
828.464trace:rpc:stub_do_args param[0]: 0x1200ac -> 0x1200c8 type 08 IsOut IsBasetype IsSimpleRef ServerAllocSize = 8
828.464trace:ole:NdrBaseTypeMarshall pStubMsg 0xa2e294, pMemory 0x1200c8, type 0x08
828.464trace:ole:NdrBaseTypeMarshall value: 0x00000002
828.464trace:rpc:stub_do_args memory addr (after): 0x1200ac -> 0x1200c8
828.465trace:rpc:stub_do_args param[1]: 0x1200b0 -> 0x1200e0 type 11 MustSize MustFree IsOut ServerAllocSize = 8
828.465trace:ole:NdrPointerMarshall (0xa2e294,0x1200e0,0x40c5a8)
....
828.465trace:ole:PointerMarshall calling marshaller for type 0x1b
828.465trace:ole:NdrConformantArrayMarshall (0xa2e294,0x419d88,0x40c5c4)
828.465trace:ole:ComputeConformanceOrVariance toplevel conformance, ofs=4
828.465trace:ole:ComputeConformanceOrVariance dereferenced data type 9 at 0x1200c8, got 2 <=== Array contains 2 elements
828.465trace:ole:ComputeConformanceOrVariance resulting conformance is 2
...
828.465trace:rpc:NdrStubCall2 phase = 6
828.465trace:rpc:stub_do_args param[0]: 0x1200ac -> 0x1200c8 type 08 IsOut IsBasetype IsSimpleRef ServerAllocSize = 8
828.465Call ntdll.RtlFreeHeap(00110000,00000000,001200c8) ret=7ecfbd95
828.465trace:heap:RtlFreeHeap (0x110000,30000062,0x1200c8): returning TRUE
828.465Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ecfbd95
828.465trace:rpc:stub_do_args memory addr (after): 0x1200ac -> 0x1200c8
828.465trace:rpc:stub_do_args param[1]: 0x1200b0 -> 0x1200e0 type 11 MustSize MustFree IsOut ServerAllocSize = 8
...
828.465trace:ole:NdrConformantArrayFree (0xa2e294,0x419d88,0x40c5c4)
828.465trace:ole:ComputeConformanceOrVariance toplevel conformance, ofs=4
828.465trace:ole:ComputeConformanceOrVariance dereferenced data type 9 at 0x1200c8, got -17891602 <=== Trash is here!!!
828.465trace:ole:ComputeConformanceOrVariance resulting conformance is -17891602
How can I work around the problem?
Thanks.
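
Added example, not part of the original post and not Wine code: a small Python checker that walks a relay/trace log like the one above and reports every conformance value that ComputeConformanceOrVariance reads from an address already passed to RtlFreeHeap. On the quoted trace it flags the read at 0x1200c8, whose value -17891602 is 0xFEEEFEEE as an unsigned 32-bit number, matching the fill pattern used for freed heap memory. The sample lines are copied from the post; the RtlAllocateHeap return-line format is an assumption modelled on the RtlFreeHeap lines shown.

```python
import re

# Sample input: the relevant lines of the trace quoted in the post.
TRACE = """\
828.465trace:ole:ComputeConformanceOrVariance dereferenced data type 9 at 0x1200c8, got 2
828.465trace:rpc:NdrStubCall2 phase = 6
828.465Call ntdll.RtlFreeHeap(00110000,00000000,001200c8) ret=7ecfbd95
828.465trace:heap:RtlFreeHeap (0x110000,30000062,0x1200c8): returning TRUE
828.465trace:ole:NdrConformantArrayFree (0xa2e294,0x419d88,0x40c5c4)
828.465trace:ole:ComputeConformanceOrVariance dereferenced data type 9 at 0x1200c8, got -17891602
"""

# Relay line for a heap free: (heap, flags, pointer), all hex without 0x.
FREE_RE = re.compile(
    r"Call ntdll\.RtlFreeHeap\(([0-9a-fA-F]+),([0-9a-fA-F]+),([0-9a-fA-F]+)\)")
# Assumption: allocations return as "Ret ntdll.RtlAllocateHeap() retval=ADDR".
ALLOC_RET_RE = re.compile(r"Ret\s+ntdll\.RtlAllocateHeap\(\) retval=([0-9a-fA-F]+)")
# NDR trace line that reports where the conformance count was read from.
DEREF_RE = re.compile(
    r"ComputeConformanceOrVariance dereferenced data type \d+ "
    r"at (0x[0-9a-fA-F]+), got (-?\d+)")


def find_stale_conformance_reads(trace):
    """Return (line_no, address, value_as_u32) for each conformance read
    whose source address was freed earlier in the trace and not reallocated.
    Only exact block-start addresses are tracked, not interior pointers."""
    freed = {}      # address -> line number of the free
    findings = []
    for no, line in enumerate(trace.splitlines(), 1):
        m = FREE_RE.search(line)
        if m:
            freed[int(m.group(3), 16)] = no
            continue
        m = ALLOC_RET_RE.search(line)
        if m:
            freed.pop(int(m.group(1), 16), None)   # address is live again
            continue
        m = DEREF_RE.search(line)
        if m and int(m.group(1), 16) in freed:
            # Show the value as unsigned so fill patterns are recognisable.
            findings.append((no, int(m.group(1), 16), int(m.group(2)) & 0xFFFFFFFF))
    return findings


if __name__ == "__main__":
    for no, addr, value in find_stale_conformance_reads(TRACE):
        print(f"line {no}: conformance read from freed 0x{addr:x} -> 0x{value:08X}")
```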