Ticket #509 (Open)Sun Apr 25 10:54:17 UTC 2021
WindowManager can abort on data transfer when auto-scrolling
| Reported by: | James Peacock (318) | Severity: | Major |
| Part: | RISC OS: Module | Release: | |
| Milestone: | Status | Open |
Details by James Peacock (318):
If a wimp task uses Wimp_AutoScroll to start scrolling a window then a data abort occurs in the window manager under the following conditions:
- Wimp_AutoScroll is used to start scrolling a window with no wimp icons.
- The auto-scrolling window has scrolled as far as it can given the position of the pointer.
- After the scrolling has reached it limit, but still active the pointer is over an icon in different window.
This was originally noticed in Avalanche and after some investigation, it appears that the WindowManager is using the ID of the icon under the pointer with the data structures for the auto-scrolled window. If there have never been any icons in that window then this results in an invalid pointer dereference.
See https://www.riscosopen.org/forum/forums/11/topi…
This isn’t limited to Avalanche, the following BASIC application can be used to reproduce the problem as follows:
- Open a window containing some icons, e.g. the disc Free Space display.
- Run the test application below
- Position the test application’s window just above the first window opened.
- Move the pointer into the test application’s window and perform a SELECT drag. This should initiate auto-scrolling and the pointer will change accordingly.
- Move the pointer over one of the icons in the first window opened
- Wait for the auto-scroll to reach the limit of the window.
This triggers a data abort at exactly the same location in the WindowManager as in the VNC Client discussion referenced above.
ON ERROR ON ERROR OFF:ERROR ERR, REPORT$ + " at line " + STR$(ERL):ENDSYS "Wimp_Initialise",310,&4B534154,"AutoScroll Test",0DIM blk% 256 b% = blk% + 4 b%!0 = 300 b%!4 = 300 b%!8 = 500 b%!12 = 500 b%!16 = 0 b%!20 = 0 b%!24 = -1 b%!28 = &FF000052 b%!32 = &01070207 b%!36 = &00010301 b%!40 = 0 b%!44 = -300 b%!48 = 300 b%!52 = 0 b%!56 = &90000091 b%!60 = 10<<12 b%!64 = 1 b%!68 = &0000800080 $(b%+72) = "AutoScroll" + CHR$0 b%!84 = 0SYS "Wimp_CreateWindow",,b% TO window%!blk%=window% SYS "Wimp_OpenWindow",,blk%quit%=FALSE REPEAT SYS "Wimp_Poll",&3933,blk% TO event% CASE event% OF WHEN 2: SYS "Wimp_OpenWindow",,blk% WHEN 3: quit%=TRUE WHEN 6: PROCclick(blk%) WHEN 17: IF blk%!16=0 quit%=TRUE ENDCASE UNTIL quit% SYS "Wimp_CloseDown" ENDDEF PROCclick(blk%) IF blk%!8 = 64 THEN blk%!0 = window% blk%!4 = 80 blk%!8 = 80 blk%!12 = 80 blk%!16 = 80 blk%!20 = 0 blk%!24 = 1 blk%!28 = 0 SYS "Wimp_AutoScroll",3,blk% ENDIF ENDPROC
RISC OS 5.28 (16 Dec 2020) on a RPi 2B
Changelog:
Modified by James Peacock (318) Mon, April 26 2021 - 20:30:36 GMT
Built a softload WindowManager module with the following change to Wimp03.s
bc.. @ -1996,12 +1996,13 @
B gotbttype
;
; obtain ‘button type’ of user icon
;
01 CMP R4,#nullptr
- LDREQ R5,[handle,#w_workflags]; look up work area button type
- LDRNE R5,[handle,#w_icons]
+ Abs R5,R3
+ LDREQ R5,[R5,#w_workflags]; look up work area button type
+ LDRNE R5,[R5,#w_icons]
ADDNE R5,R5,#i_flags
LDRNE R5,[R5,R4,ASL #i_shift] ; R5 = flag word
;
; always report the menu button unless in border region
;
As I understand it, this changes the logic to look up the icon in the structure of the window (R3) owning the icon (R4), rather than the window which started the auto-scroll (handle). Looking at the local context of the change, this seems to make sense, however…
I’m less sure about the bigger picture though, in particular that in this case handle should always refer to same window as R3, in which case the problem would be elsewhere.
