Fix bug in VARDESC, TYPEDESC, and FUNCDESC causing illegal memory access. The types contained an array that might be zero-sized, but JNA tried to read at least one item.

Lauri Wiljami Ahonen · Lauri Wiljami Ahonen · commit 48560fdcd86b · 2025-12-01T17:10:51.000+02:00
diff --git a/contrib/platform/src/com/sun/jna/platform/win32/OaIdl.java b/contrib/platform/src/com/sun/jna/platform/win32/OaIdl.java
@@ -553,6 +553,16 @@ public static class SAFEARRAY extends Structure implements Closeable {
 
         public static class ByReference extends SAFEARRAY implements
                 Structure.ByReference {
+
+            public ByReference() {
+                super();
+            }
+
+            public ByReference(Pointer pointer) {
+                super(pointer);
+                this.read();
+            }
+
         }
 
         public USHORT cDims;
@@ -1316,12 +1326,44 @@ public FUNCDESC() {
         public FUNCDESC(Pointer pointer) {
             super(pointer);
             this.read();
+        }
+
+        @Override
+        public void read() {
+            // Read cParams first to know the correct array size for lprgelemdescParam
+            readField("cParams");
+            int paramCount = this.cParams.shortValue();
+
+            // Read most fields except lprgelemdescParam
+            for (String field : new String[]{"memid", "lprgscode", "funckind", "invkind",
+                    "callconv", "cParamsOpt", "oVft", "cScodes", "elemdescFunc", "wFuncFlags"}) {
+                readField(field);
+            }
 
-            if (this.cParams.shortValue() > 1) {
-                this.lprgelemdescParam.elemDescArg = new ELEMDESC[this.cParams
-                        .shortValue()];
-                this.lprgelemdescParam.read();
+            // Handle lprgelemdescParam specially based on paramCount
+            if (paramCount > 0) {
+                readField("lprgelemdescParam");
+                if (this.lprgelemdescParam != null) {
+                    this.lprgelemdescParam.elemDescArg = new ELEMDESC[paramCount];
+                    this.lprgelemdescParam.read();
+                }
             }
+            // When paramCount=0, don't read lprgelemdescParam to avoid reading garbage
+        }
+
+        @Override
+        public void write() {
+            // Write most fields except lprgelemdescParam
+            for (String field : new String[]{"memid", "lprgscode", "funckind", "invkind",
+                    "callconv", "cParams", "cParamsOpt", "oVft", "cScodes", "elemdescFunc", "wFuncFlags"}) {
+                writeField(field);
+            }
+
+            // Handle lprgelemdescParam specially based on cParams
+            if (this.cParams != null && this.cParams.shortValue() > 0) {
+                writeField("lprgelemdescParam");
+            }
+            // When cParams=0, don't write lprgelemdescParam
         }
     }
 
@@ -1398,14 +1440,10 @@ public static class ByReference extends _VARDESC implements
             public VARIANT.ByReference lpvarValue;
 
             public _VARDESC() {
-                setType("lpvarValue");
-                this.read();
             }
 
             public _VARDESC(Pointer pointer) {
                 super(pointer);
-                setType("lpvarValue");
-                this.read();
             }
 
             /**
@@ -1431,9 +1469,17 @@ public VARDESC() {
 
         public VARDESC(Pointer pointer) {
             super(pointer);
-            this._vardesc.setType("lpvarValue");
             this.read();
         }
+
+        @Override
+        public void read() {
+            readField("varkind");
+            if (_vardesc != null) {
+                _vardesc.setType(varkind.value == VARKIND.VAR_CONST ? "lpvarValue" : "oInst");
+            }
+            super.read();
+        }
     }
 
     @FieldOrder({"tdesc", "_elemdesc"})
@@ -1654,14 +1700,10 @@ public static class _TYPEDESC extends Union {
             public HREFTYPE hreftype;
 
             public _TYPEDESC() {
-                this.setType("hreftype");
-                this.read();
             }
 
             public _TYPEDESC(Pointer pointer) {
                 super(pointer);
-                this.setType("hreftype");
-                this.read();
             }
 
             public TYPEDESC.ByReference getLptdesc() {
@@ -1687,18 +1729,44 @@ public HREFTYPE getHreftype() {
         public VARTYPE vt;
 
         public TYPEDESC() {
-            this.read();
         }
 
         public TYPEDESC(Pointer pointer) {
             super(pointer);
-            this.read();
         }
 
         public TYPEDESC(_TYPEDESC _typedesc, VARTYPE vt) {
             this._typedesc = _typedesc;
             this.vt = vt;
         }
+
+        @Override
+        public void read() {
+            Pointer p = getPointer();
+            if (p == null) {
+                return;
+            }
+
+            // Read vt first to determine the correct union type
+            readField("vt");
+
+            // Set the union type based on vt discriminator
+            switch (vt.intValue()) {
+                case Variant.VT_PTR:
+                case Variant.VT_SAFEARRAY:
+                    _typedesc.setType("lptdesc");
+                    break;
+                case Variant.VT_CARRAY:
+                    _typedesc.setType("lpadesc");
+                    break;
+                case Variant.VT_USERDEFINED:
+                default:
+                    _typedesc.setType("hreftype");
+                    break;
+            }
+
+            super.read();
+        }
     }
 
     @FieldOrder({"dwReserved", "wIDLFlags"})
diff --git a/contrib/platform/test/com/sun/jna/platform/win32/COM/InvalidMemoryAccessBug.java b/contrib/platform/test/com/sun/jna/platform/win32/COM/InvalidMemoryAccessBug.java
@@ -0,0 +1,27 @@
+package com.sun.jna.platform.win32.COM;
+
+import com.sun.jna.platform.win32.OaIdl;
+
+/**
+ * Test for TYPEDESC and FUNCDESC union handling.
+ * This test iterates through functions in a Shell32 type library interface
+ * and verifies that JNA correctly reads the discriminated unions in TYPEDESC
+ * and handles the lprgelemdescParam array correctly when cParams=0.
+ */
+public class InvalidMemoryAccessBug {
+    public static void main(String[] args) {
+        TypeLibUtil libUtil = new TypeLibUtil("{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}", 1, 0); // C:\Windows\SysWOW64\shell32.dll
+        int typeIndex = 21;
+
+        ITypeInfo typeInfo = libUtil.getTypeInfo(typeIndex);
+        TypeInfoUtil util = new TypeInfoUtil(typeInfo);
+        OaIdl.TYPEATTR attr = util.getTypeAttr();
+
+        for (int i = 0; i < attr.cFuncs.intValue(); i++) {
+            OaIdl.FUNCDESC func = util.getFuncDesc(i);
+            TypeInfoUtil.TypeInfoDoc funcDoc = util.getDocumentation(func.memid);
+            System.out.println("Function " + i + ": " + funcDoc.getName() + " (cParams=" + func.cParams.shortValue() + ")");
+            util.ReleaseFuncDesc(func);
+        }
+    }
+}
diff --git a/contrib/platform/test/com/sun/jna/platform/win32/COM/OaIdlRandomErrors.java b/contrib/platform/test/com/sun/jna/platform/win32/COM/OaIdlRandomErrors.java
@@ -0,0 +1,70 @@
+package com.sun.jna.platform.win32.COM;
+
+import java.io.File;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.sun.jna.platform.win32.OaIdl.FUNCDESC;
+import com.sun.jna.platform.win32.OaIdl.TLIBATTR;
+import com.sun.jna.platform.win32.OaIdl.TYPEATTR;
+import com.sun.jna.platform.win32.OaIdl.VARDESC;
+
+public class OaIdlRandomErrors {
+    static Set<String> includedFilenames = new HashSet<>();
+
+    public static void main(String[] args) {
+        String[] filenames = {"accessibilitycpl.dll", "activeds.tlb", "adprovider.dll", "amcompat.tlb", "apds.dll", "AppIdPolicyEngineApi.dll", "atl.dll", "atl100.dll", "atl110.dll", "AuditPolicyGPInterop.dll", "azroles.dll", "bcdsrv.dll", "capiprovider.dll", "catsrvut.dll", "cdosys.dll", "certcli.dll", "certenc.dll", "CertEnroll.dll", "certmgr.dll", "cic.dll", "clbcatq.dll", "cngprovider.dll", "comrepl.dll", "comsnap.dll", "comsvcs.dll", "connect.dll", "correngine.dll", "cryptext.dll", "DefaultPrinterProvider.dll", "DevicePairing.dll", "DevicePairingProxy.dll", "DfsShlEx.dll", "DiagCpl.dll", "dmocx.dll", "DMRServer.dll", "dnshc.dll", "dot3dlg.dll", "dot3hc.dll", "dpapiprovider.dll", "dskquota.dll", "dtsh.dll", "dxtmsft.dll", "dxtrans.dll", "EditionUpgradeHelper.dll", "EditionUpgradeManagerObj.dll", "EhStorAPI.dll", "EhStorShell.dll", "es.dll", "eventcls.dll", "expsrv.dll", "findnetprinters.dll", "FirewallAPI.dll", "FirewallControlPanel.dll", "fphc.dll", "FXSCOM.dll", "FXSCOMEX.dll", "gpprefcl.dll", "Groupinghc.dll", "HelpPaneProxy.dll", "hnetcfg.dll", "iasads.dll", "iasdatastore.dll", "iashlpr.dll", "iasnap.dll", "iasrad.dll", "iassam.dll", "iassdo.dll", "iassvcs.dll", "icsvc.dll", "ieframe.dll", "iepeers.dll", "igdDiag.dll", "imapi2.dll", "imapi2fs.dll", "inetcomm.dll", "InkEd.dll", "InkObjCore.dll", "ipnathlp.dll", "JavaScriptCollectionAgent.dll", "jscript.dll", "L2SecHC.dll", "LocationApi.dll", "MbaeApi.dll", "mmcndmgr.dll", "msaatext.dll", "msdatsrc.tlb", "msdtcuiu.dll", "msdxm.tlb", "msfeeds.dll", "msftedit.dll", "mshtml.tlb", "mshtmled.dll", "msi.dll", "msjtes40.dll", "MsraLegacy.tlb", "MsRdpWebAccess.dll", "mssitlb.dll", "mssrch.dll", "mstscax.dll", "msvbvm60.dll", "MSVidCtl.dll", "mswmdm.dll", "msxml3.dll", "msxml4.dll", "msxml6.dll", "mycomput.dll", "NaturalLanguage6.dll", "ndfapi.dll", "ndishc.dll", "netcenter.dll", "netcorehc.dll", "netprofm.dll", "NetworkCollectionAgent.dll", "nlahc.dll", "odbcconf.dll", "officecsp.dll", "oleacc.dll", "oleprn.dll", "pla.dll", "PNPXAssoc.dll", "PNPXAssocPrx.dll", "Pnrphc.dll", "PortableDeviceApi.dll", "PortableDeviceClassExtension.dll", "PortableDeviceConnectApi.dll", "PortableDeviceTypes.dll", "PrintConfig.dll", "printui.dll", "prnntfy.dll", "provcore.dll", "psisdecd.dll", "pstorec.dll", "puiapi.dll", "puiobj.dll", "qedit.dll", "quartz.dll", "rasdiag.dll", "rasgcw.dll", "rdpcorets.dll", "rdpencom.dll", "RdpRelayTransport.dll", "rdpsharercom.dll", "rdpviewerax.dll", "RegCtrl.dll", "rendezvousSession.tlb", "riched20.dll", "RoamingSecurity.dll", "RotMgr.dll", "scripto.dll", "scrobj.dll", "scrrun.dll", "sdiageng.dll", "sdohlp.dll", "Sens.dll", "shdocvw.dll", "shell32.dll", "shgina.dll", "signdrv.dll", "simpdata.tlb", "SMBHelperClass.dll", "SmiEngine.dll", "sppcomapi.dll", "sppwmi.dll", "SRH.dll", "srm.dll", "stclient.dll", "stdole2.tlb", "stdole32.tlb", "swprv.dll", "SysFxUI.dll", "TabbtnEx.dll", "tapi3.dll", "taskschd.dll", "termmgr.dll", "TransportDSA.dll", "TSWorkspace.dll", "tvratings.dll", "ucmhc.dll", "UIAnimation.dll", "UIAutomationCore.dll", "uicom.dll", "upnp.dll", "usbmon.dll", "VAN.dll", "vbscript.dll", "WaaSMedicPS.dll", "wavemsp.dll", "WfHC.dll", "wiaaut.dll", "wiascanprofiles.dll", "win32spl.dll", "wincredprovider.dll", "windowslivelogin.dll", "winethc.dll", "winhttpcom.dll", "WinMsoIrmProtector.dll", "WinOpcIrmProtector.dll", "WinSATAPI.dll", "wisp.dll", "wkspbrokerAx.dll", "WLanConn.dll", "wlandlg.dll", "WLanHC.dll", "wlanpref.dll", "wlanui.dll", "wlidcli.dll", "wlidprov.dll", "wmdmlog.dll", "WMNetMgr.dll", "wmp.dll", "wmpdxm.dll", "wmpshell.dll", "WorkFoldersShell.dll", "workfolderssvc.dll", "WPDSp.dll", "wscapi.dll", "wshcon.dll", "wshext.dll", "WsmAuto.dll", "wuapi.dll", "wvc.dll", "WWanAPI.dll", "WWanHC.dll", "xwizards.dll", "xwreg.dll", "xwtpdui.dll", "xwtpw32.dll"};
+        includedFilenames.addAll(Arrays.asList(filenames));
+        processDir(new File("C:\\Windows\\System32"));
+        processDir(new File("C:\\Windows\\SysWOW64"));
+        System.out.println("Finished.");
+    }
+
+    protected static void processDir(File dir) {
+        for (File file : dir.listFiles()) {
+            if (includedFilenames.contains(file.getName())) {
+                processFile(file);
+            }
+        }
+    }
+
+    protected static void processFile(File file) {
+        try {
+            System.out.println(file);
+            TypeLibUtil libUtil = new TypeLibUtil(file.toString());
+
+            // Lib attributes
+            TLIBATTR libAttr = libUtil.getLibAttr();
+            libUtil.ReleaseTLibAttr(libAttr);
+
+            // Types
+            int count = libUtil.getTypeInfoCount();
+            System.out.println("Type count: " + count);
+            for (int i = 0; i < count; i++) {
+                TypeInfoUtil typeUtil = libUtil.getTypeInfoUtil(i);
+
+                // Type attributes
+                TYPEATTR typeAttr = typeUtil.getTypeAttr();
+                typeUtil.ReleaseTypeAttr(typeAttr);
+
+                // Functions
+                for (int j = 0; j < typeAttr.cFuncs.intValue(); j++) {
+                    FUNCDESC funcDesc = typeUtil.getFuncDesc(j);
+                    typeUtil.ReleaseFuncDesc(funcDesc);
+                }
+
+                // Variables
+                for (int j = 0; j < typeAttr.cVars.intValue(); j++) {
+                    VARDESC varDesc = typeUtil.getVarDesc(j);
+                    typeUtil.ReleaseVarDesc(varDesc);
+                }
+            }
+
+            libUtil.getTypelib().Release();
+
+        } catch (Throwable e) {
+            e.printStackTrace(System.out);
+        }
+    }
+}
diff --git a/contrib/platform/test/com/sun/jna/platform/win32/COM/VarDescBug.java b/contrib/platform/test/com/sun/jna/platform/win32/COM/VarDescBug.java
@@ -0,0 +1,23 @@
+package com.sun.jna.platform.win32.COM;
+
+import com.sun.jna.platform.win32.OaIdl;
+
+public class VarDescBug {
+
+    public static void main(String[] args){
+        TypeLibUtil libUtil = new TypeLibUtil("C:\\Windows\\System32\\stdole2.tlb");
+        int count = libUtil.getTypeInfoCount();
+        for (int i = 0; i < count; i++) {
+            TypeInfoUtil infoUtil = new TypeInfoUtil(libUtil.getTypeInfo(i));
+            OaIdl.TYPEATTR attr = infoUtil.getTypeAttr();
+            for (int j = 0; j < attr.cVars.intValue(); j++) {
+                try {
+                    infoUtil.getVarDesc(j);
+                } catch (Exception e) {
+                    System.out.println("ERROR:" + e);
+                }
+            }
+        }
+    }
+
+}
