Stack corruption detected around TEXTMETRIC structure


Postby OT » Tue Jul 18, 2006 11:58 am

I get a stack-corruption message from the VC 2005 runtime checks in the following code:

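/*
 * Handle WM_MEASUREITEM for the owner-drawn list box: report one item's
 * height as the text height of hLBFont plus a little vertical padding.
 *
 * hWnd   window whose DC is borrowed for the measurement
 * lpMis  measure-item data passed with the message; itemHeight is filled in
 *
 * Returns TRUE when itemHeight was set, FALSE when no DC or no text metrics
 * could be obtained (lpMis is then left untouched).
 *
 * Layout caveat: GetTextMetrics fills a TEXTMETRIC of the size the GDI
 * headers define under default struct packing.  If this translation unit is
 * compiled with 1-byte packing (/Zp1), the UNICODE TEXTMETRICW local is
 * 57 bytes instead of 60, GDI still writes 60, and the call overruns tm --
 * which is exactly the "Stack around the variable 'tm' was corrupted"
 * report.  Keep <windows.h> included under default alignment; the
 * zero-initializer below does not protect against this.
 */
static BOOL Handle_WM_MEASUREITEM (HWND hWnd, LPMEASUREITEMSTRUCT lpMis)
{
  enum { ITEM_PADDING = 2 };   /* extra pixels above/below the glyphs */
  TEXTMETRIC tm = {0};
  BOOL ok = FALSE;
  HDC hDC;
  HFONT hOldFont;

  hDC = GetDC(hWnd);
  if (hDC == NULL)
    return FALSE;              /* nothing to measure with */

  hOldFont = (HFONT)SelectObject(hDC, hLBFont);
  if (GetTextMetrics(hDC, &tm)) {
    lpMis->itemHeight = tm.tmHeight + ITEM_PADDING;
    ok = TRUE;
  }
  /* restore the DC's original font before handing it back to the cache */
  SelectObject(hDC, hOldFont);
  ReleaseDC(hWnd, hDC);
  return ok;
}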

0:000> kL 100
ChildEBP RetAddr 
0012c028 01626814 ntdll!DbgBreakPoint
0012ce78 016269dc Vcps!failwithmessage+0x224
0012d2a0 01625e85 Vcps!_RTC_StackFailure+0x10c
0012d2c0 0162175f Vcps!_RTC_CheckStackVars+0x45
0012d324 01621680 Vcps!Handle_WM_MEASUREITEM+0xaf
0012d338 0162335e Vcps!PSLBProcessCommands+0x40
0012d480 77d48734 Vcps!PSWndProc+0xbfe
0012d4ac 77d48816 user32!InternalCallWinProc+0x28
0012d514 77d4b89b user32!UserCallWinProcCheckWow+0x150
0012d550 77d4b903 user32!SendMessageWorker+0x4a5
0012d570 77d620c0 user32!SendMessageW+0x7f
0012d5ac 77d6600a user32!xxxLBCreate+0x286
0012d630 77d4fd29 user32!ListBoxWndProcWorker+0x23b
0012d660 7c90eae3 user32!__fnINLPCREATESTRUCT+0x8b
0012d6cc 77d5013e ntdll!KiUserCallbackDispatcher+0x13
0012db70 77d501f7 user32!NtUserCreateWindowEx+0xc
0012dc1c 77d4ff83 user32!_CreateWindowEx+0x1ed
0012dc58 016215be user32!CreateWindowExW+0x33
0012dc94 016228df Vcps!CreatePSLB+0x3e
0012ddd8 77d48734 Vcps!PSWndProc+0x17f
0012de04 77d48816 user32!InternalCallWinProc+0x28
0012de6c 77d4b4c0 user32!UserCallWinProcCheckWow+0x150
0012dec0 77d4fd29 user32!DispatchClientMessage+0xa3
0012def0 7c90eae3 user32!__fnINLPCREATESTRUCT+0x8b
0012df5c 77d5013e ntdll!KiUserCallbackDispatcher+0x13
0012e400 77d501f7 user32!NtUserCreateWindowEx+0xc
0012e4ac 77d4ff83 user32!_CreateWindowEx+0x1ed
0012e4e8 01622705 user32!CreateWindowExW+0x33
0012e558 0040fbd0 Vcps!CreatePS+0xf5
0012f1f0 77d48734 opentask!MainWndProc+0xd10
0012f21c 77d48816 user32!InternalCallWinProc+0x28
0012f284 77d4b4c0 user32!UserCallWinProcCheckWow+0x150
0012f2d8 77d4fd29 user32!DispatchClientMessage+0xa3
0012f308 7c90eae3 user32!__fnINLPCREATESTRUCT+0x8b
0012f38c 77d5013e ntdll!KiUserCallbackDispatcher+0x13
0012f830 77d501f7 user32!NtUserCreateWindowEx+0xc
0012f8dc 77d4ff83 user32!_CreateWindowEx+0x1ed
0012f918 0040e369 user32!CreateWindowExW+0x33
0012ff0c 00422176 opentask!WinMain+0x729
0012ffb8 00421eed opentask!__tmainCRTStartup+0x286
0012ffc0 7c816d4f opentask!WinMainCRTStartup+0xd
0012fff0 00000000 kernel32!BaseProcessStart+0x23


I don't understand why it happens here; I don't see any buffer overrun in this code.
OT
 

Postby OT » Tue Jul 18, 2006 12:04 pm

The disassembler shows the following output:
0:000> u Vcps!Handle_WM_MEASUREITEM Vcps!Handle_WM_MEASUREITEM+0xaf
Vcps!Handle_WM_MEASUREITEM:
016216b0 55               push    ebp
016216b1 8bec             mov     ebp,esp
016216b3 83ec4c           sub     esp,0x4c
016216b6 56               push    esi
016216b7 57               push    edi
016216b8 8d7db4           lea     edi,[ebp-0x4c]
016216bb b913000000       mov     ecx,0x13
016216c0 b8cccccccc       mov     eax,0xcccccccc
016216c5 f3ab             rep     stosd
016216c7 8bf4             mov     esi,esp
016216c9 8b4508           mov     eax,[ebp+0x8]
016216cc 50               push    eax
016216cd ff15fc816201     call    dword ptr [Vcps!_imp__GetDC (016281fc)]
016216d3 3bf4             cmp     esi,esp
016216d5 e836470000       call    Vcps!_RTC_CheckEsp (01625e10)
016216da 8945b8           mov     [ebp-0x48],eax
016216dd 8bf4             mov     esi,esp
016216df 8b0deca06201     mov     ecx,[Vcps!hLBFont (0162a0ec)]
016216e5 51               push    ecx
016216e6 8b55b8           mov     edx,[ebp-0x48]
016216e9 52               push    edx
016216ea ff1544806201     call dword ptr [Vcps!_imp__SelectObject (01628044)]
016216f0 3bf4             cmp     esi,esp
016216f2 e819470000       call    Vcps!_RTC_CheckEsp (01625e10)
016216f7 8945b4           mov     [ebp-0x4c],eax
016216fa 8bf4             mov     esi,esp
016216fc 8d45c0           lea     eax,[ebp-0x40]
016216ff 50               push    eax
01621700 8b4db8           mov     ecx,[ebp-0x48]
01621703 51               push    ecx
01621704 ff1550806201  call dword ptr [Vcps!_imp__GetTextMetricsW (01628050)]
0162170a 3bf4             cmp     esi,esp
0162170c e8ff460000       call    Vcps!_RTC_CheckEsp (01625e10)
01621711 8b55c0           mov     edx,[ebp-0x40]
01621714 83c202           add     edx,0x2
01621717 8b450c           mov     eax,[ebp+0xc]
0162171a 895010           mov     [eax+0x10],edx
0162171d 8bf4             mov     esi,esp
0162171f 8b4db4           mov     ecx,[ebp-0x4c]
01621722 51               push    ecx
01621723 8b55b8           mov     edx,[ebp-0x48]
01621726 52               push    edx
01621727 ff1544806201     call dword ptr [Vcps!_imp__SelectObject (01628044)]
0162172d 3bf4             cmp     esi,esp
0162172f e8dc460000       call    Vcps!_RTC_CheckEsp (01625e10)
01621734 8bf4             mov     esi,esp
01621736 8b45b8           mov     eax,[ebp-0x48]
01621739 50               push    eax
0162173a 8b4d08           mov     ecx,[ebp+0x8]
0162173d 51               push    ecx
0162173e ff1500826201     call    dword ptr [Vcps!_imp__ReleaseDC (01628200)]
01621744 3bf4             cmp     esi,esp
01621746 e8c5460000       call    Vcps!_RTC_CheckEsp (01625e10)
0162174b b801000000       mov     eax,0x1
01621750 52               push    edx
01621751 8bcd             mov     ecx,ebp
01621753 50               push    eax
01621754 8d1574176201    lea edx,[Vcps!Handle_WM_MEASUREITEM+0xc4 (01621774)]
0162175a e8e1460000       call    Vcps!_RTC_CheckStackVars (01625e40)
OT
 

Postby OT » Tue Jul 18, 2006 12:15 pm

I tried the following change:

  TEXTMETRIC tm = {0};


and got the following change in the generated code (a memset of the local):

016216b0 55               push    ebp
016216b1 8bec             mov     ebp,esp
016216b3 83ec4c           sub     esp,0x4c
016216b6 56               push    esi
016216b7 57               push    edi
016216b8 8d7db4           lea     edi,[ebp-0x4c]
016216bb b913000000       mov     ecx,0x13
016216c0 b8cccccccc       mov     eax,0xcccccccc
016216c5 f3ab             rep     stosd
016216c7 c745c000000000   mov     dword ptr [ebp-0x40],0x0
016216ce 6a35             push    0x35
016216d0 6a00             push    0x0
016216d2 8d45c4           lea     eax,[ebp-0x3c]
016216d5 50               push    eax
016216d6 e82f490000       call    Vcps!memset (0162600a)
016216db 83c40c           add     esp,0xc
016216de 8bf4             mov     esi,esp
016216e0 8b4d08           mov     ecx,[ebp+0x8]
016216e3 51               push    ecx
016216e4 ff15fc816201     call    dword ptr [Vcps!_imp__GetDC (016281fc)]


and still get the message:

0:000> du 0012c04c
0012c04c  "Stack around the variable 'tm' w"
0012c08c  "as corrupted."
OT
 

Postby VDO » Tue Jul 18, 2006 12:25 pm

Did you try to eliminate lines one by one in your code to see which statement causes this message?
VDO

Postby OT » Tue Jul 18, 2006 12:37 pm

It's GetTextMetrics...
OT
 

Postby VDO » Tue Jul 18, 2006 12:42 pm

What is the struct alignment (packing) setting for your project? I had a similar problem before, and after restoring the default struct alignment it disappeared.
VDO

Postby OT » Tue Jul 18, 2006 1:23 pm

It was 1 byte!!! I changed it to the default, rebuilt the project and don't get this message anymore. Thanks! (That explains it: with 1-byte packing the TEXTMETRICW local is only 57 bytes — the 4 + 0x35 bytes the memset above initializes — while GDI fills the 60-byte default-aligned layout, so GetTextMetricsW wrote 3 bytes past the end of tm.)
OT
 

