HEAP_CORRUPTION help

[ToutEnMasm]

Hello,
I have a problem with a HEAP_CORRUPTION. If someone have one idea on how to solve it it would be of great help.
This made various defaut beeing located anywhere.

Following is a report from windbg.
                 ToutEnMasm
                             
                                         

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for minus.exe

FAULTING_IP:
ntdll!RtlpFindAndCommitPages+116
7c92888f 66833f00        cmp     word ptr [edi],0

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 7c92888f (ntdll!RtlpFindAndCommitPages+0x00000116)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 001f21c8
Attempt to read from address 001f21c8

FAULTING_THREAD:  00000de8

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION

PROCESS_NAME:  minus.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - L'instruction   "0x%08lx" emploie l'adresse m moire "0x%08lx". La m moire ne peut pas  tre "%s".

READ_ADDRESS:  001f21c8

BUGCHECK_STR:  ACCESS_VIOLATION

LAST_CONTROL_TRANSFER:  from 7c928238 to 7c92888f

STACK_TEXT: 
0012d3b4 7c928238 00140000 0019f000 0012d3e0 ntdll!RtlpFindAndCommitPages+0x116
0012d3ec 7c921c76 00140000 0000c0f8 00140000 ntdll!RtlpExtendHeap+0xa6
0012d61c 7c927c58 00140000 00000001 0000c0ea ntdll!RtlAllocateHeap+0x623
0012d800 7c8309a8 00140000 00000001 001b3fd8 ntdll!RtlReAllocateHeap+0xbd9
0012d854 74df89bb 001b3fd8 0000c0ea 00000002 kernel32!LocalReAlloc+0x1b6
0012d868 74db41b3 001b3fd8 0000c0ea 0018ce00 RICHED20!CW32System__PvReAlloc+0x19
0012d884 74de8d00 0000c0ea 00000000 0012deb8 RICHED20!CTxtBlk__ResizeBlock+0x57
0012d8a8 74de9594 00000000 0018ea70 00000000 RICHED20!CTxtPtr__InsertRange+0x96
0012d8c8 74ddb0fe 00000000 00000021 0018ea70 RICHED20!CTxtPtr__ReplaceRange+0x10f
0012d950 74dd5573 00000021 00000021 0018ea70 RICHED20!CRchTxtPtr__ReplaceRange+0x39c
0012d9b4 74ddcac4 00000021 0018ea70 00000000 RICHED20!CTxtRange__ReplaceRange+0x127
0012d9ec 74ddd13c 0018ea70 00000021 00000001 RICHED20!CRTFRead__AddText+0x1e9
0012da7c 74dde7fb 001643d0 00000001 ffffffff RICHED20!CRTFRead__HandleText+0x37f
0012dab4 74ddf13d 001519d4 0012deac 00000000 RICHED20!CRTFRead__HandleToken+0x1375
0012daec 74dcb5b0 0012deac 001519a0 00000449 RICHED20!CRTFRead__ReadRtf+0x164
0012dd90 74deca2f 0012deac 00000002 0012eff0 RICHED20!CLightDTEngine__LoadFromEs+0x1e9
0012df18 74dc1627 00000449 00000002 0012eff0 RICHED20!CTxtEdit__TxSendMessage+0x11c9
0012e808 74dfb480 00030580 00000449 00000002 RICHED20!RichEditWndProc+0xa62
0012ec70 74dc0bac 00030580 00000449 00000002 RICHED20!CW32System__ANSIWndProc+0x2a4
0012ec8c 77d18734 00030580 00000449 00000002 RICHED20!RichEditANSIWndProc+0x25
0012ecb8 77d18816 74dc0b87 00030580 00000449 user32!InternalCallWinProc+0x28
0012ed20 77d1c63f 00000000 74dc0b87 00030580 user32!UserCallWinProcCheckWow+0x150
0012ed50 77d1e905 74dc0b87 00030580 00000449 user32!CallWindowProcAorW+0x98
0012ed70 00409d80 74dc0b87 00030580 00000449 user32!CallWindowProcA+0x1b
0012edbc 77d18734 00030580 00000449 00000002 minus!EventRichEdit+0x417 [minus.asm @ 54]
0012ede8 77d18816 00401460 00030580 00000449 user32!InternalCallWinProc+0x28
0012ee50 77d1b89b 00000000 00401460 00030580 user32!UserCallWinProcCheckWow+0x150
0012ee8c 77d2f3e3 005fa930 005f1440 00000002 user32!SendMessageWorker+0x4a5
0012eeac 0040789f 00030580 00000449 00000002 user32!SendMessageA+0x7f
0012effc 0040e7f3 00020548 00000001 00000000 minus!ERROuvreChargeTab+0x149 [minus.asm @ 54]
0012f898 0040e225 00020548 0042f51c 00000000 minus!Infochemin+0x3e7 [Fichiers.inc @ 2179]
0012f8b4 0040666b 00020548 0012fe94 00401226 minus!zzzzRecemmentOuvert+0x3b [Fichiers.inc @ 1897]
0012fe2c 77d18734 00020548 00000111 00000435 minus!ToolText+0x1772 [commande.inc @ 430]
0012fe58 77d18816 00401226 00020548 00000111 user32!InternalCallWinProc+0x28
0012fec0 77d189cd 00000000 00401226 00020548 user32!UserCallWinProcCheckWow+0x150
0012ff20 77d196c7 0012ff3c 00000001 0012ff58 user32!DispatchMessageWorker+0x306
0012ff30 0040455d 0012ff3c 00020548 00000111 user32!DispatchMessageA+0xf
0012ff58 00401fd1 00000000 7ffd8000 00011970 minus!BoucleAttente+0x30 [Winmain.inc @ 1944]
0012ffbc 00401bd2 7c816fd7 00011970 7c9218f1 minus!fille2+0x18f [Winmain.inc @ 251]
0012fff0 00000000 00401087 00000000 78746341 minus!start+0x166 [Winmain.inc @ 55]


ADDITIONAL_DEBUG_TEXT:  Enable Pageheap/AutoVerifer

FOLLOWUP_IP:
RICHED20!CW32System__PvReAlloc+19
74df89bb eb0b            jmp     RICHED20!CW32System__PvReAlloc+0x26 (74df89c8)

SYMBOL_STACK_INDEX:  5

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RICHED20

IMAGE_NAME:  RICHED20.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  41253303

SYMBOL_NAME:  RICHED20!CW32System__PvReAlloc+19

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  ACCESS_VIOLATION_RICHED20!CW32System__PvReAlloc+19

BUCKET_ID:  ACCESS_VIOLATION_RICHED20!CW32System__PvReAlloc+19

Followup: MachineOwner
---------

[stanhebben]

You're sure you never wrote outside of allocated space?

If you still don't find the reason, post the code if it's not too large. If the program is large, it can be a pain to track down these kind of errors.

[ToutEnMasm]

Hello,
The code is too large to be posted .I was asking if there was tricks or special code to avoid this.
It seems i have made to much modifies at the same time. go back on this  is the only soluce i have found.
How to find this kind of problems is a real work.
                                     ToutEnMasm

                                                   

[stanhebben]

I don't know of a way to avoid this.

I'd suggest you take a look at functions that manipulate arrays first, and check if they don't go past the end (which corrupts the heap).

[ToutEnMasm]

Ok,
I have write a simple test to do this.

Code Select Expand


Corrupted proc uses edi

LOCAL HEAP_CORRUPTION:SDWORD
LOCAL array[5]:BYTE
mov HEAP_CORRUPTION,-1
lea edi,array
mov eax,1
;a push decrease the adress value of esp
;normal writing in memory increase the adress value
;HEAP_CORRUPTION must be place before the array to test
stosd
stosd
.if HEAP_CORRUPTION != -1
invoke MessageBox,NULL,SADR("HEAP_CORRUPTED"),SADR("Corrupted"),MB_OK
.endif
ret
Corrupted endp


[PBrennick]

ToutenMasm,
Of course, if you write 8 bytes to a 5 byte array, you are going to have serious problems. S-o-o-o, what is the point of your test. I did not even have to run it to see that it would fail.

Paul

[zooba]

Make sure that EM_STREAMIN is the right message you want to send and if so, make sure that you properly allocate and pass an EDITSTREAM structure and implement your EditStreamCallback function properly.

Cheers,

Zooba :U

[ToutEnMasm]

Hello,

I did not even have to run it to see that it would fail.

The test don't failed (surely the code is wrong),run it and and you will see it run except when you write 0FFh in memory.
The goal of the test is to detect this sort of problems.The sample given is only here to see how things works.

For the messages with the richedit,all was OK until i have a HEAP_CORRUPT somewhere in the code.
The more ennoying is that i haven't modifie this part of the code.
                                             ToutEnMasm

                                 

[zooba]

I did not even have to run it to see that it would fail.

The test don't failed (surely the code is wrong),run it and and you will see it run except when you write 0FFh in memory.
The goal of the test is to detect this sort of problems.The sample given is only here to see how things works.

I think Paul was assuming that 'fail' is when the message box appears, which is a fair assumption since corruption is almost always a bad thing. Windows includes some detection for heap errors which can be detected when running under a debugger or when intercepting debug text (I believe Sysinternals has a tool for this).

For the messages with the richedit,all was OK until i have a HEAP_CORRUPT somewhere in the code.
The more ennoying is that i haven't modifie this part of the code.

The pointer to your EDITSTREAM structure is incorrect in the stack dump you gave - 00000002h is not a valid address for any sort of memory Windows will let you use. The 'HEAP_CORRUPT' is actually an access violation (exception C0000005h), probably due to a bad parameter somewhere. Are you able to post the code relevant to sending the message (ERROuvreChargeTab procedure I think).

Cheers,

Zooba :U

[ToutEnMasm]

Ok,
I have put my Heap_corrupt  detector in practice and i can show you where the defaut occure

This code look at text as :
FDIVR-m(32,64)fp Divide m(32 ou 64)fp by ST(0) and store result in ST(0)
Another text is a line of code
1) search if the line of code have the instruction
2) search after the instruction if there is arguments and how many

Code Select Expand


;################################################################
Cherche_InstructionIx86 PROC uses esi edi ebx  pphrase:DWORD
;Local   :DWORD
LOCAL compteur:DWORD,NumLigne,longligne,LongInstruction,cas,gardep
    LOCAL CORRUPT1:SDWORD
LOCAL refinstruction[20]:BYTE ;11 pour la plus grande
    LOCAL CORRUPT2:SDWORD
Local    instruction[Max_Pos_curs+1]:BYTE ;position curseur 30 max
Local  retour:DWORD
ZEROLOCALES retour

INIT_CORRUPTION CORRUPT1,CORRUPT2

;copier le premier mot
mov esi,pphrase
lea edi,instruction
mov ecx,0 ;compter la longueur du mot
@@:
;passer espaces tab de début
mov al,[esi]
.if al == " " || al == 9
inc esi
jmp @B
.endif
@@:
.if al == " " || al == 9 || al == 0 || al == 13 || al == 10
jmp @F
.else
stosb
inc ecx
inc esi
mov al,[esi]
jmp @B
.endif
@@:
cld
mov al,0
stosb
mov LongInstruction,ecx
mov gardep,esi
mov Instructions_X86.Tache,3 ;init fait par dll ,(invoke Ressource)
PuPo compteur,Instructions_X86.NBlignesODOA
.while (compteur)
mov edi,gardep
inc NumLigne
PuPo Instructions_X86.NumeroLigne,NumLigne
invoke ScrutationFichierTexte,addr Instructions_X86
mov longligne,ecx
;gagner du temps dans la scrutatation
call recopieRefInstruction
.if ecx != LongInstruction
jmp nouvelleligne
.endif
invoke chercherChaine,1,addr refinstruction,addr instruction,1 ;mode texte
.if eax == 1
;voir si definition complexe FPU
.if byte ptr [instruction] == "f" || byte ptr [instruction] == "F"
;verify what is write after the instructions
;FDIVR-m(32,64)fp Divide m(32 ou 64)fp by ST(0) and store result in ST(0)
;esi pointer on define instruction
;edi follow the text
;passer espaces tab dans code
@@:
.if byte ptr [edi] == " " || byte ptr [edi] == 9
inc edi
jmp @B
.endif
mov cas,0
mov al,[edi]
;4 cas,fin d'instruction,ST,mémoire
.if al == 0 || al == 13 || al == ";"
mov cas,0
.elseif al == "s" || al == "S"
inc edi
mov al,[edi]
.if  al == "t" || al == "T"
;st non coupé,espaces et tab autorisés
@@:
inc edi
mov al,[edi]
.if al == " " || al == 9
jmp @B
.endif
.if al == "("
@@:
inc edi
mov al,[edi]
.if al == " " || al == 9
jmp @B
.endif
.if al == "0"
mov cas,1 ;st(0)
.else
mov cas,2 ;st(N)
.endif
.endif

.endif
.if cas == 0
mov cas,3 ;case mémoire
.endif
.else
mov cas,3 ;case mémoire
.endif
;suivant maintenant ce que pointe esi
;espaces et tab non autorisés dans références instructions
mov al,[esi]
.if al == " " || al == 9
;le seul cas valide est cas 0,simple instruction
.if cas != 0
jmp nouvelleligne
.endif
.elseif al == "-"
mov al,[esi+1]
.if al == "m"
.if cas != 3
jmp nouvelleligne
.endif
jmp avanceesi
.endif
mov al,[esi+4]
.if al == "0"
.if cas != 1
jmp nouvelleligne
.endif
.elseif
.if cas != 2
jmp nouvelleligne
.endif
.endif
avanceesi:
@@:
mov al,[esi]
.if al != " " && al != 9 && al != 0 && al != 13
inc esi
jmp @B
.endif

.endif
.endif
mov retour,esi
.break
.endif
nouvelleligne:
dec compteur
.endw


FindeCherche_InstructionIx86:
VERIFY_CORRUPTION "InstructionIx86",CORRUPT1,CORRUPT2
         mov eax,retour
         ret
recopieRefInstruction:
push edi
mov ecx,0
cld
lea edi,refinstruction
@@:
mov al,[esi]
.if al == " " || al == 9 || al == "-" || al == 0
jmp @F
.else
inc ecx
inc esi
stosb
jmp @B
.endif
@@:
mov al,0
stosb
pop edi
retn
Cherche_InstructionIx86 endp


The two victorious MACRO (Multiple test points are possible)

   INIT_CORRUPTION MACRO parmlist:VARARG
           FOR parm, <parmlist>
               mov parm,-1
           ENDM   
   ENDM
   VERIFY_CORRUPTION MACRO titre:REQ,parmlist:VARARG
      mov eax,-1
           FOR parm, <parmlist>
               and eax,parm
           ENDM         
      .if eax != -1
         invoke MessageBox,NULL,SADR(titre),addr szCorruption_Heap,MB_OK      
      .endif
      ;szCorruption_Heap db "Corruption Heap",0
   ENDM

[PBrennick]

ToutenMasm,
I think you need to not assume that you have a corrupted heap as zooba has already told you. I think you are having too much fun here to listen to anybody. So do what you will, your code still needs to be fixed and time could be better spent.

Paul

[ToutEnMasm]

Thanks at all