UNINITs in USP10.dll that likely all need per-bit granularity #493

Open
derekbruening opened this issue Nov 28, 2014 · 5 comments

Comments

@derekbruening
Contributor

From bruen...@google.com on July 14, 2011 22:08:40

Xref issue #492: I see 5 other callstacks, and while I have not analyzed them to prove it, I suspect that they all (with perhaps the exception of USP10.dll!CUspShapingDrawingSurface::GenericGlyphOut, which needs analysis), like issue #492, are false positives coming from unusual bit manipulations.

*** TODO UNINIT in USP10.dll!CStackAllocator::Free

in calc:
Error #2: UNINITIALIZED READ: reading register cl
@0:03:21.153 in thread 2940
0x770b7448 <USP10.dll+0x17448> USP10.dll!CStackAllocator::Free
0x770d0891 <USP10.dll+0x30891> USP10.dll!CUspShapingCacheWriter::SubmitCacheSlot
0x770d5244 <USP10.dll+0x35244> USP10.dll!ShapingCreateFontCacheData
0x770ada3b <USP10.dll+0xda3b> USP10.dll!ShlLoadFont
0x770adf74 <USP10.dll+0xdf74> USP10.dll!LoadFont
0x770a9b07 <USP10.dll+0x9b07> USP10.dll!FindOrCreateFaceCache
0x75256bc8 f6 c1 01 test %cl $0x01

Hit on gui-inject also, though w/ a different callstack:
Error #1: UNINITIALIZED READ: reading register cl
@0:00:01.867 in thread 1984
0x75256bc8 <USP10.dll+0x16bc8> USP10.dll!CStackAllocator::Free
0x75285e0d <USP10.dll+0x45e0d> USP10.dll!GenericEngineGetBreakingProperties
0x752752b9 <USP10.dll+0x352b9> USP10.dll!ShapingGetBreakingProperties
0x75272630 <USP10.dll+0x32630> USP10.dll!ShlBreak
0x75256bc8 f6 c1 01 test %cl $0x01
0:000> dt shadow_registers_t 7efdd000+ec4
+0x000 eax : 0 ''
+0x001 ecx : 0xff ''
+0x002 edx : 0 ''
+0x003 ebx : 0 ''
+0x004 esp : 0 ''
+0x005 ebp : 0 ''
+0x006 esi : 0 ''
+0x007 edi : 0 ''
+0x008 eflags : 0 ''
USP10!CStackAllocator::Free+0x13:
75256bc3 8d41f4 lea eax,[ecx-0xc]
75256bc6 8b08 mov ecx,[eax]
75256bc8 f6c101 test cl,0x1

eax = 0x22a4804
0:000> dyb @@(((char *)shadow_table[0x022a]) + (0x022a4804/4)) L8
76543210 76543210 76543210 76543210
-------- -------- -------- --------
2721d4a9 11111111 00000000 00000000 00000011 ff 00 00 03
2721d4ad 00000011 00000011 00000011 00000011 03 03 03 03

no syms:
0x75256bc8 <USP10.dll+0x16bc8> USP10.dll!UspFreeMem
0x75285e0d <USP10.dll+0x45e0d> USP10.dll!ScriptPositionSingleGlyph
0x752752b9 <USP10.dll+0x352b9> USP10.dll!ScriptPositionSingleGlyph

*** TODO UNINIT in USP10.dll!GenericEngineGetBreakingProperties

Error #1: UNINITIALIZED READ: reading register bl
@0:00:01.867 in thread 2200
0x75285d60 <USP10.dll+0x45d60> USP10.dll!GenericEngineGetBreakingProperties
0x752752b9 <USP10.dll+0x352b9> USP10.dll!ShapingGetBreakingProperties
0x75272630 <USP10.dll+0x32630> USP10.dll!ShlBreak
0x75246937 <USP10.dll+0x6937> USP10.dll!ScriptBreak
0x752542c4 <USP10.dll+0x142c4> USP10.dll!ScriptStringAnalyzeBreaks
0x76265465 <LPK.dll+0x5465> LPK.dll!LpkStringAnalyse
0x76264dba <LPK.dll+0x4dba> LPK.dll!LpkGetNextWord
0x76261425 <LPK.dll+0x1425> LPK.dll!LpkDrawTextEx
0x76d142c8 <USER32.dll+0x242c8> USER32.dll!GetNextWordbreak
0x76d12423 <USER32.dll+0x22423> USER32.dll!DT_GetLineBreak
0x76d1237a <USER32.dll+0x2237a> USER32.dll!DrawTextExWorker
0x76d114bc <USER32.dll+0x214bc> USER32.dll!DrawTextExW

75285ccd 57 push edi
75285cce 8b7df4 mov edi,[ebp-0xc]
75285cd1 57 push edi
75285cd2 56 push esi
75285cd3 53 push ebx
75285cd4 e807210000 call USP10!GetCharClassification (75287de0)

75285cd9 8bf0 mov esi,eax
75285cdb 85f6 test esi,esi
75285cdd 741a jz USP10!GenericEngineGetBreakingProperties+0x89 (75285cf9)

75285cf9 33f6 xor esi,esi
75285cfb 397510 cmp [ebp+0x10],esi
75285cfe 0f8efa000000 jle USP10!GenericEngineGetBreakingProperties+0x18e (75285dfe)

75285d04 8b4df4 mov ecx,[ebp-0xc]
75285d07 8b04b1 mov eax,[ecx+esi*4]
75285d0a 8bd8 mov ebx,eax
75285d0c 33ff xor edi,edi
75285d0e c1eb04 shr ebx,0x4
75285d11 85f6 test esi,esi
75285d13 7e49 jle USP10!GenericEngineGetBreakingProperties+0xee (75285d5e)

75285d5e 33c0 xor eax,eax
75285d60 f6c310 test bl,0x10
75285d63 7420 jz USP10!GenericEngineGetBreakingProperties+0x115 (75285d85)

ecx = 0x2484810
0:000> dyb @@(((char *)shadow_table[0x0248]) + (0x02484810/4)) L8
76543210 76543210 76543210 76543210
-------- -------- -------- --------
1d1ed4ac 00000011 00000011 00000011 00000011 03 03 03 03
1d1ed4b0 00000011 11111111 11111111 11111111 03 ff ff ff

The shr by 4 isn't enough to push out the whole bottom uninit byte, but I
wonder if this is another one that needs per-bit.
Will take some analysis; not doing it now.

no symbols:
Error #1: UNINITIALIZED READ: reading register bl
0x75285d60 <USP10.dll+0x45d60> USP10.dll!ScriptPositionSingleGlyph
0x752752b9 <USP10.dll+0x352b9> USP10.dll!ScriptPositionSingleGlyph
0x75272630 <USP10.dll+0x32630> USP10.dll!ScriptPositionSingleGlyph

*** TODO more UNINITs in USP10.dll

Error #2: UNINITIALIZED READ: reading register al
@0:00:04.073 in thread 4180
0x752860ea <USP10.dll+0x460ea> USP10.dll!GenericEngineGetGlyphs
0x7527512a <USP10.dll+0x3512a> USP10.dll!ShapingGetGlyphs
0x7527221f <USP10.dll+0x3221f> USP10.dll!ShlShape
0x75245c6f <USP10.dll+0x5c6f> USP10.dll!ScriptShape
0x752518af <USP10.dll+0x118af> USP10.dll!RenderItemNoFallback
0x75252ab4 <USP10.dll+0x12ab4> USP10.dll!RenderItemWithFallback
0x75252d42 <USP10.dll+0x12d42> USP10.dll!RenderItem
0x752540f9 <USP10.dll+0x140f9> USP10.dll!ScriptStringAnalyzeGlyphs
0x75247a14 <USP10.dll+0x7a14> USP10.dll!ScriptStringAnalyse
0x76265465 <LPK.dll+0x5465> LPK.dll!LpkStringAnalyse
0x76265172 <LPK.dll+0x5172> LPK.dll!LpkCharsetDraw
0x76261410 <LPK.dll+0x1410> LPK.dll!LpkDrawTextEx
0x752860ea a8 01 test %al $0x01

Error #4: UNINITIALIZED READ: reading register al
@0:01:59.496 in thread 4180
0x75275675 <USP10.dll+0x35675> USP10.dll!ShapingGetGlyphPositions
0x7527286a <USP10.dll+0x3286a> USP10.dll!ShlPlace
0x75245e45 <USP10.dll+0x5e45> USP10.dll!ScriptPlace
0x7525181d <USP10.dll+0x1181d> USP10.dll!RenderItemNoFallback
0x75252ab4 <USP10.dll+0x12ab4> USP10.dll!RenderItemWithFallback
0x75252d42 <USP10.dll+0x12d42> USP10.dll!RenderItem
0x752540f9 <USP10.dll+0x140f9> USP10.dll!ScriptStringAnalyzeGlyphs
0x75247a14 <USP10.dll+0x7a14> USP10.dll!ScriptStringAnalyse
0x76265465 <LPK.dll+0x5465> LPK.dll!LpkStringAnalyse
0x76265172 <LPK.dll+0x5172> LPK.dll!LpkCharsetDraw
0x76261410 <LPK.dll+0x1410> LPK.dll!LpkDrawTextEx
0x76d11898 <USER32.dll+0x21898> USER32.dll!DT_DrawStr
0x75275675 a8 01 test %al $0x01

Error #3: UNINITIALIZED READ: reading 0x0018ea4c-0x0018ea4d 1 byte(s) within 0x0018ea4c-0x0018ea50
@0:00:45.099 in thread 1232
0x75270a79 <USP10.dll+0x30a79> USP10.dll!CUspShapingDrawingSurface::GenericGlyphOut
0x75270124 <USP10.dll+0x30124> USP10.dll!CUspShapingDrawingSurface::DrawGlyphs
0x7528573b <USP10.dll+0x4573b> USP10.dll!GenericEngineDrawGlyphs
0x752759fa <USP10.dll+0x359fa> USP10.dll!ShapingDrawGlyphs
0x75272efd <USP10.dll+0x32efd> USP10.dll!ShlTextOut
0x75246122 <USP10.dll+0x6122> USP10.dll!ScriptTextOut
0x75255af9 <USP10.dll+0x15af9> USP10.dll!InternalStringOut
0x752483be <USP10.dll+0x83be> USP10.dll!ScriptStringOut
0x762651a9 <LPK.dll+0x51a9> LPK.dll!LpkCharsetDraw
0x76261410 <LPK.dll+0x1410> LPK.dll!LpkDrawTextEx
0x76d11898 <USER32.dll+0x21898> USER32.dll!DT_DrawStr
0x76d1182a <USER32.dll+0x2182a> USER32.dll!DT_DrawJustifiedLine
0x75270a79 39 4d 1c cmp 0x1c(%ebp) %ecx

Original issue: http://code.google.com/p/drmemory/issues/detail?id=493

@derekbruening
Contributor Author

From timurrrr@google.com on July 22, 2011 02:15:23

On the MessageBox test (issue #60) on XP 32-bit we've also observed:

[with symbols]
Error #1: UNINITIALIZED READ: reading 0x00347358-0x0034735c 4 byte(s)
@0:00:01.376 in thread 3536
0x74da6576 <USP10.dll+0x16576> USP10.dll!LoadGlyphMetrics
0x74da66d7 <USP10.dll+0x166d7> USP10.dll!GetGlyphAdvanceWidths
0x74da59be <USP10.dll+0x159be> USP10.dll!FindOrCreateSizeCacheWithoutRealizationID
0x74da5a8e <USP10.dll+0x15a8e> USP10.dll!FindOrCreateSizeCacheUsingRealizationID
0x74da5ea3 <USP10.dll+0x15ea3> USP10.dll!UpdateCache
0x74da5f8b <USP10.dll+0x15f8b> USP10.dll!ScriptCheckCache
0x74da4186 <USP10.dll+0x14186> USP10.dll!ScriptStringAnalyse
0x629c48f8 <LPK.dll+0x48f8> LPK.dll!LpkStringAnalyse
0x629c4651 <LPK.dll+0x4651> LPK.dll!LpkCharsetDraw
0x629c1269 <LPK.dll+0x1269> LPK.dll!LpkDrawTextEx
0x7e44e667 <USER32.dll+0x3e667> USER32.dll!DT_DrawStr
0x7e42bae3 <USER32.dll+0x1bae3> USER32.dll!DT_GetLineBreak

[w/o symbols]
Error #1: UNINITIALIZED READ: reading 0x00347358-0x0034735c 4 byte(s)
@0:00:01.110 in thread 5816
0x74da6576 <USP10.dll+0x16576> USP10.dll!ScriptApplyDigitSubstitution
0x74da66d7 <USP10.dll+0x166d7> USP10.dll!ScriptApplyDigitSubstitution
0x74da59be <USP10.dll+0x159be> USP10.dll!ScriptApplyDigitSubstitution
0x74da5a8e <USP10.dll+0x15a8e> USP10.dll!ScriptApplyDigitSubstitution
0x74da5ea3 <USP10.dll+0x15ea3> USP10.dll!ScriptApplyDigitSubstitution
0x74da5f8b <USP10.dll+0x15f8b> USP10.dll!ScriptApplyDigitSubstitution
0x74da4186 <USP10.dll+0x14186> USP10.dll!ScriptStringAnalyse
0x629c48f8 <LPK.dll+0x48f8> LPK.dll!LpkTabbedTextOut
0x629c4651 <LPK.dll+0x4651> LPK.dll!LpkTabbedTextOut
0x629c1269 <LPK.dll+0x1269> LPK.dll!LpkDrawTextEx
0x7e44e667 <USER32.dll+0x3e667> USER32.dll!DeregisterShellHookWindow
0x7e42bae3 <USER32.dll+0x1bae3> USER32.dll!DrawTextExW

@derekbruening
Contributor Author

From bruen...@google.com on September 20, 2011 18:30:52

W/ no syms, somehow there is no symbol at all for the top frame.
Will likely suppress with

USP10.dll!*
USP10.dll!Script*

and an instruction= line.

Dr. Memory version 1.4.3 build 3 built on Sep 20 2011 21:16:26
Application cmdline: ""C:\Windows\System32\calc.exe""
Recorded 27 suppression(s) from default C:\Program Files (x86)\Dr. Memory/bin/suppress-default.txt

Error #1: UNINITIALIZED READ: reading 0x001afb94-0x001afb95 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptIsComplex
# 2 LPK.dll!LpkGetTextExtentExPoint
# 3 GDI32.dll!CreateICW
# 4 GDI32.dll!GetTextExtentPointW
# 5 GDI32.dll!GdiGetCharDimensions
# 6 USER32.dll!CreateDialogIndirectParamAorW
# 7 USER32.dll!CreateDialogIndirectParamAorW
# 8 USER32.dll!CreateDialogParamW
# 9 ?
#10 ?
#11 ?
Note: @0:00:02.359 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #2: UNINITIALIZED READ: reading 0x001ae8ac-0x001ae8ad 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkDrawTextEx
# 7 LPK.dll!LpkDrawTextEx
# 8 USER32.dll!CallWindowProcA
# 9 USER32.dll!CallWindowProcA
#10 USER32.dll!DrawTextExW
#11 USER32.dll!DrawTextExW
Note: @0:00:02.765 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #3: UNINITIALIZED READ: reading 0x001af5c4-0x001af5c5 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkDrawTextEx
# 7 LPK.dll!LpkDrawTextEx
# 8 USER32.dll!CallWindowProcA
# 9 USER32.dll!GetWindowInfo
#10 USER32.dll!GetWindowInfo
#11 USER32.dll!DrawTextExW
Note: @0:00:03.328 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #4: UNINITIALIZED READ: reading 0x001af5dc-0x001af5dd 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkDrawTextEx
# 7 LPK.dll!LpkDrawTextEx
# 8 USER32.dll!CallWindowProcA
# 9 USER32.dll!CallWindowProcA
#10 USER32.dll!GetWindowInfo
#11 USER32.dll!DrawTextExW
Note: @0:00:03.328 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #5: UNINITIALIZED READ: reading 0x001af034-0x001af035 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkDrawTextEx
# 7 LPK.dll!LpkDrawTextEx
# 8 USER32.dll!CalcMenuBar
# 9 USER32.dll!CalcMenuBar
#10 USER32.dll!DrawTextExW
#11 USER32.dll!DrawTextExW
Note: @0:00:03.593 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #9: UNINITIALIZED READ: reading 0x001af594-0x001af595 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkInitialize
# 7 LPK.dll!LpkGetTextExtentExPoint
# 8 COMCTL32.dll!FreeMRUList
# 9 COMCTL32.dll!ImageList_Duplicate
#10 COMCTL32.dll!ImageList_Duplicate
#11 COMCTL32.dll!FreeMRUList
Note: @0:00:04.625 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #10: UNINITIALIZED READ: reading 0x001af5f4-0x001af5f5 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkInitialize
# 7 LPK.dll!LpkGetTextExtentExPoint
# 8 COMCTL32.dll!FreeMRUList
# 9 COMCTL32.dll!FreeMRUList
#10 COMCTL32.dll!ImageList_Duplicate
#11 COMCTL32.dll!FreeMRUList
Note: @0:00:04.656 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #11: UNINITIALIZED READ: reading 0x001af614-0x001af615 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkInitialize
# 7 LPK.dll!LpkGetTextExtentExPoint
# 8 COMCTL32.dll!FreeMRUList
# 9 COMCTL32.dll!FreeMRUList
#10 COMCTL32.dll!FreeMRUList
#11 COMCTL32.dll!FreeMRUList
Note: @0:00:04.671 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #12: UNINITIALIZED READ: reading 0x001af674-0x001af675 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkInitialize
# 7 LPK.dll!LpkGetTextExtentExPoint
# 8 COMCTL32.dll!FreeMRUList
# 9 COMCTL32.dll!FreeMRUList
#10 COMCTL32.dll!Ordinal235
#11 COMCTL32.dll!Ordinal235
Note: @0:00:04.687 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #13: UNINITIALIZED READ: reading 0x001af7d4-0x001af7d5 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkInitialize
# 7 LPK.dll!LpkGetTextExtentExPoint
# 8 COMCTL32.dll!FreeMRUList
# 9 COMCTL32.dll!ImageList_Duplicate
#10 COMCTL32.dll!ImageList_Duplicate
#11 COMCTL32.dll!ImageList_Draw
Note: @0:00:04.875 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #14: UNINITIALIZED READ: reading 0x001af834-0x001af835 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkInitialize
# 7 LPK.dll!LpkGetTextExtentExPoint
# 8 COMCTL32.dll!FreeMRUList
# 9 COMCTL32.dll!FreeMRUList
#10 COMCTL32.dll!ImageList_Duplicate
#11 COMCTL32.dll!ImageList_Draw
Note: @0:00:04.875 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

Error #15: UNINITIALIZED READ: reading 0x001af18c-0x001af18d 1 byte(s)
# 0 USP10.dll!?
# 1 USP10.dll!ScriptItemize
# 2 USP10.dll!ScriptItemize
# 3 USP10.dll!ScriptItemize
# 4 USP10.dll!ScriptStringAnalyse
# 5 LPK.dll!LpkExtTextOut
# 6 LPK.dll!LpkDrawTextEx
# 7 LPK.dll!LpkDrawTextEx
# 8 USER32.dll!CallWindowProcA
# 9 USER32.dll!DestroyCursor
#10 USER32.dll!DrawTextExW
#11 USER32.dll!DrawTextExW
Note: @0:00:04.984 in thread 2384
Note: instruction: test 0x00000094(%esi) $0x01

@derekbruening
Contributor Author

From bruen...@google.com on September 22, 2011 09:04:45

Meant to label the prev comment as "calc on vista".

Also seeing more of the cmp, unfortunately:

Somehow my laptop is now showing instances w/o OP_test when running calc.
Maybe the last MS update or something:

w/ syms:
Dr.M Error #3: UNINITIALIZED READ: reading 1 byte(s) within 0x001adba4-0x001adba8
Dr.M # 0 USP10.dll!CUspShapingDrawingSurface::GenericGlyphOut
Dr.M # 1 USP10.dll!CUspShapingDrawingSurface::DrawGlyphs
Dr.M # 2 USP10.dll!GenericEngineDrawGlyphs
Dr.M # 3 USP10.dll!ShapingDrawGlyphs
Dr.M # 4 USP10.dll!ShlTextOut
Dr.M # 5 USP10.dll!ScriptTextOut
Dr.M # 6 USP10.dll!InternalStringOut
Dr.M # 7 USP10.dll!ScriptStringOut
Dr.M # 8 LPK.dll!LpkCharsetDraw
Dr.M # 9 LPK.dll!LpkDrawTextEx
Dr.M #10 USER32.dll!DT_DrawStr
Dr.M #11 USER32.dll!DT_DrawJustifiedLine

Plus 2 similar callstacks.

w/o syms:
Dr.M Error #3: UNINITIALIZED READ: reading 0x0017dcb4-0x0017dcb5 1 byte(s) within 0x0017dcb4-0x0017dcb8
Dr.M # 0 USP10.dll!ScriptPositionSingleGlyph
Dr.M # 1 USP10.dll!ScriptPositionSingleGlyph
Dr.M # 2 USP10.dll!ScriptPositionSingleGlyph
Dr.M # 3 USP10.dll!ScriptPositionSingleGlyph
Dr.M # 4 USP10.dll!ScriptPositionSingleGlyph
Dr.M # 5 USP10.dll!ScriptTextOut
Dr.M # 6 USP10.dll!ScriptApplyDigitSubstitution
Dr.M # 7 USP10.dll!ScriptStringOut
Dr.M # 8 LPK.dll!LpkTabbedTextOut
Dr.M # 9 LPK.dll!LpkDrawTextEx
Dr.M #10 USER32.dll!DrawTextExW
Dr.M #11 USER32.dll!DrawTextExW
Dr.M Note: @0:00:06.640 in thread 2264
Dr.M Note: instruction: cmp 0x1c(%ebp) %ecx
Dr.M Note: instruction: cmp 0x1c(%ebp) %ecx
Dr.M Note: instruction: cmp 0x1c(%ebp) %ecx
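The suppressions sketched two comments up ("USP10.dll!*" plus an instruction= line), written out as an added example; these are not entries from Dr. Memory's own suppress-default.txt. They assume the suppression-file syntax Dr. Memory documents (an error-type line, optional name= and instruction= lines, then one frame pattern per line, with a suppression matching when it matches a prefix of the reported callstack), and the instruction text is copied from the reports on this page, so the first entry covers only the no-symbols `test` reports and the second only the GenericGlyphOut `cmp`; the name= values are made up here.

```text
UNINITIALIZED READ
name=USP10.dll bit-level false positive (test), i#493
instruction=test 0x00000094(%esi) $0x01
USP10.dll!*

UNINITIALIZED READ
name=USP10.dll GenericGlyphOut bit-level false positive (cmp), i#493
instruction=cmp 0x1c(%ebp) %ecx
USP10.dll!*
```

Keeping the instruction= line is what stops these from silencing every uninitialized read under USP10.dll: only reports whose "Note: instruction:" line matches are dropped, so a genuine bug that trips a different instruction in the same module still surfaces. Copy the instruction spacing exactly as your Dr. Memory version prints it.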

@derekbruening
Contributor Author

From bruen...@google.com on September 22, 2011 10:44:23

Here's confirmation that this OP_cmp is a false positive requiring per-bit
granularity. Essentially the bottom bits are set by "&= 0xfffffff0", which
still leaves some bits in the bottom byte undefined. Later that value is
"&= 0x1", so we have a fully-defined value, but w/ byte granularity we
can't tell:

0:003> U 751613e9-c9 751613e9+3
USP10!CUspShapingDrawingSurface::GenericGlyphOut:
...
751613e1 33c9 xor ecx,ecx
751613e3 898d58ffffff mov [ebp-0xa8],ecx
751613e9 394d1c cmp [ebp+0x1c],ecx

USP10!CUspShapingDrawingSurface::DrawGlyphs+0x155:
...
75160a72 8b5510 mov edx,[ebp+0x10]
75160a75 52 push edx
75160a76 8b5604 mov edx,[esi+0x4]
75160a79 51 push ecx
75160a7a 8b4c2430 mov ecx,[esp+0x30]
75160a7e 52 push edx
75160a7f 8b54242c mov edx,[esp+0x2c]
75160a83 51 push ecx
75160a84 52 push edx
75160a85 8b5304 mov edx,[ebx+0x4]
75160a88 8d4c2438 lea ecx,[esp+0x38]
75160a8c 51 push ecx
75160a8d 8bc8 mov ecx,eax
75160a8f e88c080000 call USP10!CUspShapingDrawingSurface::GenericGlyphOut (75161320)

USP10!GenericEngineDrawGlyphs:
75175385 8b5510 mov edx,[ebp+0x10]
...
751753c8 8b4210 mov eax,[edx+0x10]
751753cb 8b550c mov edx,[ebp+0xc]
751753ce 83e001 and eax,0x1
751753d1 50 push eax
751753d2 8b4508 mov eax,[ebp+0x8]
751753d5 52 push edx
751753d6 8b16 mov edx,[esi]
751753d8 50 push eax
751753d9 ffd2 call edx

USP10!ShapingDrawGlyphs:
7516617d 8b7510 mov esi,[ebp+0x10]
...
7516622e 56 push esi
7516622f 51 push ecx
75166230 8b0cd5a0131375 mov ecx,[USP10!ScriptProperties+0x20 (751313a0)+edx*8]
75166237 50 push eax
75166238 ffd1 call ecx

USP10!ShlTextOut:
75163652 0fb71cf5a81b1b75 movzx ebx,word ptr [USP10!ShlScriptSupport (751b1ba8)+esi*8] ds:002b:751b1bd0=0001
7516365a 895c2414 mov [esp+0x14],ebx
<no memset of esp+4c+10>
14 pushes => esp+0x4c-0x38 = 0x14 prior
+0x10 = esp+0x24
75163773 8d44244c lea eax,[esp+0x4c]
75163777 50 push eax
75163778 8d8c24bc000000 lea ecx,[esp+0xbc]
7516377f 51 push ecx
75163780 8d9424b0000000 lea edx,[esp+0xb0]
75163787 52 push edx
75163788 e893290000 call USP10!ShapingDrawGlyphs (75166120)

75163616 33c0 xor eax,eax
...
75163620 0f94c0 sete al
...
75163638 8bf8 mov edi,eax
...
75163687 8b4c2424 mov ecx,[esp+0x24] => happened to be 0x0
7516368b 2500040000 and eax,0x400
75163690 0d00200000 or eax,0x2000
75163695 c1ef0a shr edi,0xa
75163698 c1e807 shr eax,0x7
7516369b 0bf8 or edi,eax
7516369d 83e1f0 and ecx,0xfffffff0 => bottom 4 bits now defined
751636a0 0bf9 or edi,ecx
751636a2 817c2414ffff0000 cmp dword ptr [esp+0x14],0xffff
751636aa c7842480000000c05c1375 mov dword ptr [esp+0x80],0x75135cc0
751636b5 89942488000000 mov [esp+0x88],edx
751636bc 895c2420 mov [esp+0x20],ebx
751636c0 897c2424 mov [esp+0x24],edi

0:000> dd esp+4c
0014de84 00000001 746c6664 746c6664 00000000
0014de94 00000040 75136104 460118b9 00000019
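The two sequences analyzed in this thread, the `shr ebx,4; test bl,0x10` in GenericEngineGetBreakingProperties from the first comment and the `and ecx,0xfffffff0` ... `or edi,ecx` ... `and eax,0x1` path into GenericGlyphOut from the comment above, replayed under a byte-granular and a bit-granular definedness shadow. This is an added example, not Dr. Memory's shadow implementation and not code from this issue; the `shadow_t` type, the `sh_*` helpers and the two `*_reports` functions are mine. It assumes a simplified model in which every register bit carries its own uninitialized flag and the byte-granular variant records a byte as wholly uninitialized whenever any bit in it is; the shadow-byte decoder assumes the layout the `dyb` dumps above suggest (one shadow byte per four application bytes, two bits each, low-order pair for the lowest address, 0b11 meaning uninitialized). The register contents, including the defined 0x40 bit in edi, are constructed; only the shadow byte 03 is taken from the dumps.

```c
/* Added model (not Dr. Memory's implementation): byte- vs bit-granular
 * definedness propagation for the sequences discussed in this issue. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t val;   /* register contents */
    uint32_t undef; /* bit set => that bit was never initialized */
} shadow_t;

/* Decode one shadow byte into a 32-bit undef mask for the dword it covers.
 * Assumed layout (read off the dyb dumps in this issue): two bits per
 * application byte, low-order pair = lowest address, 0b11 = uninitialized. */
static uint32_t undef_from_shadow_byte(uint8_t sb)
{
    uint32_t undef = 0;
    for (int i = 0; i < 4; i++)
        if (((sb >> (2 * i)) & 3) == 3)
            undef |= 0xffu << (8 * i);
    return undef;
}

/* Byte granularity has one state per byte, so a byte with any uninit bit
 * must be recorded as entirely uninit. Bit granularity keeps the exact mask. */
static shadow_t settle(shadow_t s, bool per_bit)
{
    if (!per_bit)
        for (int i = 0; i < 4; i++)
            if (s.undef & (0xffu << (8 * i)))
                s.undef |= 0xffu << (8 * i);
    return s;
}

/* and reg, imm: bits cleared by the mask become defined zeros. */
static shadow_t sh_and_imm(shadow_t s, uint32_t imm, bool per_bit)
{
    shadow_t r = { s.val & imm, s.undef & imm };
    return settle(r, per_bit);
}

/* or a, b: a defined 1 in either operand makes that result bit defined. */
static shadow_t sh_or(shadow_t a, shadow_t b, bool per_bit)
{
    uint32_t known_one = (a.val & ~a.undef) | (b.val & ~b.undef);
    shadow_t r = { a.val | b.val, (a.undef | b.undef) & ~known_one };
    return settle(r, per_bit);
}

/* shr reg, n: the zeros shifted in at the top are defined. */
static shadow_t sh_shr_imm(shadow_t s, unsigned n, bool per_bit)
{
    shadow_t r = { s.val >> n, s.undef >> n };
    return settle(r, per_bit);
}

/* test reg, imm: a checker reports if any bit selected by imm is uninit. */
static bool sh_test_reports(shadow_t s, uint32_t imm)
{
    return (s.undef & imm) != 0;
}

/* GenericGlyphOut path: ShlTextOut does "and ecx,0xfffffff0; or edi,ecx" on a
 * dword whose low byte was never written, and GenericEngineDrawGlyphs later
 * does "and eax,0x1" on that value before it is compared. */
static bool glyphout_reports(bool per_bit)
{
    shadow_t ecx = { 0x0, undef_from_shadow_byte(0x03) }; /* constructed: low byte uninit */
    shadow_t edi = { 0x40, 0 }; /* constructed: fully defined flag word, bit 6 set */
    ecx = sh_and_imm(ecx, 0xfffffff0u, per_bit);
    edi = sh_or(edi, ecx, per_bit);
    shadow_t eax = sh_and_imm(edi, 0x1u, per_bit);
    return eax.undef != 0; /* a cmp/test on eax would be flagged */
}

/* GenericEngineGetBreakingProperties: "shr ebx,4" then "test bl,0x10" on a
 * dword whose shadow byte reads 03 (only the low byte uninit). Bit 4 of the
 * shifted value came from bit 8 of the original, which was defined. */
static bool breaking_reports(bool per_bit)
{
    shadow_t ebx = { 0x0, undef_from_shadow_byte(0x03) }; /* constructed value, shadow from the dump */
    ebx = sh_shr_imm(ebx, 4, per_bit);
    return sh_test_reports(ebx, 0x10u);
}

int main(void)
{
    printf("GenericGlyphOut    byte-granular: %s  per-bit: %s\n",
           glyphout_reports(false) ? "REPORT" : "clean",
           glyphout_reports(true) ? "REPORT" : "clean");
    printf("BreakingProperties byte-granular: %s  per-bit: %s\n",
           breaking_reports(false) ? "REPORT" : "clean",
           breaking_reports(true) ? "REPORT" : "clean");
    return 0;
}
```

Built with any C99 compiler, it reports both sequences under byte granularity and neither under bit granularity, which is exactly the pattern the FalsePos-BitLevel label records: the application never consumes an uninitialized bit, but a shadow that cannot express "bits 0-3 of this byte are defined" has to call the whole byte uninitialized and then cannot recover when the later `and` or `shr` discards the undefined bits.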

@derekbruening
Contributor Author

From bruen...@google.com on December 07, 2011 11:20:32

Labels: FalsePos-BitLevel
