Crash in D3D11 device wrapper when object is copy-constructed (2.8.87)

Brought to you by: anton19286, const_k, crazy-walrus

#1662 Crash in D3D11 device wrapper when object is copy-constructed (2.8.87)

Status: open

Owner: nobody

Labels: Server (9) Win32 (10)

Priority: 6

Updated: 1 day ago

Created: 1 day ago

Creator: Securin Disclose

Private: No

WinD3D11Device copy constructor (desktop/WinD3D11Device.cpp:101) has no
member-initialiser list. copy() (line 126) sets m_device and m_context
only - never m_log. Destructor (line 107) calls m_log->debug() without
null check -> crash on destruction of any copy-constructed instance.

operator= (line 120) has the same omission plus no Release() on existing
m_device/m_context before overwrite (COM reference leak).

Header comment: "This member must be always guaranteed non zero" -
confirming this is an oversight, not a design choice.

Attached PoC reads 8 uninitialised bytes and shows garbage m_log value;
dereferencing it as a vtable pointer exits STATUS_ACCESS_VIOLATION.

Fix: add m_log(src.m_log) to copy ctor initialiser list;
in operator= set m_log=src.m_log and Release() old COM objects.
Version: 2.8.87.

Crash in D3D11 device wrapper when object is copy-constructed (2.8.87)

Group

Searches

Help

#1662 Crash in D3D11 device wrapper when object is copy-constructed (2.8.87)

Discussion