Fix bug in VARDESC, TYPEDESC, and FUNCDESC causing illegal memory access. The types contained an array that might be zero-sized, but JNA tried to read at least one item.

Lauri Wiljami Ahonen · Lauri Wiljami Ahonen · commit 4419bade0bd9 · 2025-12-09T15:56:15.000+02:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -12,7 +12,7 @@ Features
 
 Bug Fixes
 ---------
-
+* [#1644](https://github.com/java-native-access/jna/issues/1644): Fix bug in VARDESC and TYPEDESC causing an illegal memory access - [@lwahonen](https://github.com/lwahonen)
 
 Release 5.18.1
 ==============
diff --git a/contrib/platform/src/com/sun/jna/platform/win32/OaIdl.java b/contrib/platform/src/com/sun/jna/platform/win32/OaIdl.java
@@ -553,6 +553,15 @@ public static class SAFEARRAY extends Structure implements Closeable {
 
         public static class ByReference extends SAFEARRAY implements
                 Structure.ByReference {
+
+            public ByReference() {
+                super();
+            }
+
+            public ByReference(Pointer pointer) {
+                super(pointer);
+            }
+
         }
 
         public USHORT cDims;
@@ -1316,12 +1325,46 @@ public FUNCDESC() {
         public FUNCDESC(Pointer pointer) {
             super(pointer);
             this.read();
+        }
+
+        @Override
+        public void read() {
+            // Read cParams first to know the correct array size for lprgelemdescParam
+            readField("cParams");
+            int paramCount = this.cParams.shortValue();
+
+            // Read most fields except lprgelemdescParam
+            for (String field : new String[]{
+                "memid", "lprgscode", "funckind", "invkind",
+                "callconv", "cParamsOpt", "oVft", "cScodes", "elemdescFunc", "wFuncFlags"}) {
+                readField(field);
+            }
 
-            if (this.cParams.shortValue() > 1) {
-                this.lprgelemdescParam.elemDescArg = new ELEMDESC[this.cParams
-                        .shortValue()];
-                this.lprgelemdescParam.read();
+            // Handle lprgelemdescParam specially based on paramCount
+            if (paramCount > 0) {
+                readField("lprgelemdescParam");
+                if (this.lprgelemdescParam != null) {
+                    this.lprgelemdescParam.elemDescArg = new ELEMDESC[paramCount];
+                    this.lprgelemdescParam.read();
+                }
             }
+            // When paramCount=0, don't read lprgelemdescParam to avoid reading garbage
+        }
+
+        @Override
+        public void write() {
+            // Write most fields except lprgelemdescParam
+            for (String field : new String[]{
+                "memid", "lprgscode", "funckind", "invkind",
+                "callconv", "cParams", "cParamsOpt", "oVft", "cScodes", "elemdescFunc", "wFuncFlags"}) {
+                writeField(field);
+            }
+
+            // Handle lprgelemdescParam specially based on cParams
+            if (this.cParams != null && this.cParams.shortValue() > 0) {
+                writeField("lprgelemdescParam");
+            }
+            // When cParams=0, don't write lprgelemdescParam
         }
     }
 
@@ -1398,14 +1441,10 @@ public static class ByReference extends _VARDESC implements
             public VARIANT.ByReference lpvarValue;
 
             public _VARDESC() {
-                setType("lpvarValue");
-                this.read();
             }
 
             public _VARDESC(Pointer pointer) {
                 super(pointer);
-                setType("lpvarValue");
-                this.read();
             }
 
             /**
@@ -1431,9 +1470,17 @@ public VARDESC() {
 
         public VARDESC(Pointer pointer) {
             super(pointer);
-            this._vardesc.setType("lpvarValue");
             this.read();
         }
+
+        @Override
+        public void read() {
+            readField("varkind");
+            if (_vardesc != null) {
+                _vardesc.setType(varkind.value == VARKIND.VAR_CONST ? "lpvarValue" : "oInst");
+            }
+            super.read();
+        }
     }
 
     @FieldOrder({"tdesc", "_elemdesc"})
@@ -1654,14 +1701,10 @@ public static class _TYPEDESC extends Union {
             public HREFTYPE hreftype;
 
             public _TYPEDESC() {
-                this.setType("hreftype");
-                this.read();
             }
 
             public _TYPEDESC(Pointer pointer) {
                 super(pointer);
-                this.setType("hreftype");
-                this.read();
             }
 
             public TYPEDESC.ByReference getLptdesc() {
@@ -1687,18 +1730,44 @@ public HREFTYPE getHreftype() {
         public VARTYPE vt;
 
         public TYPEDESC() {
-            this.read();
         }
 
         public TYPEDESC(Pointer pointer) {
             super(pointer);
-            this.read();
         }
 
         public TYPEDESC(_TYPEDESC _typedesc, VARTYPE vt) {
             this._typedesc = _typedesc;
             this.vt = vt;
         }
+
+        @Override
+        public void read() {
+            Pointer p = getPointer();
+            if (p == null) {
+                return;
+            }
+
+            // Read vt first to determine the correct union type
+            readField("vt");
+
+            // Set the union type based on vt discriminator
+            switch (vt.intValue()) {
+                case Variant.VT_PTR:
+                case Variant.VT_SAFEARRAY:
+                    _typedesc.setType("lptdesc");
+                    break;
+                case Variant.VT_CARRAY:
+                    _typedesc.setType("lpadesc");
+                    break;
+                case Variant.VT_USERDEFINED:
+                default:
+                    _typedesc.setType("hreftype");
+                    break;
+            }
+
+            super.read();
+        }
     }
 
     @FieldOrder({"dwReserved", "wIDLFlags"})
diff --git a/contrib/platform/test/com/sun/jna/platform/win32/OaIdlTest.java b/contrib/platform/test/com/sun/jna/platform/win32/OaIdlTest.java
