winclip 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f6d5df273deafae1f60beee563bf2c2e98b1485f858be569b2201e35eedf91c1
-  data.tar.gz: acd8ef65e6cc2b4435ddbc36be9af15fdc4cf8717f05f39d961319bf32132175
+  metadata.gz: c0b25c458e941f65768b07785e50fd7ee61591ba4fc40dd7fe6571bba6454ab7
+  data.tar.gz: 6465565e678f37e773aba98def6cc4b4f13eaa190441c9017225d24f0c7740be
 SHA512:
-  metadata.gz: 9570a2bc063aa31b16d252d04465a5d03deea83e7d8f9e0a86a7c2ce1c9e38801038e6d1e9d2ab12d3f405703d23bb9f467814cd4f546549a8ca86ab51bcdcb4
-  data.tar.gz: 80080336d80b9de4d1630f6c47a3a6b99d5ed1eb4be6b19f64b12a6c4d046f5e6d8381268bce45a9813f751a006de28cac0d3cebc8e4682bc2ccd1fa85acae9d
+  metadata.gz: 94c890ec8e6fb145bed87ea71ecbf2c08512435903e343eb128aed777b554eebf42f18c46e4477d887f718ebe8b9f0fb17d60bcdf2d7a47297f9eb3205fe038f
+  data.tar.gz: 90702bfc96e92607e6599ea310b562112107542cac28d75789591f70e887f59be36eaefad893d9d3ed1967a6266b9a28fcd4ffd9e90ff2be5b4ad1642a726017

data/CHANGELOG.md

@@ -6,6 +6,43 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.1] - 2026-06-27
+
+### Fixed
+- **Intermittent heap-corruption crash (silent `SIGSEGV`) when using the image
+  clipboard.** `Winclip.image` and `Winclip.image=` raised their Ruby exceptions
+  (`rb_raise`, which uses `longjmp`) from inside a function frame that also
+  carried C++ exception-handling state — a `std::vector` and a `try`/`catch`
+  around the WIC decode. On MSVC/x64 that `longjmp` unwinds through the frame and
+  corrupts the C++ unwind bookkeeping, poisoning the process heap; the corruption
+  detonated later in an unrelated allocation (often the next exception raise) as a
+  `STATUS_HEAP_CORRUPTION` with no Ruby `[BUG]` dump — so it surfaced as an
+  occasional truncated/aborted run (~2 of 3) rather than a counted test failure.
+  All C++/exception-handling work now lives in helper functions; the Ruby-facing
+  image methods are plain POD frames that `rb_raise` can unwind safely. Verified
+  with a stress harness: the previously ~98%-fatal reject path now runs 0 crashes
+  across hundreds of invocations, and the full suite is stable across randomized
+  ordering. Added `test/test_com_stability.rb` covering the reject path and image
+  round-trips.
+
+### Changed
+- COM/WIC is now initialized once per process instead of an apartment
+  init/teardown on every image call — robustness hardening that removes
+  needless per-call STA churn (not the cause of the crash above, but flagged
+  alongside it).
+
+### Security / robustness
+- Hardened untrusted-DIB pixel-offset handling in `Winclip.image`: the colour-
+  mask gap after a 40-byte `BITMAPINFOHEADER` is now also accounted for under
+  `BI_ALPHABITFIELDS` (4 masks), not only `BI_BITFIELDS` (3 masks), so pixels are
+  located correctly when the OS does not synthesize a `CF_DIBV5` (e.g. some
+  remote-desktop clipboards) and only a raw `CF_DIB` is present.
+- The BGRA row stride (`width * 4`) handed to WIC is now computed and bounds-
+  checked in 64-bit, rejecting absurd widths instead of letting a 32-bit
+  multiply wrap. Both are defensive (bounded, never a heap over-read in prior
+  versions); they keep a malformed/hostile clipboard image decoding correctly or
+  failing cleanly rather than producing a wrong image.
+
 ## [0.1.0] - 2026-05-30
 
 ### Added
@@ -27,5 +64,6 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
   returns `nil` rather than raising. Image size math is 64-bit (no overflow).
 - `available?(name)` resolves custom format names without registering them.
 
-[Unreleased]: https://github.com/main-path/winclip/compare/v0.1.0...HEAD
+[Unreleased]: https://github.com/main-path/winclip/compare/v0.1.1...HEAD
+[0.1.1]: https://github.com/main-path/winclip/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/main-path/winclip/releases/tag/v0.1.0

data/ext/winclip/winclip.cpp

@@ -32,8 +32,34 @@
 #include <cstring>
 #include <cstdint>
 
+#ifndef BI_ALPHABITFIELDS
+#define BI_ALPHABITFIELDS 6   /* 40-byte header + 4 colour masks (R,G,B,A) */
+#endif
+
 static VALUE eWinclipError; /* Winclip::Error */
 
+/* ---------- COM lifetime -------------------------------------------------
+ * WIC runs inside an initialized COM apartment. We initialize the STA ONCE for
+ * the life of the process and never CoUninitialize between calls, instead of the
+ * old per-call CoInitializeEx/CoUninitialize pair: repeatedly creating and
+ * finalizing an apartment around a process-global WIC factory is needless churn,
+ * and a single long-lived apartment is the standard model for an in-process WIC
+ * consumer. (This is robustness hardening. The intermittent heap-corruption
+ * crash itself was a separate bug — rb_raise unwinding through a C++ EH frame —
+ * fixed via the C++/EH-confining wc_*_image helpers below, not here.) A plain
+ * static flag is safe: every Ruby-facing method runs under the GVL on the main
+ * thread. */
+static void wc_ensure_com(void) {
+    static bool com_inited = false;
+    if (com_inited) return;
+    /* S_OK (we initialized it), S_FALSE (already STA) and RPC_E_CHANGED_MODE
+     * (thread already MTA) are all acceptable — WIC's in-proc objects work in
+     * either apartment model. We deliberately never pair this with
+     * CoUninitialize. */
+    CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
+    com_inited = true;
+}
+
 /* ---------- UTF-8 <-> UTF-16 (LocalAlloc'd results) ---------------------- */
 
 static wchar_t *utf8_to_utf16(const char *utf8, int len /* -1 = NUL-terminated */) {
@@ -317,9 +343,20 @@ static HRESULT clip_get_image(std::vector<BYTE> &outPng) {
         hh = (UINT)(rawH < 0 ? -rawH : rawH);
         if (w == 0 || hh == 0) throw E_FAIL;
         if (biSize < sizeof(BITMAPINFOHEADER) || biSize > dibSize) throw E_FAIL;
-
+        /* The BGRA stride (w*4) is handed to WIC's WritePixels as a UINT and is
+         * used as a row stride below; reject widths whose stride would not fit a
+         * 32-bit UINT so the `w * 4` expressions can never wrap. */
+        if ((uint64_t)w * 4 > 0xFFFFFFFFu) throw E_FAIL;
+
+        /* Locate the pixel array. For a plain 40-byte BITMAPINFOHEADER the colour
+         * masks sit between the header and the pixels: 3 DWORDs for BI_BITFIELDS,
+         * 4 for BI_ALPHABITFIELDS. V4/V5 headers (biSize >= 108) embed their masks,
+         * so no gap is added for them. */
         SIZE_T pixOffset = biSize;
-        if (comp == BI_BITFIELDS && biSize == sizeof(BITMAPINFOHEADER)) pixOffset += 3 * sizeof(DWORD);
+        if (biSize == sizeof(BITMAPINFOHEADER)) {
+            if (comp == BI_BITFIELDS)           pixOffset += 3 * sizeof(DWORD);
+            else if (comp == BI_ALPHABITFIELDS) pixOffset += 4 * sizeof(DWORD);
+        }
         if (pixOffset > dibSize) throw E_FAIL;
         BYTE *pixels = dib + pixOffset;
         SIZE_T pixBytes = dibSize - pixOffset;
@@ -360,7 +397,47 @@ static HRESULT clip_get_image(std::vector<BYTE> &outPng) {
     GlobalUnlock(h);
     CloseClipboard();
     if (FAILED(hr)) return hr;
-    return bgra_to_png(bgra.data(), w, hh, w * 4, outPng);
+    return bgra_to_png(bgra.data(), w, hh, (UINT)((uint64_t)w * 4), outPng);
+}
+
+/* ---------- image: C++/EH-confining wrappers ----------------------------
+ * The image paths use std::vector and try/catch, which make their enclosing
+ * function carry MSVC C++ exception-handling unwind state. rb_raise unwinds via
+ * setjmp/longjmp, and on x64 MSVC that longjmp runs frame cleanup as it goes;
+ * letting it unwind THROUGH a frame that owns C++ EH state corrupts the unwind
+ * bookkeeping and poisons the heap (a later allocation then dies with a silent
+ * STATUS_HEAP_CORRUPTION). So all C++ work is confined to these helpers, which
+ * NEVER call into Ruby; the Ruby-facing wc_*_image frames below stay pure POD
+ * (no destructors, no try/catch) and are the only ones that rb_raise. */
+
+/* 0 = ok (result in *hr), 1 = C++ exception (e.g. bad_alloc). Never raises. */
+static int set_image_guarded(const BYTE *png, size_t len, HRESULT *hr) {
+    try {
+        std::vector<BYTE> in(png, png + len);
+        *hr = clip_set_image(in.data(), in.size());
+    } catch (...) {
+        return 1;
+    }
+    return 0;
+}
+
+/* 0 = ok (*out is a LocalAlloc'd PNG buffer of *outlen bytes, caller LocalFree's),
+ * 1 = C++ exception, 2 = absent/undecodable. Never raises. */
+static int get_image_guarded(BYTE **out, size_t *outlen, HRESULT *hr) {
+    *out = NULL; *outlen = 0;
+    std::vector<BYTE> png;
+    try {
+        *hr = clip_get_image(png);
+    } catch (...) {
+        return 1;
+    }
+    if (FAILED(*hr)) return 2;
+    size_t n = png.size();
+    BYTE *buf = (BYTE *)LocalAlloc(LMEM_FIXED, n ? n : 1);
+    if (!buf) return 1;
+    if (n) memcpy(buf, png.data(), n);
+    *out = buf; *outlen = n;
+    return 0;
 }
 
 /* ---------- format names ------------------------------------------------ */
@@ -453,38 +530,34 @@ static VALUE wc_get_image(VALUE self) {
     if (!IsClipboardFormatAvailable(CF_DIBV5) && !IsClipboardFormatAvailable(CF_DIB))
         return Qnil;
 
-    HRESULT cohr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
-    bool com_owned = (cohr == S_OK || cohr == S_FALSE);
+    wc_ensure_com();   /* one process-lifetime STA; never CoUninitialize'd */
 
-    std::vector<BYTE> png;
-    HRESULT hr = E_FAIL;
-    bool threw = false;
-    try { hr = clip_get_image(png); }
-    catch (...) { threw = true; } /* e.g. bad_alloc in bgra_to_png (clipboard already closed) */
-    if (com_owned) CoUninitialize();
+    /* Pure-POD frame: all C++/EH is inside get_image_guarded, so the rb_raise
+     * below never unwinds through a frame carrying C++ exception state. */
+    BYTE *buf = NULL; size_t buflen = 0; HRESULT hr = E_FAIL;
+    int rc = get_image_guarded(&buf, &buflen, &hr);
 
-    if (threw) rb_raise(eWinclipError, "winclip: out of memory decoding the clipboard image");
+    if (rc == 1) rb_raise(eWinclipError, "winclip: out of memory decoding the clipboard image");
     /* Format present but not decodable (palettized / malformed) -> nil, matching
      * the "getters return nil when there's no usable content" contract. */
-    if (FAILED(hr)) return Qnil;
+    if (rc == 2) return Qnil;
 
-    VALUE s = rb_str_new((char *)png.data(), (long)png.size());
+    VALUE s = rb_str_new((char *)buf, (long)buflen);
+    LocalFree(buf);
     rb_enc_associate(s, rb_ascii8bit_encoding());
     return s;
 }
 
 static VALUE wc_set_image(VALUE self, VALUE png) {
     StringValue(png);
-    HRESULT cohr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
-    bool com_owned = (cohr == S_OK || cohr == S_FALSE);
+    wc_ensure_com();   /* one process-lifetime STA; never CoUninitialize'd */
 
+    /* Pure-POD frame: the byte-vector and try/catch live in set_image_guarded so
+     * the rb_raise calls below never unwind through a C++ EH frame. */
+    const BYTE *p = (const BYTE *)RSTRING_PTR(png);
+    size_t n = (size_t)RSTRING_LEN(png);
     HRESULT hr = E_FAIL;
-    bool threw = false;
-    try {
-        std::vector<BYTE> in((BYTE *)RSTRING_PTR(png), (BYTE *)RSTRING_PTR(png) + RSTRING_LEN(png));
-        hr = clip_set_image(in.data(), in.size());
-    } catch (...) { threw = true; } /* e.g. bad_alloc decoding a huge PNG (no clipboard held) */
-    if (com_owned) CoUninitialize();
+    int threw = set_image_guarded(p, n, &hr);
 
     if (threw) rb_raise(eWinclipError, "winclip: out of memory encoding the clipboard image");
     if (FAILED(hr))

data/lib/winclip/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Winclip
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: winclip
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - ned