[Bug 23849] Hofmann photo album app has access violation dialog during startup

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Jul 31 06:10:06 CDT 2010 

http://bugs.winehq.org/show_bug.cgi?id=23849


Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |dotnet
                 CC|                            |focht at gmx.net
          Component|-unknown                    |gdi32




--- Comment #1 from Anastasius Focht <focht at gmx.net>  2010-07-31 06:09:59 ---
Hello,

well it's a stupid app bug.
The app uses gdi32 font API incorrectly while trying to load (embedded) fonts
from its resources.

+tid,+seh,+font,+relay:

--- snip ---
...
0047:Call gdi32.AddFontMemResourceEx(00199050,00055fe1,00000000,00000001)
ret=0036a1c3
0047:trace:font:WineEngAddFontMemResourceEx Copying 352225 bytes of data from
0x199050 to 0x4cd9030
0047:trace:font:AddFontToList Loading font from ptr 0x4cd9030 size 352225,
index 0
0047:trace:font:get_familyname Got localised name L"Arial"
0047:trace:font:AddFontToList fsCsb = 400001ff ffff0000/00007a87 80000000
00000008 00000000
0047:trace:font:AddFontToList Added font L"Arial" L"Bold"
0047:trace:seh:raise_exception code=c0000005 flags=0 addr=0x201d327a
ip=201d327a tid=0047
0047:trace:seh:raise_exception  info[0]=00000001
0047:trace:seh:raise_exception  info[1]=00000001
0047:trace:seh:raise_exception  eax=00000001 ebx=2020422c ecx=00000000
edx=00000001 esi=04cd9030 edi=20207f20
0047:trace:seh:raise_exception  ebp=0032ea38 esp=0032ea00 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
0047:trace:seh:call_vectored_handlers calling handler at 0x57ca3120
code=c0000005 flags=0
0047:trace:seh:call_vectored_handlers handler at 0x57ca3120 returned 0
0047:trace:seh:call_stack_handlers calling handler at 0x79fcc9ae code=c0000005
flags=0  
--- snip ---

The app managed callstack:

--- snip ---
2010-07-31 10:18:51,512 [1] ERROR DigitalAlbum - SplashForm -> Set Font
System.AccessViolationException: Attempted to read or write protected memory.
This is often an indication that other memory is corrupt.
   at HofmannDigital.HelperFont.AddFontMemResourceEx(IntPtr pbFont, Int32
cbFont, Int32 pdv, Int32 pcFonts)
   at HofmannDigital.HelperFont.GetEmbeddedFonts()
   at HofmannDigital.HelperFont.LoadEmbeddedFonts()
   at HofmannDigital.HelperFont.GetPrivateFontFamily(String familyName)
   at HofmannDigital.HelperFont.CreatePrivateFont(String familyName, Single
emSize, FontStyle style)
   at HofmannDigital.Helper.CreateFont(String familyName, Single emSize,
FontStyle style, GraphicsUnit unit, Byte gdiCharSet)
   at HofmannDigital.SplashForm.Initialize()
2010-07-31 10:18:51,527 [1] ERROR DigitalAlbum - SplashForm.Initialize 
--- snip ---

The app's P/Invoke signature for gdi32.AddFontMemResourceEx() is wrong:

HofmannDigital.HelperFont.AddFontMemResourceEx(IntPtr pbFont, Int32 cbFont,
Int32 pdv, Int32 pcFonts)

Wine:

--- snip dlls/gdi32/freetype.c ---
HANDLE WineEngAddFontMemResourceEx(PVOID pbFont, DWORD cbFont, PVOID pdv, DWORD
*pcFonts)
--- snip dlls/gdi32/freetype.c ---

P/Invoke signature from:
http://www.pinvoke.net/default.aspx/gdi32.addfontmemresourceex

--- snip ---
[DllImport("gdi32.dll", ExactSpelling=true)]
private static extern IntPtr AddFontMemResourceEx(byte[] pbFont, int cbFont,
IntPtr pdv, out uint pcFonts)
--- snip ---

The App isn't passing pcFonts as out/ref param but as value (probably
initialized cFonts = 1 on its own). The compiler wont tell you that mistake due
to incorrect P/Invoke signature.

Not sure if Wine should fix such stupid apps/mistakes. Adding an SEH to
dlls/gdi32/freetype.c:WineEngAddFontMemResourceEx() seems like an overkill as
the found fonts count assigment is done _after_ the font(s) have already been
added.

Better would be a write ptr probing before doing any work (call to
AddFontToList()).
There is nothing mentioned regarding the validation of these parameters in MSDN
so this needs a test (NULL pcFonts, invalid pcFonts ptr -> 0xdeadbeef).

While you're at it the return values in error cases should be more consistent
(NULL vs. 0).

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list