request to look into this bug

Louis. Lenders xerox_xerox2000 at yahoo.co.uk
Fri Mar 30 12:58:09 CDT 2007


Hi, while working through the test reports in the AppDB, I saw users submitting crashes with applications, all similar to bug 7380, so I decided to take it here. The applications that crash are:
* WinMerge (newest version)
* BookWorms Adventures + several other PopCap games (I tested them)
* 5 other applications listed under bug 7380.

So I know of at least 10 applications that crash this way. They all start fine using the "buggy pointer" patch from Rein Klazes below. However, I think it's becoming rather strange that all these (just released!) applications pass buggy pointers, so I'm beginning to think the problem must be somewhere else. I sent in a patch to work around this bug with an exception handler a few weeks ago, but that's likely not the way to go either, then. Does anyone have an idea how to tackle this problem? Thanks.



diff --git a/dlls/winex11.drv/dib.c b/dlls/winex11.drv/dib.c
index cec2058..4e61da4 100644
--- a/dlls/winex11.drv/dib.c
+++ b/dlls/winex11.drv/dib.c
@@ -3861,6 +3861,7 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph
   X11DRV_DIB_IMAGEBITS_DESCR descr;
   BITMAP bitmap;
   LONG width, height, tmpheight;
+  int nrsrcbytes, dibpitch;
   INT result;

   descr.physDev = physDev;
@@ -3880,6 +3881,17 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph

   if (startscan + lines > height) lines = height - startscan;

+
+  /* pointer check */
+  dibpitch  = ((width * descr.infoBpp + 23) &~23) / 8;
+  if( descr.compression)
+      nrsrcbytes = 1;
+  else {
+      nrsrcbytes = lines * dibpitch;
+      if( nrsrcbytes < 0) nrsrcbytes = - nrsrcbytes;
+  }
+  if( IsBadReadPtr( bits, nrsrcbytes)) return 0;
+
   switch (descr.infoBpp)
   {
        case 1:
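
Review bot: The rounding in `dibpitch = ((width * descr.infoBpp + 23) &~23) / 8;` looks like a typo for 31: 23 is not of the form 2^n - 1, so `&~23` does not round to a fixed multiple, and DIB scanlines are padded to 32-bit boundaries. Separately, `nrsrcbytes = lines * dibpitch` is evaluated in `int`, so a large width or line count can overflow before the check, and the following `- nrsrcbytes` turns a negative product into a size instead of rejecting it. Compute the size in a wider unsigned type and return 0 on overflow. For compressed data only one byte is probed, so the check only catches a pointer whose first byte is unreadable, and `IsBadReadPtr` in any case reports readability only at the moment of the call.
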
@@ -3926,7 +3938,7 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph
   descr.width     = bitmap.bmWidth;
   descr.height    = lines;
   descr.useShm    = FALSE;
-  descr.dibpitch  = ((descr.infoWidth * descr.infoBpp + 31) &~31) / 8;
+  descr.dibpitch  = dibpitch;
   X11DRV_DIB_Lock( physBitmap, DIB_Status_GdiMod, FALSE );
   result = X11DRV_DIB_SetImageBits( &descr );
   X11DRV_DIB_Unlock( physBitmap, TRUE );
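
Review bot: `descr.dibpitch = dibpitch;` changes the stride handed to `X11DRV_DIB_SetImageBits` for every caller, not just the result of the pointer check: the removed line rounds with `+ 31) &~31` over `descr.infoWidth`, while `dibpitch` is computed earlier with `+ 23) &~23` over `width`. If the intent is only to validate `bits`, leave this line as it was and have the check use the same expression, or document why the pitch formula and the width source are being changed.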
