PATCH: olefont memory corruption

Marcus Meissner marcus at jet.franken.de
Sun Aug 19 11:37:50 CDT 2001 

Hi,

I spent another 5 hours looking for a strange memory corruption, which turned
out to be heap memory that was freed multiple times.

The problem in this case was the too simple implementation of IFont_Clone().

Ciao, Marcus

Changelog:
	We need to make a copy of the fontname and the HFONT handle in
	IFont_Clone, otherwise we get memory corruption and bad GDI handles.

Index: olefont.c
===================================================================
RCS file: /home/wine/wine/dlls/oleaut32/olefont.c,v
retrieving revision 1.11
diff -u -r1.11 olefont.c
--- olefont.c	2001/07/24 00:59:28	1.11
+++ olefont.c	2001/08/19 16:40:04
@@ -951,6 +953,9 @@
   IFont** ppfont)
 {
   OLEFontImpl* newObject = 0;
+  LOGFONTW logFont;
+  INT      fontHeight;
+  CY       cySize;
   _ICOM_THIS(OLEFontImpl, iface);
   TRACE("(%p)->(%p)\n", this, ppfont);
 
@@ -969,9 +974,38 @@
 
   *newObject = *this;
 
-  /*
-   * That new object starts with a reference count of 1
+  /* We need to alloc new memory for the string, otherwise
+   * we free memory twice.
    */
+  newObject->description.lpstrName = HeapAlloc(
+	GetProcessHeap(),0,
+	(1+strlenW(this->description.lpstrName))*2
+  );
+  /* We need to clone the HFONT too. This is just cut & paste from above */
+  IFont_get_Size(iface, &cySize);
+
+  fontHeight = MulDiv(cySize.s.Lo, 2540L, 72L);
+  fontHeight = MulDiv(fontHeight, this->cyLogical,this->cyHimetric);
+
+  memset(&logFont, 0, sizeof(LOGFONTW));
+
+  logFont.lfHeight          = ((fontHeight%10000L)>5000L) ? (-fontHeight/10000L)-1 :
+							    (-fontHeight/10000L);
+  logFont.lfItalic          = this->description.fItalic;
+  logFont.lfUnderline       = this->description.fUnderline;
+  logFont.lfStrikeOut       = this->description.fStrikethrough;
+  logFont.lfWeight          = this->description.sWeight;
+  logFont.lfCharSet         = this->description.sCharset;
+  logFont.lfOutPrecision    = OUT_CHARACTER_PRECIS;
+  logFont.lfClipPrecision   = CLIP_DEFAULT_PRECIS;
+  logFont.lfQuality         = DEFAULT_QUALITY;
+  logFont.lfPitchAndFamily  = DEFAULT_PITCH;
+  strcpyW(logFont.lfFaceName,this->description.lpstrName);
+
+  newObject->gdiFont = CreateFontIndirectW(&logFont);
+
+
+  /* The cloned object starts with a reference count of 1 */
   newObject->ref          = 1;
 
   *ppfont = (IFont*)newObject;

More information about the wine-patches mailing list