wine3d3: Check the destination recangle when for FastBlt().
Peter Dons Tychsen
donpedro at tdcadsl.dk
Mon Jul 30 15:18:42 CDT 2007
On Sun, 2007-07-29 at 23:08 +0200, Stefan Dösinger wrote:
> Am Sonntag, 29. Juli 2007 21:28 schrieb Peter Dons Tychsen:
> > Hello Wine!
> > I have fixed a small bug in FastBlt(), which caused Wine to crash if the
> > application tried to do FastBlt() to a surface using a bad destination
> > setup. The problem is already fixed in normal Blt(), but was broken for
> > FastBlt().
> > This fixes a crash for the little game "Treasure Mole Winter Vacations":
> This check should be in ddraw, not wined3d. ddraw, d3d8 and d3d9 have
> different ideas about such checks, that's why the check was moved from
> WineD3D to the client libs. Originally it was in LockRect, and when it was
> moved the check was lost in Blt and BltFast. There should be a check in ddraw
> already, maybe it is not sufficient.
> Also please write a test case to verify that the fix is correct(look at
> dlls/ddraw/tests/dsurface.c). This will also prevent the problem from coming
> back. Treasure Mole broke after the ddraw rewrite because exactly this check
> was missing. I implemented it in LockRect, like in old ddraw, but I forgot to
> write a test for BltFast. Then a d3d9 game was broken because d3d9 LockRect
> behaved differently, a test was written for Lock(Rect) in ddraw, d3d8 and
> d3d9, and the range check moved to ddraw, d3d8 and d3d9 to be able to
> implement different checking in each version. Since I forgot to write a test
> when I originally fixed Treasure Mole the bug could creep back in again :-(
Thanks for your comments Stefan,
I have taken another look at it. I still think this specific problem
should be fixed in wined3d. The problem occurs because BltFast (ddraw,
d3d and d3d-gdi) all take two DWORDs as the offset write position, and
then later casts them into a RECT structure which has signed values.
This must for any caller be considered an error. No caller could get
anything useful out of this.
lock_dst.left = dstx; <--- bad cast!
lock_dst.top = dsty; <--- bad cast!
lock_dst.right = dstx + w; <--- bad cast!
lock_dst.bottom = dsty + h; <--- bad cast!
Why does this not trigger a warning? Not sure.
I can still move the fix to ddraw, but as said, i am not sure it's the
More information about the wine-patches