patch for dlls/gdi32/dib.c: fixes crash

Wolfgang Walter wine at stwm.de
Wed Jul 27 10:44:58 CDT 2011


Hello,

an application started to crash with recent versions of wine:

err:seh:setup_exception_record stack overflow 820 bytes in thread 0039 eip 7bc80a06 esp 00240ffc stack

I bisected it down to commit 

6ce6f890bef2257af50a78e7deee86bdce052189 is the first bad commit
commit 6ce6f890bef2257af50a78e7deee86bdce052189
Author: Huw Davies <huw at codeweavers.com>
Date:   Fri Jul 22 15:09:58 2011 +0100

    gdi32: Add a helper to sanitize a BITMAPINFO structure.

:040000 040000 b6325072f7f3139321547d96568aa1177b1ed69a 4c949357226436c1e93c06b629a3471db75bc5e4 M      dlls


This patch fixes the problem:

diff --git a/dlls/gdi32/dib.c b/dlls/gdi32/dib.c
index f7b9037..d544598 100644
--- a/dlls/gdi32/dib.c
+++ b/dlls/gdi32/dib.c
@@ -504,10 +504,8 @@ INT WINAPI SetDIBits( HDC hdc, HBITMAP hbitmap, UINT startscan,
     BOOL delete_hdc = FALSE;
     PHYSDEV physdev;
     BITMAPOBJ *bitmap;
-    char src_bmibuf[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
-    BITMAPINFO *src_info = (BITMAPINFO *)src_bmibuf;
-    char dst_bmibuf[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
-    BITMAPINFO *dst_info = (BITMAPINFO *)dst_bmibuf;
+    BITMAPINFO *src_info = 0;
+    BITMAPINFO *dst_info = 0;
     INT result = 0;
     DWORD err;
     struct gdi_image_bits src_bits;
@@ -538,6 +536,11 @@ INT WINAPI SetDIBits( HDC hdc, HBITMAP hbitmap, UINT startscan,
         return 0;
     }
 
+    if(!(src_info = HeapAlloc( GetProcessHeap(), 0, FIELD_OFFSET( BITMAPINFO, bmiColors[256] ) ))) {
+        SetLastError( ERROR_OUTOFMEMORY );
+        goto done;
+    }
+
     if (!bitmapinfo_from_user_bitmapinfo( src_info, info, coloruse )) goto done;
 
     if (coloruse == DIB_PAL_COLORS)
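Review bot: The new `src_info` buffer is allocated with flags `0`, so any bytes that `bitmapinfo_from_user_bitmapinfo` does not write remain uninitialised heap memory. The third hunk then copies the full `FIELD_OFFSET( BITMAPINFO, bmiColors[256] )` bytes into `dst_info` and passes that to `pPutImage`. Whether the helper fills the whole colour table is not visible here, and the removed stack buffers had the same property. Allocating with `HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, ... )` would make the copied contents deterministic and keep stale heap data from reaching the driver. The body of SetDIBits continues outside this hunk.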
@@ -603,6 +606,10 @@ INT WINAPI SetDIBits( HDC hdc, HBITMAP hbitmap, UINT startscan,
     dst.width  = dst.visrect.right - dst.visrect.left;
     dst.height = dst.visrect.bottom - dst.visrect.top;
 
+    if(!(dst_info = HeapAlloc( GetProcessHeap(), 0, FIELD_OFFSET( BITMAPINFO, bmiColors[256] ) ))) {
+        SetLastError( ERROR_OUTOFMEMORY );
+        goto done;
+    }
     memcpy( dst_info, src_info, FIELD_OFFSET( BITMAPINFO, bmiColors[256] ));
 
     err = physdev->funcs->pPutImage( physdev, hbitmap, clip, dst_info, &src_bits, &src, &dst, 0 );
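Review bot: The buffer size `FIELD_OFFSET( BITMAPINFO, bmiColors[256] )` is now spelled out independently in both `HeapAlloc` calls and in the `memcpy` that follows the new check. With the old `char` arrays a mismatch was at least visible next to the declaration. With heap blocks, a later edit that changes only one of the three expressions makes the `memcpy` overrun or over-read a heap allocation. Computing the size once, for example `const SIZE_T bmi_size = FIELD_OFFSET( BITMAPINFO, bmiColors[256] );` next to the declarations, and using `bmi_size` in all three places keeps the allocation and the copy tied together. The enclosing function starts and ends outside this hunk.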
@@ -629,6 +636,8 @@ INT WINAPI SetDIBits( HDC hdc, HBITMAP hbitmap, UINT startscan,
     if(err) result = 0;
 
 done:
+    HeapFree( GetProcessHeap(), 0, dst_info);
+    HeapFree( GetProcessHeap(), 0, src_info);
     if (src_bits.free) src_bits.free( &src_bits );
     if (clip) DeleteObject( clip );
     GDI_ReleaseObj( hbitmap );


Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts


