[Bug 47726] New: too many fonts cause memory corruption in Post Mortem and Still Life, need some limiting

wine-bugs at winehq.org wine-bugs at winehq.org
Tue Sep 3 05:08:19 CDT 2019 

https://bugs.winehq.org/show_bug.cgi?id=47726

            Bug ID: 47726
           Summary: too many fonts cause memory corruption in Post Mortem
                    and Still Life, need some limiting
           Product: Wine
           Version: 4.15
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdi32
          Assignee: wine-bugs at winehq.org
          Reporter: zakarjor at yahoo.com
      Distribution: ---

I upgraded to Fedora 30 x86_64, and I now have a lot more fonts (lots of
multilingual fonts) than before.

When starting Post Mortem or Still Life, I get the following error:

wine: Unhandled page fault on read access to 0x3235363d at address 0x24036828
(thread 0009), starting debugger...

Running with WINEDEBUG=warn+heap I get
0009:Call msvcrt.??@YAPAXI at Z(0000ffff) ret=2429ef15
0009:Call ntdll.RtlAllocateHeap(00410000,00000000,0000ffff) ret=7e558363
...
0009:Call msvcrt.??@YAPAXI at Z(00000000) ret=2429ef15
0009:Call ntdll.RtlAllocateHeap(00410000,00000000,00000000) ret=7e558363
0009:Call ntdll.RtlAllocateHeap() retval=00480270 ret=7e558363
...
0009:Call ntdll.RtlFreeHeap(00410000,00000000,00480270) ret=7e55842a
0009:err:heap:HEAP_ValidateInUseArena Heap 0x410000: block 0x480270 tail
overwritten at 0x480270 (byte 0/24 == 0x33)

The register eax is supposed to be an address but looks like part of a font
name in ASCII. 

After going thru debugger, I found that there is a bug/limitation of string
size of 64KB, and when the list of font names is just below 64KB (0xffff), and
then appends one character, it goes over 64KB, but wraps around the size to 0
byte, which causes the memory corruption.

It would be nice to have gdi font module to limit the number of fonts to return
to the caller, or have some way to filter the type of fonts to return (like
don't return any Linux fonts), which should be consistent with Windows
environment.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list