[Bug 47726] too many fonts cause memory corruption in Post Mortem and Still Life, need some limiting

wine-bugs at winehq.org
Tue Sep 3 12:51:02 CDT 2019


https://bugs.winehq.org/show_bug.cgi?id=47726

--- Comment #2 from Zachary J <zakarjor at yahoo.com> ---
(In reply to Nikolay Sivov from comment #1)
> How exactly does this application ask for such names?

0009: Call gdi32.EnumFontFamiliesA(00120051,00000000,2538e4b0,0034f510)
ret=2538e71d

then some loops of LdrAccessResource() and LdrFindResource_U(), then lots of
repeated loops with calls of pairs of msvcrt.??@YAPAXI@Z() and
ntdll.RtlAllocateHeap(00041000,00000000,000000XX), msvcrt.??@YAXPAX@Z(XXXXXXXX)
and ntdll.RtlFreeHeap(00410000,00000000,XXXXXXXX), with increasing size (3rd
parameter) in ntdll.RtlAllocateHeap(), before eventually a page fault occurs after
allocating with size 0000ffff and then subsequently allocating with size
0000000 (which is smaller than 0000ffff), as shown in my previous comment.

So it looks like it's calling EnumFontFamiliesA() with a custom callback
function, which seems to append font names into a string, each time resizing
the string by allocating a new, larger string, copying the old string into the
new one, then deleting the old string.

I checked the wine source and EnumFontFamiliesA() eventually calls
freetype_EnumFonts() in dlls/gdi32/freetype.c, which seems to indicate there is
a way to filter the list of font names by character set.

I wonder if this is something I can do now. How do I make the function only
send US ASCII fonts?

Currently I have en_US.utf8 character set, and I guess that's why it sends
names of all the multilingual fonts. I've tried setting LANG=C but that didn't
help.
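As an added illustration (not code from the bug report, the game, or Wine): the grow/copy/free accumulator the trace suggests, written the way a defender would want it, with size_t bookkeeping, wrap-around checks and a hard limit so that an unexpectedly long font list stops the enumeration cleanly instead of corrupting the heap. The callback returns nonzero to continue and zero to stop, mirroring the EnumFontFamProc convention; `collect_names` is a hypothetical driver standing in for the enumerator.

```c
#include <stdlib.h>
#include <string.h>

/* Growable comma-separated list of font-family names. Constructed example:
 * plain C, not tied to gdi32 or to the game's own code. */
typedef struct {
    char *data;   /* NUL-terminated, or NULL before the first append */
    size_t len;   /* bytes in use, excluding the NUL */
    size_t cap;   /* bytes allocated; never exceeds limit */
    size_t limit; /* hard cap on the whole buffer */
} name_list;

void name_list_init(name_list *l, size_t limit) {
    l->data = NULL; l->len = 0; l->cap = 0; l->limit = limit;
}

/* Append one name. Returns 1 to continue enumeration, 0 to stop.
 * Every size computation is checked before any write, so the copy
 * can never run past the allocation. */
int name_list_append(name_list *l, const char *name) {
    size_t nlen = strlen(name);
    size_t sep = l->len ? 1 : 0;                   /* comma before 2nd+ name */
    if (l->limit == 0 || l->len + 1 > l->limit) return 0;
    size_t room = l->limit - l->len - 1;           /* bytes left for sep+name */
    if (sep > room || nlen > room - sep) return 0; /* would exceed limit */
    size_t needed = l->len + sep + nlen + 1;
    if (needed > l->cap) {
        /* Grow geometrically, clamped to limit (no doubling past it). */
        size_t newcap = l->cap ? l->cap : (l->limit < 64 ? l->limit : 64);
        while (newcap < needed)
            newcap = (newcap > l->limit / 2) ? l->limit : newcap * 2;
        char *p = malloc(newcap);
        if (!p) return 0;
        if (l->data) { memcpy(p, l->data, l->len + 1); free(l->data); }
        else p[0] = '\0';
        l->data = p; l->cap = newcap;
    }
    if (sep) l->data[l->len++] = ',';
    memcpy(l->data + l->len, name, nlen + 1);
    l->len += nlen;
    return 1;
}

/* Hypothetical enumerator: calls the callback per name, stops on the first 0.
 * Returns how many names were appended; *out receives the list (caller frees). */
size_t collect_names(const char *const *names, size_t count, size_t limit, char **out) {
    name_list l; name_list_init(&l, limit);
    size_t n = 0;
    while (n < count && name_list_append(&l, names[n])) n++;
    *out = l.data;
    return n;
}
```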
