Segfault in X11DRV_DIB_BuildColorTable (DIB_PAL_COLORS)

Glenn Wurster gwurster at scs.carleton.ca
Wed Mar 23 15:26:52 CST 2005


> I am experiencing a crash during startup of an application (The
> Rosetta Stone 2.0.7a) under Wine.  I reported this earlier on
> wine-users and after some debugging was advised to move to this list.


> I am using the latest Wine I built from CVS, after first encountering
> this problem in the 20050111 and 20050310 Gentoo ebuilds.  I have a
> Linux 2.6.11 system with glibc 2.3.4 20040808 (including nptl),
> Xorg-x11 6.8.2-rc2 (Trident Cyberblade/i1 "trident_drv.o") @1024x768
> 16bpp.  Also tried kernels 2.6.9 & 2.6.10 and 800x600 24bpp
> mode. Would appreciate any advice on how to proceed.

I have attached a patch below which may fix the problem.  Index is a
WORD but yet we only have 256 entries in the palette that we get from
GetPaletteEntries - if any of the values is more, we jump past the end
of pal_ents.  I've modified the function to allow access to all 65536
colour values and adjust for values that are beyond the range of valid
palette indexes.  The patch is completely untested but let me know if
it fixes the issue.

Glenn.


Index: dlls/x11drv/dib.c
===================================================================
RCS file: /home/wine/wine/dlls/x11drv/dib.c,v
retrieving revision 1.23
diff -u -r1.23 dib.c
--- dlls/x11drv/dib.c	1 Mar 2005 10:43:19 -0000	1.23
+++ dlls/x11drv/dib.c	23 Mar 2005 21:16:18 -0000
@@ -415,18 +415,25 @@
     else
     {
         HPALETTE hpal = GetCurrentObject(physDev->hdc, OBJ_PAL);
-        PALETTEENTRY pal_ents[256];
+	PALETTEOBJ * palPtr = GDI_GetObjPtr( hpal, PALETTE_MAGIC );
         WORD *index = (WORD*) ((LPBYTE) info + (WORD) info->bmiHeader.biSize);
+	int entry;
 
-        GetPaletteEntries(hpal, 0, 256, pal_ents);
+	if( !palPtr ) return 0;
 
         for(i = 0; i < colors; i++, index++)
         {
-            colorTable[i].rgbRed = pal_ents[*index].peRed;
-            colorTable[i].rgbGreen = pal_ents[*index].peGreen;
-            colorTable[i].rgbBlue = pal_ents[*index].peBlue;
+	    if( *index > palPtr->logpalette.palNumEntries )
+		entry = palPtr->logpalette.palNumEntries;
+	    else
+		entry = *index;
+
+            colorTable[i].rgbRed = palPtr->logpalette.palPalEntry[entry].peRed;
+            colorTable[i].rgbGreen = palPtr->logpalette.palPalEntry[entry].peGreen;
+            colorTable[i].rgbBlue = palPtr->logpalette.palPalEntry[entry].peBlue;
             colorTable[i].rgbReserved = 0;
         }
+	GDI_ReleaseObj( hpal );
     }
     return colorTable;
 }
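Review bot: The bounds check inside the loop is off by one, so the out-of-range read can still happen. `if( *index > palPtr->logpalette.palNumEntries )` lets `*index == palNumEntries` through, and the clamp `entry = palPtr->logpalette.palNumEntries;` itself selects the slot one past the last valid entry, since valid indexes into palPalEntry run from 0 to palNumEntries - 1. Suggest comparing with `>=` and clamping to `palNumEntries - 1`, with a separate path for a palette where palNumEntries is 0 (for example writing a zeroed colour) so the clamped value cannot become -1. As a style point, the added lines are indented with tabs while the surrounding context uses spaces.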


