wine3d3: Check the destination recangle when for FastBlt().
Stefan Dösinger
stefandoesinger at gmx.at
Tue Jul 31 08:30:11 CDT 2007
> I have taken another look at it. I still think this specific problem
> should be fixed in wined3d. The problem occurs because BltFast (ddraw,
> d3d and d3d-gdi) all take two DWORDs as the offset write position, and
> then later casts them into a RECT structure which has signed values.
> This must for any caller be considered an error. No caller could get
> anything useful out of this.
> lock_dst.left = dstx; <--- bad cast!
> lock_dst.top = dsty; <--- bad cast!
> lock_dst.right = dstx + w; <--- bad cast!
> lock_dst.bottom = dsty + h; <--- bad cast!
>
> Why does this not trigger a warning? Not sure.
Indeed this does not sound right. The unsigned to signed assignment doesn't
look right. However, a problem should only occur if the highest bit of the
DWORD is set, in which case this would be a very high value and would exeed
the surface dimensions. Such a huge surface can't be created without
exceeding the 2 GB userland VM size. Most likely the check in
dlls/ddraw/surface.c, line 2067 runs into a signedness issue too.
More information about the wine-devel
mailing list