[PATCH 5/5] user32: Correctly calculate the client size of a minimized window.

Zebediah Figura z.figura12 at gmail.com
Thu Dec 21 09:36:32 CST 2017


On 12/21/2017 09:22 AM, Alexandre Julliard wrote:
> Zebediah Figura <z.figura12 at gmail.com> writes:
> 
>> Signed-off-by: Zebediah Figura <z.figura12 at gmail.com>
>> ---
>> This mitigates an intermittent failure in the tests for LockWindowUpdate() on
>> the testbot, reducing it from a crash to a normal failure. For as-yet
>> undetermined reasons, the test window is being minimized, causing GetPixel()
>> to attempt to access memory around (-32000,-32000) pixels outside of the
>> window's actual bitmap.
> 
> No matter how screwed up the window position may be, it shouldn't access
> memory outside of the bitmap. Any chance you could write a test
> reproducing this crash?
> 

Sure. I've attached a simple test program that creates a window,
minimizes it, and tries to get the pixel at (10,10). On my machine this
crashes with the backtrace below. dibdrv_GetPixel() only appears to test
whether the requested pixel is within the bounds of the DIB rect
relative to the position of the DIB rect, so it doesn't prevent this.

window: (-32000,-32000)-(-31968,-31968)
client: (0,0)-(32,32)
wine: Unhandled page fault on read access to 0x7e0c769c at address 0x7ebfa5fd (thread 0009), starting debugger...
Unhandled exception: page fault on read access to 0x7e0c769c in 32-bit code (0x7ebfa5fd).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7ebfa5fd ESP:0061fcac EBP:0061fce8 EFLAGS:00010207(  R- --  I   - -P-C)
 EAX:7e4aec9c EBX:0000000a ECX:001287b4 EDX:ffc18a00
 ESI:001287b4 EDI:001287a8
Stack dump:
0x0061fcac:  7ebf1750 001287b4 0000000a 0000000a
0x0061fcbc:  7b63a000 0000000a 0000000a 0000000a
0x0061fccc:  70a93e00 00126d88 00010010 7ebf167b
0x0061fcdc:  0011d5f0 0000000a 001283d8 0061fd08
0x0061fcec:  7ebec9b3 001287a8 0000000a 0000000a
0x0061fcfc:  7ebec9f5 0000000a 0000000a 0061fd38
Backtrace:
=>0 0x7ebfa5fd get_pixel_32+0x1d(dib=<is not available>, x=<is not available>, y=<is not available>)
[/home/hazel/git/wine32/dlls/gdi32/../../../wine/dlls/gdi32/dibdrv/primitives.c:2009]
in gdi32 (0x0061fce8)
  1 0x7ebf1750 dibdrv_GetPixel+0xdf(dev=0x1287a8, x=0xa, y=0xa)
[/home/hazel/git/wine32/dlls/gdi32/../../../wine/dlls/gdi32/dibdrv/graphics.c:1123]
in gdi32 (0x0061fce8)
  2 0x7ebec9b3 windrv_GetPixel+0x62(dev=<is not available>, x=0xa, y=0xa)
[/home/hazel/git/wine32/dlls/gdi32/../../../wine/dlls/gdi32/dibdrv/dc.c:793]
in gdi32 (0x0061fd08)
  3 0x7ec562b7 GetPixel+0x66(hdc=<couldn't compute location>, x=<couldn't compute location>, y=<couldn't compute location>)
[/home/hazel/git/wine32/dlls/gdi32/../../../wine/dlls/gdi32/painting.c:495]
in gdi32 (0x0061fd38)
  4 0x004016fe in gptest (+0x16fd) (0x0061fdc8)
  5 0x0040291d in gptest (+0x291c) (0x0061fde8)
  6 0x004013e2 in gptest (+0x13e1) (0x0061fec0)
  7 0x7b461f8c call_process_entry+0xb() in kernel32 (0x0061fed8)
  8 0x7b463892 start_process+0x111(entry=<couldn't compute location>, peb=<couldn't compute location>)
[/home/hazel/git/wine32/dlls/kernel32/../../../wine/dlls/kernel32/process.c:1139]
in kernel32 (0x0061ffd8)
  9 0x7b461f9a start_process_wrapper+0x9() in kernel32 (0x0061ffec)
0x7ebfa5fd get_pixel_32+0x1d
[/home/hazel/git/wine32/dlls/gdi32/../../../wine/dlls/gdi32/dibdrv/primitives.c:2009]
in gdi32: movl       0x0(%eax,%edx,1),%eax
2009        return *ptr;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gptest.c
Type: text/x-csrc
Size: 849 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20171221/90b86f46/attachment.c>
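The out-of-bounds read above comes from a bounds check that consults the DC's rect but not the surface actually allocated. The following is an added example, not the attached gptest.c and not Wine's own code: a portable C model of that check beside a lookup that clips against the real allocation, using the 32x32 client rect from the mail; the structures and the 4x4 allocation size are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32bpp DIB surface, not Wine's own structures: 'bits'
 * is the real allocation, 'rect' is where the DC believes the surface sits in
 * device coordinates. In the minimized-window case the mail describes, the two
 * disagree. */
typedef struct { int left, top, right, bottom; } rect_t;
typedef struct {
    const uint32_t *bits;  /* width * height pixels, row-major */
    int width, height;     /* real dimensions of the allocation */
    rect_t rect;           /* device-space rectangle the DC reports */
} dib_t;

/* Rect-only test, the kind of check the mail says dibdrv_GetPixel() relies on. */
static bool inside_rect(const rect_t *r, int x, int y)
{
    return x >= r->left && x < r->right && y >= r->top && y < r->bottom;
}

/* Hardened lookup: translate to bitmap coordinates and clip against the real
 * allocation, refusing the read instead of touching memory outside it. */
static bool get_pixel_checked(const dib_t *dib, int x, int y, uint32_t *out)
{
    int bx = x - dib->rect.left, by = y - dib->rect.top;
    if (!inside_rect(&dib->rect, x, y)) return false;
    if (bx < 0 || by < 0 || bx >= dib->width || by >= dib->height) return false;
    *out = dib->bits[(size_t)by * dib->width + bx];
    return true;
}

/* Constructed mismatch: the DC reports the mail's 32x32 client rect, but only a
 * 4x4 surface was actually allocated (size assumed). Pixel (10,10) passes the
 * rect-only test and is refused by the checked one. */
static bool demo_minimized_mismatch(void)
{
    static const uint32_t bits[4 * 4] = { 0 };
    dib_t dib = { bits, 4, 4, { 0, 0, 32, 32 } };
    uint32_t px;
    return inside_rect(&dib.rect, 10, 10) && !get_pixel_checked(&dib, 10, 10, &px);
}

int main(void)
{
    printf("rect check passes, bounds check refuses: %s\n",
           demo_minimized_mismatch() ? "yes" : "no");
    return 0;
}
```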