http://bugs.winehq.org/show_bug.cgi?id=59418 Bug ID: 59418 Summary: Potential off-by one in swapchain.c Product: Wine Version: 11.0 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: d3d Assignee: wine-bugs@list.winehq.org Reporter: Littlefighter1996@googlemail.com Distribution: --- I'm currently trying to integrate WineD3D into a Linux project of mine, to allow rendering of a D3D8 application with OpenGL. For that, I'm using WineD3D in a modified version as of 11.0 and am building it with sanitizers enabled. For this, I'm reporting only one pixel format in GetPixelFormat. It being a hardcoded one, that will likely be present on most systems. (32-bit, 888, yada-yada). After the first frame is finished rendering, ASAN complains about line 596 being a heap use-after-free in the NVIDIA .so. Looking at what happens, in swapchain.c, the pixel_format at line 594, after "Presenting DC", is obtained from the context_gl->pixel_format field. pixel_format = &wined3d_adapter_gl(swapchain->device->adapter)->pixel_formats[context_gl->pixel_format]; This line seems suspicious to me, at the point where it gets set line 1907, the returned pixel format is directly the one from ChoosePixelFormat, which is 1 index-based according to documentation. This leads me to the assumption, that this is a mistake that has went overlooked, because most of the time more than one pixel format is returned. From my understanding, the line should read: pixel_format = &wined3d_adapter_gl(swapchain->device->adapter)->pixel_formats[context_gl->pixel_format - 1]; ASAN doesn't complain about that part anymore afterwards. I'd suggest to decrease -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.