[Bug 19819] New: Small bug in TranslateCharsetInfo
http://bugs.winehq.org/show_bug.cgi?id=19819

Summary: Small bug in TranslateCharsetInfo
Product: Wine
Version: 1.1.28
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdi32
AssignedTo: wine-bugs(a)winehq.org
ReportedBy: grschneider(a)gmail.com

TranslateCharsetInfo (dlls/gdi32/font.c:2596) works on an array FONT_tci of size 32 and may access this array with the index 32 - out of bounds. The loops in lines 2602 and 2605 first access the array with an incremented index and check afterwards; this may lead to the described behaviour. The order access then check has to be swapped in those three cases to fix this. C won't access the arrays then because of lazy evaluation.

Example loop:

2602 while (PtrToUlong(lpSrc) != FONT_tci[index].ciACP && index < MAXTCIINDEX) index++;

index = 31, 31 < 32 (true), 31++, FONT_tci[32].ciACP -> crash

Can't provide a patch atm, I hope this description is enough.

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=19819

Dmitry Timoshkov <dmitry(a)codeweavers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Platform|All                         |Other
         OS/Version|All                         |other
http://bugs.winehq.org/show_bug.cgi?id=19819

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Nikolay Sivov <bunglehead(a)gmail.com> 2009-10-20 10:41:56 ---

Fixed by commit:
http://source.winehq.org/git/wine.git/?a=commit;h=dd0a7078e0acd55f9cc5ac0afb...
http://bugs.winehq.org/show_bug.cgi?id=19819

Dmitry Timoshkov <dmitry(a)codeweavers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
         Resolution|FIXED                       |

--- Comment #2 from Dmitry Timoshkov <dmitry(a)codeweavers.com> 2009-10-21 11:15:35 ---

(In reply to comment #1)
> Fixed by commit:
> http://source.winehq.org/git/wine.git/?a=commit;h=dd0a7078e0acd55f9cc5ac0afb...
This is the first version of the patch, which is not correct. It does fix the overrun but breaks the logic. See my comment on wine-devel.
http://bugs.winehq.org/show_bug.cgi?id=19819

--- Comment #3 from Nikolay Sivov <bunglehead(a)gmail.com> 2009-10-21 11:21:54 ---

(In reply to comment #2)
> (In reply to comment #1)
> > Fixed by commit:
> > http://source.winehq.org/git/wine.git/?a=commit;h=dd0a7078e0acd55f9cc5ac0afb...
>
> This is the first version of the patch, which is not correct. It does fix the
> overrun but breaks the logic. See my comment on wine-devel.
Actually, after a second look I don't think it breaks anything. The '>=' condition is there without this patch too; it should be ==. The last iteration could be MAXTCIINDEX-1; after that it will be MAXTCIINDEX, and it's the same as before. Could you describe a problem?
http://bugs.winehq.org/show_bug.cgi?id=19819

Dmitry Timoshkov <dmitry(a)codeweavers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Dmitry Timoshkov <dmitry(a)codeweavers.com> 2009-10-21 11:28:06 ---

Ah, I must be blind. 'index >= MAXTCIINDEX' does trigger, of course, after the while() loop.
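The following is an added illustration of the defect described in the report and of the after-loop bound check discussed in comments #3 and #4; it is not Wine's code and not the patch linked above. It models only the ciACP field of the table, fills it with constructed values, and keeps one extra guard slot behind the logical end of the table so that the out-of-bounds read of the "access then check" ordering lands on memory the program owns and can be counted, rather than being undefined behaviour. The names MAXTCIINDEX, ciACP and FONT_tci-style lookups are taken from the bug text; everything else (read_acp, probe, the guard slot) is made up for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not Wine's code. MAXTCIINDEX and the ciACP field mirror
 * the names used in the bug report; the table contents below are made up. */
#define MAXTCIINDEX 32

typedef struct {
    unsigned int ciACP;   /* ANSI code page, the field the search loop compares */
} tci_entry;

/* Largest index any search has touched, so the caller can observe whether a
 * loop stepped past the logical end of the table. */
static size_t max_index_touched;

static unsigned int read_acp(const tci_entry *tbl, size_t index)
{
    if (index > max_index_touched) max_index_touched = index;
    return tbl[index].ciACP;
}

/* The ordering from the report: dereference first, check the bound second.
 * When nothing matches, the last iteration reads tbl[n] before `index < n`
 * gets a chance to stop the loop. */
static int find_acp_access_then_check(const tci_entry *tbl, size_t n, unsigned int acp)
{
    size_t index = 0;
    while (read_acp(tbl, index) != acp && index < n) index++;
    return index < n ? (int)index : -1;   /* -1 plays the role of the `index >= MAXTCIINDEX` failure path */
}

/* The fix the report asks for: check the bound first. `&&` evaluates left to
 * right and stops at the first false operand, so tbl[n] is never read. */
static int find_acp_check_then_access(const tci_entry *tbl, size_t n, unsigned int acp)
{
    size_t index = 0;
    while (index < n && read_acp(tbl, index) != acp) index++;
    return index < n ? (int)index : -1;
}

/* Backing store with one guard slot past the logical end (constructed so the
 * buggy loop's overrun is observable instead of undefined). */
static tci_entry store[MAXTCIINDEX + 1];

static void init_store(void)
{
    for (size_t i = 0; i < MAXTCIINDEX; i++) store[i].ciACP = 1000 + (unsigned int)i;
    store[MAXTCIINDEX].ciACP = 0;   /* guard slot, never a valid entry */
}

/* Runs the given searcher for a code page that is not in the table and
 * returns the highest index it touched. */
static size_t probe(int (*search)(const tci_entry *, size_t, unsigned int))
{
    init_store();
    max_index_touched = 0;
    search(store, MAXTCIINDEX, 9999);
    return max_index_touched;
}

int main(void)
{
    printf("access-then-check touches index %zu (table size %d)\n",
           probe(find_acp_access_then_check), MAXTCIINDEX);
    printf("check-then-access touches index %zu\n",
           probe(find_acp_check_then_access));
    return 0;
}
```

With the guard slot in place the first search reports index 32 for a 32-entry table, which is exactly the FONT_tci[32] read the report describes; the swapped loop stops at 31. The `index < n ? index : -1` return shows why the reordering does not change the not-found behaviour that comments #3 and #4 settle on: the loop still leaves `index` equal to `n` when nothing matches, so the existing `>=` test after the loop keeps working.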
http://bugs.winehq.org/show_bug.cgi?id=19819

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Alexandre Julliard <julliard(a)winehq.org> 2009-10-23 13:19:24 ---

Closing bugs fixed in 1.1.32.