[PATCH v3 0/1] MR9956: wined3d: Check invalid addresses when copying buffer objects.
When a thread that created windows is being closed, the destination buffer address might be NULL. For example:

1. context_gl->internal_format_set is set to 1 in wined3d_context_gl_set_pixel_format().
2. A thread gets destroyed, all the windows in the thread get destroyed.
3. wined3d_context_gl_set_pixel_format() fails because WindowFromDC() returns NULL.
4. get_dc_pixel_format() fails in win32u_wglMakeContextCurrentARB().
5. wined3d_buffer_gl_create_buffer_object() fails to create a buffer object.
6. wined3d_buffer_get_memory() returns a struct wined3d_bo_address with addr being NULL.

Adding a NULL check in wined3d_context_gl_copy_bo_address() avoids triggering write segfaults when terminating a thread. This could happen for React Native applications.

--
v3: wined3d: Reset internal format when using the backup DC.

https://gitlab.winehq.org/wine/wine/-/merge_requests/9956
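The stale-flag path described in the cover letter, as an added example that is not Wine's code: `ctx_model`, `model_set_pixel_format` and `model_use_backup_dc` are hypothetical simplifications of the wined3d context state and of the `(!current && internal_format_set)` check discussed later in the thread, used only to show why the backup DC ends up without a pixel format unless the flag is cleared.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model (not Wine's code) of the two pieces of context state
 * the MR touches and the DC format that wglGetPixelFormat() would report. */
struct ctx_model {
    int format;              /* pixel format this context wants */
    bool internal_format_set;
    bool dc_has_format;
    int dc_current_format;   /* 0 means "the DC has no format yet" */
};

/* Mirrors the check quoted from wined3d_context_gl_set_pixel_format():
 * report success if the DC already has our format, OR if it reports no
 * format but we believe we set one earlier. In the second case nothing
 * is written to the DC, which is the bug when the DC is a fresh backup. */
static bool model_set_pixel_format(struct ctx_model *c, bool *format_applied)
{
    *format_applied = false;
    if (c->dc_current_format == c->format ||
        (!c->dc_current_format && c->internal_format_set))
        return true;         /* "goto success" without touching the DC */
    c->dc_current_format = c->format;
    *format_applied = true;
    return true;
}

/* Switching to the backup DC; reset_flag selects pre-patch vs patched. */
static void model_use_backup_dc(struct ctx_model *c, bool reset_flag)
{
    c->dc_has_format = false;
    c->dc_current_format = 0;                 /* fresh DC, no format yet */
    if (reset_flag)
        c->internal_format_set = false;       /* the line the MR adds */
}

/* Start from a context whose original DC had the format set (step 1 of the
 * cover letter), fall back to the backup DC, and report whether the backup
 * DC actually received a format. */
bool backup_dc_gets_format(bool patched)
{
    struct ctx_model c = { .format = 7, .internal_format_set = true,
                           .dc_has_format = true, .dc_current_format = 7 };
    bool applied;
    model_use_backup_dc(&c, patched);
    model_set_pixel_format(&c, &applied);
    return applied;
}
```

Without the reset the stale flag short-circuits the check and the backup DC keeps no format, which is the state that later leaves the buffer object uncreated.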
From: Zhiyi Zhang <zzhang@codeweavers.com> When internal_format_set is set, wined3d_context_gl_set_pixel_format () using the backup DC may fail in wined3d_context_gl_set_gl_context(). This avoids a possible NULL pointer reference in wined3d_context_gl_copy_bo_address() when a thread is being terminated because the buffer object was not created due to wrong format. --- dlls/wined3d/context_gl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/dlls/wined3d/context_gl.c b/dlls/wined3d/context_gl.c index fc480f5a440..730c6db94aa 100644 --- a/dlls/wined3d/context_gl.c +++ b/dlls/wined3d/context_gl.c @@ -1256,6 +1256,7 @@ static BOOL wined3d_context_gl_set_gl_context(struct wined3d_context_gl *context TRACE("Using backup DC %p.\n", context_gl->dc); context_gl->dc_is_private = TRUE; context_gl->dc_has_format = FALSE; + context_gl->internal_format_set = FALSE; if (!wined3d_context_gl_set_pixel_format(context_gl)) { -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/9956
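Review bot: The added `context_gl->internal_format_set = FALSE;` in the backup-DC branch of wined3d_context_gl_set_gl_context() carries no comment, so a reader of the hunk alone cannot tell why clearing the flag is required; the reason (wined3d_context_gl_set_pixel_format() treats `!current && context_gl->internal_format_set` as success and then never applies a format to the fresh backup DC) lives only in the commit message and discussion. Suggest a one-line comment above the new line, e.g. `/* The backup DC has no format yet; do not let the stale flag skip set_pixel_format(). */`, and, since the discussion notes this reset caused test failures addressed in !10024, referencing that follow-up in the commit message so the two land together.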
v2: Reset `internal_format_set` instead. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9956#note_128482
On Tue Jan 27 03:25:58 2026 +0000, Zhiyi Zhang wrote:
We are falling back to the backup DC in this case. It's just that using the backup DC failed as well.

```
01ec:err:d3d:wined3d_context_gl_set_gl_context Fallback to backup window (dc 000000001701004A) failed too, last error 0x7d0.
```

The reason why this happens with the backup DC is that in the following if condition in wined3d_context_gl_set_pixel_format(), current is 0, and context_gl->internal_format_set is 1 due to step 1. The check was introduced by 8da023fe.

```
current = gl_info->gl_ops.wgl.p_wglGetPixelFormat(dc);
if ((current == format) || (!current && context_gl->internal_format_set))
    goto success;
```

Another way to avoid the crash is to reset internal_format_set to FALSE when using the backup DC in wined3d_context_gl_set_gl_context(). Is the following change better?

```
TRACE("Using backup DC %p.\n", context_gl->dc);
context_gl->dc_is_private = TRUE;
context_gl->dc_has_format = FALSE;
+ context_gl->internal_format_set = FALSE;
```

Sorry for the delay. Yeah, that makes sense, and I certainly like it better.

In theory, dc_has_format is basically the equivalent of internal_format_set for backup DCs (and yeah, the naming here sucks). But we do want to reset internal_format_set or prevent checking it if we were using a valid DC and then had to switch to the backup DC. So this looks good to me. However it caused test failures, so I sent !10024 that fixes those as well.

--
https://gitlab.winehq.org/wine/wine/-/merge_requests/9956#note_128726
On Tue Feb 3 23:43:42 2026 +0000, Elizabeth Figura wrote:
Sorry for the delay. Yeah, that makes sense, and I certainly like it better.

In theory, dc_has_format is basically the equivalent of internal_format_set for backup DCs (and yeah, the naming here sucks). But we do want to reset internal_format_set or prevent checking it if we were using a valid DC and then had to switch to the backup DC. So this looks good to me. However it caused test failures, so I sent !10024 that fixes those as well.

Thanks!
-- https://gitlab.winehq.org/wine/wine/-/merge_requests/9956#note_128735
This merge request was closed by Zhiyi Zhang. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9956
participants (3)
- Elizabeth Figura (@zfigura)
- Zhiyi Zhang
- Zhiyi Zhang (@zhiyi)