http://bugs.winehq.org/show_bug.cgi?id=59680

Bernhard Übelacker <bernhardu@mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu@mailbox.org

--- Comment #7 from Bernhard Übelacker <bernhardu@mailbox.org> ---
Created attachment 80890
  --> http://bugs.winehq.org/attachment.cgi?id=80890
debugging_notepad.txt

Hello,
I found I could reproduce a crash with only notepad by just pasting "e๋"
into its edit area.

This appeared in a normal build inside GPOS_apply_MarkToMark.
And it also manifests in my ASan build like below:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f27270e0a9c at pc 0x6ffffcf616c9 bp 0x7ffffe20e2c0 sp 0x7ffffe20e308
READ of size 2 at 0x7f27270e0a9c thread T0
    #0 in ShapeCharGlyphProp_Thai .../dlls/gdi32/uniscribe/shape.c:3162
    #1 in SHAPE_CharGlyphProp .../dlls/gdi32/uniscribe/shape.c:3389
    #2 in ScriptShapeOpenType .../dlls/gdi32/uniscribe/usp10.c:3153
    #3 in ScriptShape .../dlls/gdi32/uniscribe/usp10.c:3252
    #4 in ScriptStringAnalyse .../dlls/gdi32/uniscribe/usp10.c:2047
    #5 in EDIT_UpdateUniscribeData_linedef .../dlls/comctl32_v6/edit.c
    ...
0x7f27270e0a9c is located 4 bytes before 68-byte region [0x7f27270e0aa0,0x7f27270e0ae4)

3162        pGlyphProp[i-dirL].sva.uJustification = SCRIPT_JUSTIFY_NONE;

With i=0 and dirL=1 the above line causes an access with a negative index.

In a test VM I got this "e๋" rendered as two characters.
I needed to install the package fonts-freefont-otf, then I still only got
this line, but notepad remained running:

err:seh:user_callback_handler ignoring exception c0000005

In total there were three locations which triggered such accesses.
The attached file contains some hacky modifications to get over these lines.
Maybe they are enough for the game to avoid the crashes.
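The negative index described in the comment, as an added C model that is not Wine's shape.c code: the type names, the dirL convention (+1 for LTR, -1 for RTL) and the sample glyph runs are assumptions, and the point is the range check before writing to pGlyphProp[i - dirL], which covers both the i=0/dirL=1 underflow from the report and the symmetric overflow at the end of a run.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal stand-ins for the Uniscribe types in the ASan trace; the shapes
   are assumptions for this example, not Wine's real definitions. */
#define SCRIPT_JUSTIFY_NONE      0
#define SCRIPT_JUSTIFY_CHARACTER 1

typedef struct { int uJustification; } GlyphProp;

#define THAI_MAI_TRI 0x0E4B   /* the combining mark in the pasted "e๋" */

/* Counts iterations in which the unguarded pattern pGlyphProp[i - dirL]
   would index outside [0, cGlyphs). Useful as a self-check in a test. */
int count_out_of_range(const unsigned short *chars, int cGlyphs, int dirL)
{
    int bad = 0;
    for (int i = 0; i < cGlyphs; i++) {
        if (chars[i] != THAI_MAI_TRI) continue;
        int target = i - dirL;
        if (target < 0 || target >= cGlyphs) bad++;
    }
    return bad;
}

/* Guarded version: clears justification on the glyph dirL positions before
   a mark, but skips the write when that index lies outside the buffer.
   Returns the number of writes actually performed. */
int apply_mark_justification(const unsigned short *chars, GlyphProp *props,
                             int cGlyphs, int dirL)
{
    int written = 0;
    for (int i = 0; i < cGlyphs; i++) {
        if (chars[i] != THAI_MAI_TRI) continue;
        int target = i - dirL;
        if (target < 0 || target >= cGlyphs) continue; /* no base in this run */
        props[target].uJustification = SCRIPT_JUSTIFY_NONE;
        written++;
    }
    return written;
}

/* Reported case (constructed): the mark is the only glyph of its run, so
   i = 0 and dirL = 1 give target index -1. Returns the untouched property. */
int demo_lone_mark(void)
{
    unsigned short run[] = { THAI_MAI_TRI };
    GlyphProp props[1] = { { SCRIPT_JUSTIFY_CHARACTER } };
    apply_mark_justification(run, props, 1, 1);
    return props[0].uJustification;
}

/* Normal case (constructed): base glyph followed by the mark; the base is
   cleared and the mark itself is left alone. Returns base*10 + mark. */
int demo_mark_with_base(void)
{
    unsigned short run[] = { 0x0E01, THAI_MAI_TRI };
    GlyphProp props[2] = { { SCRIPT_JUSTIFY_CHARACTER }, { SCRIPT_JUSTIFY_CHARACTER } };
    apply_mark_justification(run, props, 2, 1);
    return props[0].uJustification * 10 + props[1].uJustification;
}
```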