http://bugs.winehq.org/show_bug.cgi?id=9731
Summary: GdiConvertToDevmodeW trying to copy -32 bytes on memcpy
Product: Wine
Version: 0.9.45.
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: wine-gdi-(printing)
AssignedTo: wine-bugs@winehq.org
ReportedBy: myxfce@gmail.com
Created an attachment (id=8168) --> (http://bugs.winehq.org/attachment.cgi?id=8168) Crash report
I'm having problems running an old Win 3.11 game named Mortuum. Wine crashes before the game starts. After some debugging, I noticed the crash happens in file gdi32/driver.c in the function DEVMODEW * WINAPI GdiConvertToDevmodeW(const DEVMODEA *dmA).
This function tries to memcpy bytes from the structure dmA to the structure dmW (which was allocated by a HeapAlloc()). Unfortunately, it tries to copy -32 bytes because dmA->dmSize is 0 bytes and CCHDEVICENAME is 32 bytes. I've attached a small piece of code that shows where the memcpy is done, around line 425 of that file.
    ...
    dmW = HeapAlloc(GetProcessHeap(), 0, dmW_size + dmA->dmDriverExtra);
    if (!dmW) return NULL;

    MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmDeviceName, CCHDEVICENAME,
                        dmW->dmDeviceName, CCHDEVICENAME);

    //===============================CRASH=========================
    /* copy slightly more, to avoid long computations */
    memcpy(&dmW->dmSpecVersion, &dmA->dmSpecVersion, dmA->dmSize - CCHDEVICENAME);
    //===============================CRASH=========================

    if (dmA->dmSize >= (const char *)dmA->dmFormName - (const char *)dmA + CCHFORMNAME)
    {
        MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmFormName, CCHFORMNAME,
                            dmW->dmFormName, CCHFORMNAME);
        if (dmA->dmSize > (const char *)&dmA->dmLogPixels - (const char *)dmA)
            memcpy(&dmW->dmLogPixels, &dmA->dmLogPixels,
                   dmA->dmSize - ((const char *)&dmA->dmLogPixels - (const char *)dmA));
    }
    ...
I tried to debug further to find the root of the problem (why dmA->dmSize is 0), but there were too many calls and I couldn't figure out where the dmA structure was allocated and populated.
I've attached the crash report; if you need the game to test, just ask, it's freeware. Tested on 0.9.44 and 0.9.45.
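The failure the report describes is an unsigned length wrap: dmA->dmSize is a 16-bit field, so dmSize - CCHDEVICENAME evaluates to -32 as an int and becomes SIZE_MAX - 31 when memcpy takes it as a size_t. The following is an added example written for this page, not Wine's code: it reproduces the length computation on a constructed, simplified DEVMODE-like layout (the struct definitions, the function names unchecked_copy_len and convert_devmode_checked, and the sample values are all hypothetical stand-ins, not the Windows header or the gdi32 implementation) and shows the range check on dmSize that a defensive conversion would perform before any subtraction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CCHDEVICENAME 32

/* Constructed stand-ins for the ANSI and wide DEVMODE prefixes (hypothetical
 * layout, not the Windows header): a device-name buffer followed by the
 * fixed header fields that the report's memcpy starts copying from. */
typedef struct {
    char     dmDeviceName[CCHDEVICENAME];
    uint16_t dmSpecVersion;
    uint16_t dmDriverVersion;
    uint16_t dmSize;
    uint16_t dmDriverExtra;
    uint32_t dmFields;
} devmode_a;

typedef struct {
    uint16_t dmDeviceName[CCHDEVICENAME];   /* WCHAR stand-in */
    uint16_t dmSpecVersion;
    uint16_t dmDriverVersion;
    uint16_t dmSize;
    uint16_t dmDriverExtra;
    uint32_t dmFields;
} devmode_w;

/* The length expression from the report, as memcpy receives it: uint16_t
 * promotes to int, 0 - 32 gives -32, and converting -32 to size_t yields
 * SIZE_MAX - 31, so memcpy is asked to copy almost the whole address space. */
size_t unchecked_copy_len(const devmode_a *dmA)
{
    return (size_t)(dmA->dmSize - CCHDEVICENAME);
}

/* Hardened version: validate dmSize against the fixed layout before it takes
 * part in any subtraction, and bound it by the source structure, so the copy
 * length can neither wrap nor overrun. Returns 0 on success, -1 if dmA is
 * malformed (for example dmSize == 0 as in the report). */
int convert_devmode_checked(const devmode_a *dmA, devmode_w *dmW)
{
    /* Smallest dmSize that still contains the header fields through dmDriverExtra. */
    const size_t min_size = offsetof(devmode_a, dmDriverExtra) + sizeof(dmA->dmDriverExtra);
    size_t size = dmA->dmSize;

    if (size < min_size || size > sizeof(*dmA))
        return -1;

    memset(dmW, 0, sizeof(*dmW));
    for (size_t i = 0; i < CCHDEVICENAME; i++)             /* ASCII-only widening stand-in */
        dmW->dmDeviceName[i] = (unsigned char)dmA->dmDeviceName[i];

    /* The tail after the name has the same layout in both structures, so this
     * mirrors the report's copy, now with a length known to be in range. */
    memcpy(&dmW->dmSpecVersion, &dmA->dmSpecVersion, size - CCHDEVICENAME);

    /* The wide structure is larger by the difference in name buffer sizes. */
    dmW->dmSize = (uint16_t)(size + sizeof(dmW->dmDeviceName) - sizeof(dmA->dmDeviceName));
    return 0;
}

int main(void)
{
    devmode_a bad = {0};          /* dmSize == 0: the situation from the report */
    devmode_a good = {0};
    devmode_w out;

    good.dmSize = (uint16_t)sizeof(good);
    good.dmSpecVersion = 0x0401;  /* constructed sample value */

    printf("unchecked length for dmSize=0: %zu\n", unchecked_copy_len(&bad));
    printf("checked convert, dmSize=0:  %d\n", convert_devmode_checked(&bad, &out));
    printf("checked convert, valid:     %d (dmSpecVersion=0x%04x, dmSize=%u)\n",
           convert_devmode_checked(&good, &out), out.dmSpecVersion, out.dmSize);
    return 0;
}
```

The check is deliberately placed on the raw dmSize value rather than on the computed length: once the subtraction has happened the result is already a huge size_t, and comparing it against the destination size would pass for no value and fail to explain why. Rejecting the structure up front also gives the caller a clean error instead of a crash inside memcpy, which is where the report's backtrace ends up.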