https://bugs.winehq.org/show_bug.cgi?id=44864
--- Comment #1 from Stefan Dösinger stefan@codeweavers.com --- I can reproduce the problem, thanks for finding the demo!
The issue appears to be that the app creates a 65532 byte sized buffer, but then tells us that it wrote 64 MB worth of vertices into it. We try to copy the data into the d3d vertex buffer that will be used as the source for wined3d_process_vertices and crash.
Before this patch SetExecuteData would just store the values in the D3DEXECUTEBUFFERDESC structure for future reference and read data only as required by D3DOP_PROCESSVERTICES ops in IDirect3DExecuteBuffer::Execute. As long as the D3DOP_PROCESSVERTICES parameters were OK everything was fine.
I'll investigate if we're supposed to return an error in SetExecuteData. If that's not the case the correct solution may be to delay the data copy until D3DOP_PROCESSVERTICES is executed or clamp the copy to the size of the execute buffer.