https://bugs.winehq.org/show_bug.cgi?id=57306
Bug ID: 57306
Summary: Commit 5924ab4c515 breaks Nikon NX Studio due to memory corruption
Product: Wine
Version: 9.19
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: christoph.bartoschek@gmail.com
Distribution: ---
Nikon NX Studio is crashing with errors like the following one since commit 5924ab4c515:
0024:fixme:uxtheme:BufferedPaintInit Stub ()
double free or corruption (out)
0024:err:seh:call_seh_handlers invalid frame 00007FFFFE0FECD0 (0000000000022000-0000000000120000)
0024:err:seh:NtRaiseException Exception frame is not in stack limits => unable to dispatch exception.
By adding enough debug logs I see that:
- In function dibdrv_RoundRect from dlls/win32u/dibdrv/graphics.c, max_points becomes 30.
- Then top_points is allocated at size 15.
- The first call to get_arc_points returns 4:
  count = get_arc_points( dc, AD_CLOCKWISE, &rect, start, end, top_points );
- The second time it is called with top_points + counter, which is &top_points[4].
- Inside get_arc_points, count becomes 8:
  count = generate_ellipse_top_half( dc, width, height, points );
- Then the loop to calculate points starts with pos = count and has 4 iterations.
- The last write is to points[8+3] = points[11] = top_points[11 + 4] = top_points[15].
- top_points[15] is beyond the allocated array and it corrupts memory metadata.
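The arithmetic in the report is the classic shape of a heap overflow where a point generator is handed an offset pointer into a fixed-size buffer but never told how much room is left. The following C program is an added example, not Wine's code: it models the two calls with hypothetical functions (gen_arc_checked, last_index_written, round_rect_points) using the counts from the report (buffer of max_points/2 = 15, first call 4 points, second call 8 + 4 points) and shows both the index the unchecked pattern would reach and a capacity-passing variant that refuses the second write instead of overflowing.

```c
#include <stddef.h>
#include <stdlib.h>

typedef struct { long x, y; } POINT;

/* Hypothetical model of get_arc_points as described in the report: the callee
 * first emits `half` points (the generate_ellipse_top_half part), then a loop
 * starting at pos = half emits `extra` more. Unlike the pattern in the report,
 * it receives the remaining `capacity` and returns -1 instead of writing past it. */
static int gen_arc_checked(POINT *points, size_t capacity, int half, int extra)
{
    if (half < 0 || extra < 0) return -1;
    if ((size_t)half + (size_t)extra > capacity) return -1;   /* would overflow */
    for (int i = 0; i < half; i++) { points[i].x = i; points[i].y = 0; }
    for (int pos = half; pos < half + extra; pos++) { points[pos].x = pos; points[pos].y = 1; }
    return half + extra;
}

/* Highest index into the caller's buffer that the unchecked second call would
 * touch: first_count + half + extra - 1. Computed, not written, so it is safe
 * to evaluate even for the overflowing case. */
static long last_index_written(int first_count, int half, int extra)
{
    return (long)first_count + half + extra - 1;
}

/* Caller mirroring the allocation in the report: the buffer holds max_points/2
 * POINTs and the second generator call starts at buffer + count.
 * Returns 1 if both calls fit (total written in *total_out), 0 if the second
 * call was refused because it would not fit, -1 on allocation failure. */
static int round_rect_points(int max_points, int first_count, int half, int extra, int *total_out)
{
    size_t cap = (size_t)max_points / 2;
    POINT *top = calloc(cap ? cap : 1, sizeof *top);
    if (!top) return -1;

    int count = gen_arc_checked(top, cap, first_count, 0);
    if (count < 0) { free(top); return 0; }

    int n = gen_arc_checked(top + count, cap - (size_t)count, half, extra);
    if (n < 0) { free(top); return 0; }
    count += n;

    *total_out = count;
    free(top);
    return 1;
}

int main(void)
{
    int total = 0;
    /* Report's numbers: 15 slots, 4 + (8 + 4) = 16 points, last index 15. */
    long idx = last_index_written(4, 8, 4);            /* 15, one past a 15-slot buffer */
    int ok = round_rect_points(30, 4, 8, 4, &total);   /* 0: second call refused */
    return (idx == 15 && ok == 0) ? 0 : 1;
}
```

The fix direction this models is to make the callee aware of the remaining capacity (or size the buffer for the sum of both calls) rather than trusting that max_points/2 covers two arcs; whichever way the real patch goes, running the original reproducer under a heap checker such as ASan or glibc's MALLOC_CHECK_ will confirm the out-of-bounds write at top_points[15] before the allocator metadata is corrupted.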