https://bugs.winehq.org/show_bug.cgi?id=41086
wine-devel@hurrikhan.eu changed:
What    Removed    Added
----------------------------------------------------------------------------
CC                 wine-devel@hurrikhan.eu
--- Comment #8 from wine-devel@hurrikhan.eu ---
Created attachment 55744 --> https://bugs.winehq.org/attachment.cgi?id=55744
With stack trace
locale__Locimp__Locimp_Addfac is called with 'id' set to 4125123688 = 0xF5E06468:
void __cdecl locale__Locimp__Locimp_Addfac(locale__Locimp *locimp, locale_facet *facet, MSVCP_size_t id)
If id is bigger than what is currently supported in 'facet', it tries to grow 'facet' to that size ... and of course it blows up.
Actually the math overflows before the call, which may result in successful allocation of a (bogus) very small size (i.e.: 0x0007fffe 00000001, truncated into 00000001).
One may want to add something like "if( ( <MSVCP_size_t_MAX> / sizeof(locale_facet*)) < new_size ) { complain }"
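An added example of the kind of guard proposed in the comment above. It is not Wine's code and not the commenter's patch: the locale__Locimp and locale_facet types are hypothetical stand-ins for the msvcp structures, and MSVCP_size_t is assumed to be size_t. The growth routine rejects an id for which either id + 1 or new_size * sizeof(locale_facet*) would wrap in MSVCP_size_t, so the allocator never receives a truncated byte count, and the existing array is left untouched on rejection.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the msvcp types (assumption, not Wine's definitions). */
typedef size_t MSVCP_size_t;
typedef struct locale_facet { int refs; } locale_facet;
typedef struct locale__Locimp {
    locale_facet **facetvec;   /* array of facet pointers, indexed by id */
    MSVCP_size_t facet_cnt;    /* number of slots currently in facetvec */
} locale__Locimp;

/* Returns 1 if new_size * sizeof(locale_facet*) cannot be represented in
 * MSVCP_size_t, i.e. the byte count handed to the allocator would wrap.
 * This is the "(MSVCP_size_t_MAX / sizeof(locale_facet*)) < new_size" test. */
int facet_bytes_overflow(MSVCP_size_t new_size)
{
    return ((MSVCP_size_t)-1 / sizeof(locale_facet*)) < new_size;
}

/* Guarded growth (hypothetical name). Returns 0 on success, -1 when the
 * requested id cannot be accommodated: index arithmetic would wrap, or the
 * allocator refused. On -1 the vector is left exactly as it was. */
int checked_Locimp_Addfac(locale__Locimp *locimp, locale_facet *facet, MSVCP_size_t id)
{
    if (id >= locimp->facet_cnt) {
        MSVCP_size_t new_size;
        locale_facet **grown;

        if (id == (MSVCP_size_t)-1)          /* id + 1 would wrap to 0 */
            return -1;
        new_size = id + 1;
        if (facet_bytes_overflow(new_size))   /* new_size * sizeof would wrap */
            return -1;

        grown = realloc(locimp->facetvec, new_size * sizeof(locale_facet*));
        if (!grown)
            return -1;
        /* Zero the slots that did not exist before so lookups see NULL. */
        memset(grown + locimp->facet_cnt, 0,
               (new_size - locimp->facet_cnt) * sizeof(locale_facet*));
        locimp->facetvec = grown;
        locimp->facet_cnt = new_size;
    }
    locimp->facetvec[id] = facet;
    return 0;
}

void Locimp_free(locale__Locimp *locimp)
{
    free(locimp->facetvec);
    locimp->facetvec = NULL;
    locimp->facet_cnt = 0;
}

int main(void)
{
    locale__Locimp li = { NULL, 0 };
    locale_facet f = { 1 };
    int ok = checked_Locimp_Addfac(&li, &f, 4);                 /* grows to 5 slots */
    int rejected = checked_Locimp_Addfac(&li, &f, (MSVCP_size_t)-1);  /* id + 1 wraps */
    Locimp_free(&li);
    return (ok == 0 && rejected == -1) ? 0 : 1;
}
```

On a 32-bit build, where MSVCP_size_t is 32 bits, the id from the report (0xF5E06468) fails facet_bytes_overflow, since 0xF5E06469 exceeds 0xFFFFFFFF / 4; on a 64-bit build the multiplication does not wrap and it is the allocator that has to refuse the request.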