https://bugs.winehq.org/show_bug.cgi?id=47726
Bug ID: 47726
Summary: too many fonts cause memory corruption in Post Mortem and Still Life, need some limiting
Product: Wine
Version: 4.15
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdi32
Assignee: wine-bugs@winehq.org
Reporter: zakarjor@yahoo.com
Distribution: ---
I upgraded to Fedora 30 x86_64, and I now have a lot more fonts (lots of multilingual fonts) than before.
When starting Post Mortem or Still Life, I get the following error:
wine: Unhandled page fault on read access to 0x3235363d at address 0x24036828 (thread 0009), starting debugger...
Running with WINEDEBUG=warn+heap I get:
0009:Call msvcrt.??@YAPAXI@Z(0000ffff) ret=2429ef15
0009:Call ntdll.RtlAllocateHeap(00410000,00000000,0000ffff) ret=7e558363
...
0009:Call msvcrt.??@YAPAXI@Z(00000000) ret=2429ef15
0009:Call ntdll.RtlAllocateHeap(00410000,00000000,00000000) ret=7e558363
0009:Call ntdll.RtlAllocateHeap() retval=00480270 ret=7e558363
...
0009:Call ntdll.RtlFreeHeap(00410000,00000000,00480270) ret=7e55842a
0009:err:heap:HEAP_ValidateInUseArena Heap 0x410000: block 0x480270 tail overwritten at 0x480270 (byte 0/24 == 0x33)
The register eax is supposed to be an address but looks like part of a font name in ASCII.
After going through the debugger, I found that there is a bug/limitation of a 64KB string size: when the list of font names is just below 64KB (0xffff) and one more character is appended, it goes over 64KB, but the size wraps around to 0 bytes, which causes the memory corruption.
It would be nice to have the gdi font module limit the number of fonts returned to the caller, or have some way to filter the type of fonts returned (e.g. not return any Linux fonts), which should be consistent with the Windows environment.
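The wraparound the report describes, as an added illustration that is not code from Wine or from the reporter: a string buffer whose length is stored in 16 bits, filled with constructed font names. wrapped_length() shows the arithmetic that turns 0xffff + 1 into 0 when the result is truncated to 16 bits; namelist_append() is a hypothetical checked append that rejects any name the 16-bit length cannot hold instead of wrapping and writing past the allocation. The namelist_t type, the NAMELIST_LIMIT constant and the "Font-NNNNN" names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical: the largest byte count a 16-bit length field can describe. */
#define NAMELIST_LIMIT 0xFFFFu

/* Hypothetical string type with a 16-bit length, modelled on the report. */
typedef struct {
    uint16_t len;   /* wraps to 0 at 0x10000 if arithmetic is unchecked */
    char *buf;      /* allocation of NAMELIST_LIMIT bytes */
} namelist_t;

void namelist_init(namelist_t *nl)
{
    nl->len = 0;
    nl->buf = calloc(NAMELIST_LIMIT, 1);
}

void namelist_free(namelist_t *nl)
{
    free(nl->buf);
    nl->buf = NULL;
    nl->len = 0;
}

/* The unchecked arithmetic from the report: a length just below 64KB plus a
 * few bytes, stored back into 16 bits, silently wraps. Pure arithmetic, no
 * memory is touched. wrapped_length(0xFFFF, 1) returns 0. */
uint16_t wrapped_length(uint16_t current, size_t added)
{
    return (uint16_t)(current + added); /* truncating conversion */
}

/* Checked append: the comparison is written as "added > remaining" so it can
 * never overflow itself; the caller gets false instead of a corrupted heap. */
bool namelist_append(namelist_t *nl, const char *name)
{
    size_t added = strlen(name) + 1;          /* name plus its terminator */
    size_t remaining = NAMELIST_LIMIT - nl->len;
    if (added > remaining)
        return false;                         /* would exceed the 16-bit length */
    memcpy(nl->buf + nl->len, name, added);
    nl->len = (uint16_t)(nl->len + added);    /* safe: proven <= NAMELIST_LIMIT */
    return true;
}

/* Appends constructed names "Font-00000", "Font-00001", ... (11 bytes each
 * with terminator) until the guard refuses; returns how many were stored.
 * 65535 / 11 = 5957 names, with 8 bytes left over that hold no further name. */
size_t fill_until_limit(void)
{
    namelist_t nl;
    char name[32];
    size_t count = 0;
    namelist_init(&nl);
    for (;;) {
        snprintf(name, sizeof name, "Font-%05zu", count);
        if (!namelist_append(&nl, name))
            break;
        count++;
    }
    namelist_free(&nl);
    return count;
}

/* The report's exact edge: the list sits just below 64KB, one more character
 * is appended. A one-character name plus terminator fits only when two bytes
 * remain; anything beyond that must be rejected, not wrapped. Returns 1 when
 * the guard behaves that way. */
int scenario_guard_holds(void)
{
    namelist_t nl;
    int ok;
    namelist_init(&nl);
    nl.len = 0xFFFD;                              /* two bytes of room left */
    ok = namelist_append(&nl, "a") && nl.len == 0xFFFF;   /* fits exactly */
    ok = ok && !namelist_append(&nl, "b") && nl.len == 0xFFFF; /* rejected */
    namelist_free(&nl);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("unchecked: 0xffff + 1 stored in 16 bits = %u\n", wrapped_length(0xFFFF, 1));
    printf("checked: %zu names fit below the 64KB limit\n", fill_until_limit());
    printf("guard holds at the boundary: %d\n", scenario_guard_holds());
    return 0;
}
```

The detail worth keeping from the checked version is the shape of the comparison: "added > remaining" is computed in size_t and cannot itself wrap, whereas testing "len + added > limit" after the fact would already have lost the high bits in a 16-bit field.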