http://bugs.winehq.org/show_bug.cgi?id=58782
Bug ID: 58782
Summary: Crash or freeze when drawing elliptic regions
Product: Wine
Version: 10.0
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: win32u
Assignee: wine-bugs@winehq.org
Reporter: rikul@inbox.ru
Distribution: ---
Created attachment 79427 --> http://bugs.winehq.org/attachment.cgi?id=79427 patch and examples
When I pass big values to the elliptic region functions or to the rounded rect functions, Wine crashes or freezes.
Usually we don't need to paint such large shapes, but an application can produce them during pan&zoom. Mostly they are off screen and we don't need them drawn properly, but we do need to avoid a freeze or crash.
The following commands reproduce the bug (example C code in the attachment):
// freeze on this command (test1.c): CreateEllipticRgn(0, 4, -600000000, 0);
// crash on this (test1.c): CreateEllipticRgn(0, 4, -600000000, 0);
// freeze too (test2.c): RoundRect(dc, -534431263, -25344, -108065219, -9065, 426366044, 16279);
I've studied the Wine sources and found several issues:
1. In file dlls/win32u/region.c in function NtGdiCreateRoundRectRgn:
There are several possible int and even int64 overflows. To make things work properly, `ellipse_width` and `ellipse_height` should be restricted to at most 2^19.
There can also be out-of-memory issues here, because this function tries to allocate `ellipse_height` rectangles. So, to prevent freezing or memory issues, it would be better to restrict `ellipse_height` to a smaller number.
2. In file dlls/win32u/dibdrv/graphics.c in function dibdrv_RoundRect:
There, (ellipse_width + ellipse_height)*16 bytes are allocated.
So we need to restrict the values of `ellipse_width` and `ellipse_height`, for example to 2^19, to be consistent with NtGdiCreateRoundRectRgn.
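As an added illustration of the kind of parameter check both issues call for (this is example code written for this report, not Wine's code and not the attached patch), the function below validates rounded-rect and elliptic-region inputs before any arithmetic or allocation happens: it widens to 64 bits so that corner differences and negations cannot overflow, clamps the ellipse to the rectangle, and rejects ellipse dimensions above the 2^19 limit named above. The buffer-size helper uses the (ellipse_width + ellipse_height)*16 formula quoted for dibdrv_RoundRect. The function names, the result codes and the choice to reject rather than clamp oversized values are assumptions of this example; the reproducer values are the ones from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Limit named in the bug report: ellipse dimensions restricted to 2^19. */
#define MAX_ELLIPSE_DIM ((int64_t)1 << 19)

/* Result of the (hypothetical) parameter check. */
enum rgn_check { RGN_OK = 0, RGN_EMPTY = 1, RGN_TOO_LARGE = 2 };

/* |a - b| computed in 64 bits; (int64_t)a - (int64_t)b cannot overflow for int inputs. */
static int64_t abs_diff64(int a, int b)
{
    int64_t d = (int64_t)a - (int64_t)b;
    return d < 0 ? -d : d;
}

/* Validate rounded-rectangle parameters before any arithmetic or allocation.
 * The rectangle may be given with swapped corners, so width/height are absolute.
 * On RGN_OK the ellipse dimensions are clamped to the rectangle and written back;
 * on RGN_TOO_LARGE the caller should bail out instead of building the region. */
int check_round_rect(int left, int top, int right, int bottom,
                     int *ellipse_width, int *ellipse_height)
{
    int64_t rect_w = abs_diff64(right, left);
    int64_t rect_h = abs_diff64(bottom, top);
    if (rect_w == 0 || rect_h == 0) return RGN_EMPTY;

    /* Widen before negating: abs(INT_MIN) is undefined in int arithmetic. */
    int64_t ew = *ellipse_width;  if (ew < 0) ew = -ew;
    int64_t eh = *ellipse_height; if (eh < 0) eh = -eh;

    /* The rounding ellipse can never be wider or taller than the rectangle. */
    if (ew > rect_w) ew = rect_w;
    if (eh > rect_h) eh = rect_h;

    /* Bound from the report: beyond 2^19 the region math overflows. */
    if (ew > MAX_ELLIPSE_DIM || eh > MAX_ELLIPSE_DIM) return RGN_TOO_LARGE;

    *ellipse_width  = (int)ew;
    *ellipse_height = (int)eh;
    return RGN_OK;
}

/* An elliptic region is a rounded rectangle whose ellipse spans the whole rect. */
int check_elliptic_rgn(int left, int top, int right, int bottom)
{
    int64_t w = abs_diff64(right, left), h = abs_diff64(bottom, top);
    if (w > INT_MAX) w = INT_MAX;   /* keep the casts below well-defined */
    if (h > INT_MAX) h = INT_MAX;
    int ew = (int)w, eh = (int)h;
    return check_round_rect(left, top, right, bottom, &ew, &eh);
}

/* Scratch buffer size the report attributes to dibdrv_RoundRect:
 * (ellipse_width + ellipse_height) * 16 bytes. Only meaningful after a
 * successful check, which bounds the sum by 2 * 2^19 and the product by 2^24. */
size_t round_rect_buffer_bytes(int ellipse_width, int ellipse_height)
{
    return ((size_t)ellipse_width + (size_t)ellipse_height) * 16;
}

int main(void)
{
    /* Inputs taken from the reproducers in the report. */
    int ew = 426366044, eh = 16279;
    printf("CreateEllipticRgn(0, 4, -600000000, 0) -> %d\n",
           check_elliptic_rgn(0, 4, -600000000, 0));
    printf("RoundRect(..., 426366044, 16279) -> %d\n",
           check_round_rect(-534431263, -25344, -108065219, -9065, &ew, &eh));

    /* A constructed, ordinary call: the ellipse is clamped to the rectangle. */
    ew = 200; eh = 20;
    if (check_round_rect(0, 0, 100, 50, &ew, &eh) == RGN_OK)
        printf("clamped ellipse %dx%d, buffer %zu bytes\n",
               ew, eh, round_rect_buffer_bytes(ew, eh));
    return 0;
}
```

Both reproducers from the report come back as RGN_TOO_LARGE here, so a caller would return an empty region or fail the call instead of entering the overflowing arithmetic or the oversized allocation.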
I've attached a patch-file (round-rect.patch) that solves the problem.