http://bugs.winehq.org/show_bug.cgi?id=58931
Bug ID: 58931
Summary: d3dx9_*:surface tests read beyond buffer in copy_pixels (ASan)
Product: Wine
Version: 10.1
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@list.winehq.org
Reporter: bernhardu@mailbox.org
Distribution: ---
This affects the test_D3DXSaveSurfaceToFileInMemory with formats D3DFMT_G8R8_G8B8 and D3DFMT_R8G8_B8G8.
It arrives in wined3d_resource_allocate_sysmem with resource->size = 16 and align = 16 /*RESOURCE_ALIGNMENT*/, and therefore allocates 32 bytes.
But the pointer resource->heap_memory gets shifted by align, therefore 16 bytes are usable.
Unfortunately I cannot say what really is wrong here. The src_row_pitch is 4, so it looks wrong to me that the memcpy copies 8 bytes?
As an example, for the D3DFMT_G8R8_G8B8 test I receive in wined3d_resource_allocate_sysmem these values:
resource->size=16
align=16
resource->heap_memory=00007F72C5BE6A70
resource->heap_pointer=00007F72C5BE6A60
And later in copy_pixels these, when copying the last row:
size->height=4
size->width=4
size->depth=1
format->block_width=2
format->block_byte_count=4
row_block_count=2
slice=0
row_count=4
row=3
src_addr=00007F72C5BE6A7C
dst_addr=00007F88C5BE0998
(row_block_count * format->block_byte_count)=8
src_row_pitch=4
My earliest note of it was in the wine 10.1 release cycle:
https://gitlab.winehq.org/bernhardu/wine/-/blob/asan-pe_2025-01-31/asan_repo...
The latest note is with wine 10-18:
https://gitlab.winehq.org/bernhardu/wine/-/blob/asan-pe_2025-10-18_wine-10.1...
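The row arithmetic behind the values quoted above, as an added example that is neither Wine's code nor the reporter's patch: it models the copy_pixels row loop with the reported parameters and flags every row whose source memcpy would extend past the usable allocation. The struct field names mirror the report; block height is assumed to be 1 for these two packed formats.

```c
#include <stddef.h>
#include <stdio.h>

/* Parameters of one copy_pixels call, named as in the report. Block height is
 * assumed to be 1, which holds for D3DFMT_G8R8_G8B8 and D3DFMT_R8G8_B8G8. */
struct copy_params
{
    unsigned int width, height, depth;          /* size->width / height / depth */
    unsigned int block_width, block_byte_count; /* format->block_width / block_byte_count */
    size_t src_row_pitch, src_slice_pitch;
    size_t src_size;                            /* usable bytes behind resource->heap_memory */
};

/* Walk the rows the way the copy loop does and count rows whose memcpy of
 * row_block_count * block_byte_count bytes would end past src_size.
 * first_bad_row (optional) receives the first such row, or -1 if none. */
static unsigned int count_overreads(const struct copy_params *p, int *first_bad_row)
{
    unsigned int row_block_count = (p->width + p->block_width - 1) / p->block_width;
    size_t row_bytes = (size_t)row_block_count * p->block_byte_count;
    unsigned int overreads = 0, slice, row;

    if (first_bad_row) *first_bad_row = -1;
    for (slice = 0; slice < p->depth; ++slice)
        for (row = 0; row < p->height; ++row)
        {
            size_t src_off = slice * p->src_slice_pitch + row * p->src_row_pitch;
            if (src_off + row_bytes > p->src_size)
            {
                if (first_bad_row && *first_bad_row < 0) *first_bad_row = (int)row;
                ++overreads;
            }
        }
    return overreads;
}

/* Convenience wrapper: index of the first over-reading row, or -1. */
static int first_overread_row(const struct copy_params *p)
{
    int row;
    count_overreads(p, &row);
    return row;
}

/* The D3DFMT_G8R8_G8B8 values quoted in the report: 4x4x1 surface, 2-pixel
 * blocks of 4 bytes, src_row_pitch 4, 16 usable bytes. */
static const struct copy_params reported_case = { 4, 4, 1, 2, 4, 4, 16, 16 };
/* Constructed comparison: the same surface with a pitch matching the 8-byte rows. */
static const struct copy_params consistent_case = { 4, 4, 1, 2, 4, 8, 32, 32 };

int main(void)
{
    int row;
    unsigned int n = count_overreads(&reported_case, &row);
    printf("reported case: %u over-reading row(s), first at row %d\n", n, row);
    printf("consistent case: %u over-reading row(s)\n", count_overreads(&consistent_case, NULL));
    return 0;
}
```

With the reported numbers only the last row (row 3, source offset 12) over-reads, by 4 bytes, matching the ASan report.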
--- Comment #1 from Bernhard Übelacker <bernhardu@mailbox.org> ---
Created attachment 79626
--> http://bugs.winehq.org/attachment.cgi?id=79626
patch to add some logging to relevant functions