https://bugs.winehq.org/show_bug.cgi?id=56768
Bug ID: 56768
Summary: uxtheme crash when using themed CheckBoxes
Product: Wine
Version: 9.9
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: uxtheme
Assignee: wine-bugs@winehq.org
Reporter: kyle.kcsoftwares@gmail.com
Distribution: ---

Created attachment 76569
  --> https://bugs.winehq.org/attachment.cgi?id=76569
uxtheme patch
Initially found here https://jira.reactos.org/browse/CORE-16410 but also applicable to Wine 9.9 staging as "latent bug"
comctl32/button.c CB_ThemedPaint, before https://github.com/wine-mirror/wine/commit/830348d78c38e9f68772bd6e5a3ea2555... passed NULL as LPCRECT prc for GetThemePartSize (allowed as per https://learn.microsoft.com/en-en/windows/win32/api/uxtheme/nf-uxtheme-getth... ), then get_image_part_size, then UXTHEME_LoadImage, then UXTHEME_SelectImage, which unconditionally calls
POINT size = {pRect->right-pRect->left, pRect->bottom-pRect->top};
without checking that pRect is non-NULL.
Attached patch (to be adapted here) prevents such a case.
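Added example, not taken from the report, the attached patch, or Wine's source: the unchecked size computation quoted above placed next to a form that reports a NULL destination rectangle to the caller instead of dereferencing it. RECT and POINT are stand-in definitions so the file builds outside Wine, the return-code convention and the zero-size fallback are assumptions of this example, and the sample rectangle is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the Win32 RECT/POINT types so this builds outside Wine
 * (constructed for the example; field names follow the Win32 layout). */
typedef struct { long left, top, right, bottom; } RECT;
typedef struct { long x, y; } POINT;

/* The pattern the report points at: prc is dereferenced with no NULL
 * check, even though the documented contract lets the caller pass NULL. */
static POINT rect_size_unchecked(const RECT *prc)
{
    POINT size = { prc->right - prc->left, prc->bottom - prc->top };
    return size;
}

/* Guarded form: a NULL rectangle is reported to the caller instead of
 * being dereferenced. Returns 1 when the size came from prc, 0 when no
 * rectangle was supplied (size is zeroed so the caller can substitute a
 * default such as the image's own dimensions; that fallback is an
 * assumption of this example, not Wine's behaviour), -1 on a bad out ptr. */
static int rect_size_checked(const RECT *prc, POINT *size)
{
    if (!size) return -1;
    if (!prc) {
        size->x = 0;
        size->y = 0;
        return 0;
    }
    size->x = prc->right - prc->left;
    size->y = prc->bottom - prc->top;
    return 1;
}

/* Exercise both paths on a constructed rectangle; returns 1 when every
 * expectation holds, which is what a caller (or a test) can assert on. */
static int run_checks(void)
{
    RECT dest = { 10, 20, 110, 70 };   /* constructed sample: 100 x 50 */
    POINT s;

    POINT u = rect_size_unchecked(&dest);
    if (u.x != 100 || u.y != 50) return 0;

    if (rect_size_checked(&dest, &s) != 1 || s.x != 100 || s.y != 50) return 0;

    /* The input the report describes: NULL prc. The guarded form survives it,
     * the unchecked form would fault here, so it is never called with NULL. */
    if (rect_size_checked(NULL, &s) != 0 || s.x != 0 || s.y != 0) return 0;

    if (rect_size_checked(&dest, NULL) != -1) return 0;

    return 1;
}

int main(void)
{
    int ok = run_checks();
    printf("checks %s\n", ok ? "passed" : "failed");
    return ok ? 0 : 1;
}
```

The point of the guarded form is that the decision about what a missing rectangle means is pushed back to the caller through the return value, rather than being hidden inside the helper; whichever default Wine's own fix chooses, the deref on the NULL path is gone.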
Ken Sharp imwellcushtymelike@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |source
Fabian Maurer dark.shadow4@web.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dark.shadow4@web.de

--- Comment #1 from Fabian Maurer dark.shadow4@web.de ---
How exactly do you get a crash? Do you need a special theme for that?
--- Comment #2 from KRosUser kyle.kcsoftwares@gmail.com ---
Only with a theme that affects checkboxes, such as Royalty as mentioned in https://jira.reactos.org/browse/CORE-16410 (e.g. using a specific image for checked/unchecked states) and BEFORE application of the commit that hides the mishandled NULL LPRECT... or with a sample app to be built calling GetThemePartSize with a NULL pRect.
--- Comment #3 from KRosUser kyle.kcsoftwares@gmail.com ---
See https://learn.microsoft.com/en-us/windows/win32/api/uxtheme/nf-uxtheme-getth...
[in] prc Type: LPCRECT Pointer to a RECT structure that contains the rectangle used for the part drawing destination. This parameter may be set to NULL.
Faulty code is here https://github.com/wine-mirror/wine/blob/master/dlls/uxtheme/draw.c#L232 where pRect is used with
POINT size = {pRect->right-pRect->left, pRect->bottom-pRect->top};
without checking that pRect is non-NULL
(see the patch in the attachment).
KRosUser kyle.kcsoftwares@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       Distribution|---                         |Ubuntu
            Version|9.9                         |10.7
--- Comment #4 from Nikolay Sivov bunglehead@gmail.com ---
This needs some reproducible use case. The patch you attached is obviously not for wine codebase. From the code it looks like it only happens with background images, which I guess we don't use for our builtin themes.
--- Comment #5 from KRosUser kyle.kcsoftwares@gmail.com ---
Yes, but that's an active code path in Wine that can lead to the NULL pRect situation.
Where could I find a Wine theme to build a sample application and theme to exploit this bug if further evidence is required?
Fabian Maurer dark.shadow4@web.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|10.7                        |9.9

--- Comment #6 from Fabian Maurer dark.shadow4@web.de ---
Please don't change the version once reported.

(In reply to KRosUser from comment #5)
> Where could I find a Wine theme to build a sample application and theme to exploit this bug if further evidence is required?

Not sure what you mean? I guess you'd have to make it yourself.
--- Comment #7 from KRosUser kyle.kcsoftwares@gmail.com ---
OK, so I'll just keep the reported faulty code path. The .patch is self-explanatory on what is a decent fix for Wine, even if it has to be adapted to the Wine codebase.
--- Comment #8 from Nikolay Sivov bunglehead@gmail.com ---
You reported a crash, presumably when running something with wine. If it needs a special theme, make sure you mentioned where to get it. If it needs a specific test program, mention that also. If none of that is available, it's making it more difficult for people to reproduce and figure out correct fix.
--- Comment #9 from KRosUser kyle.kcsoftwares@gmail.com ---
Theme to be used: https://jira.reactos.org/secure/attachment/54626/54626_royalty_for_xp_by_pit...
Program to be used: calc.exe from ReactOS, in Scientific mode.