http://bugs.winehq.org/show_bug.cgi?id=19819
Summary: Small bug in TranslateCharsetInfo
Product: Wine
Version: 1.1.28
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdi32
AssignedTo: wine-bugs@winehq.org
ReportedBy: grschneider@gmail.com
TranslateCharsetInfo (dlls/gdi32/font.c:2596) works on an array FONT_tci of size 32 and may access this array with the index 32 - out of bounds.
The loops in lines 2602 and 2605 first access the array with an incremented index and check afterwards; this may lead to the described behaviour. The order (access, then check) has to be swapped in those three cases to fix this. C won't access the arrays then because of lazy evaluation.
Example loop (line 2602):

    while (PtrToUlong(lpSrc) != FONT_tci[index].ciACP && index < MAXTCIINDEX) index++;

index = 31, 31 < 32 (true), 31++, FONT_tci[32].ciACP -> crash
Can't provide a patch atm, I hope this description is enough.
Dmitry Timoshkov dmitry@codeweavers.com changed:
           What    |Removed |Added
----------------------------------------------------------------------------
          Platform|All     |Other
        OS/Version|All     |other
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
            Status|UNCONFIRMED |RESOLVED
        Resolution|            |FIXED
--- Comment #1 from Nikolay Sivov bunglehead@gmail.com 2009-10-20 10:41:56 --- Fixed by commit:
http://source.winehq.org/git/wine.git/?a=commit;h=dd0a7078e0acd55f9cc5ac0afb...
Dmitry Timoshkov dmitry@codeweavers.com changed:
           What    |Removed  |Added
----------------------------------------------------------------------------
            Status|RESOLVED |UNCONFIRMED
        Resolution|FIXED    |
--- Comment #2 from Dmitry Timoshkov dmitry@codeweavers.com 2009-10-21 11:15:35 ---
(In reply to comment #1)
> Fixed by commit:
> http://source.winehq.org/git/wine.git/?a=commit;h=dd0a7078e0acd55f9cc5ac0afb...

This is the first version of the patch, which is not correct. It does fix the overrun but breaks the logic. See my comment on wine-devel.
--- Comment #3 from Nikolay Sivov bunglehead@gmail.com 2009-10-21 11:21:54 ---
(In reply to comment #2)
> (In reply to comment #1)
> > Fixed by commit:
> > http://source.winehq.org/git/wine.git/?a=commit;h=dd0a7078e0acd55f9cc5ac0afb...
>
> This is the first version of the patch, which is not correct. It does fix the
> overrun but breaks the logic. See my comment on wine-devel.

Actually after a second look I don't think it breaks anything. The '>=' condition is there without this patch too; it should be ==. The last iteration could be MAXTCIINDEX-1, after that it will be MAXTCIINDEX, and it's the same as before.

Could you describe a problem?
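The two loop orderings from the report (read FONT_tci[index] and then test the bound, versus test the bound first so `&&` short-circuits) and the post-loop `index >= MAXTCIINDEX` test discussed in comment #3, as an added example that is not Wine's code. The entry layout, the constructed table contents, the `tci_at` accessor and all function names are assumptions for illustration; the accessor counts reads past the end of the table instead of performing them, so the demo stays free of undefined behaviour while still showing which ordering reaches index 32.

```c
#include <stdio.h>

/* Added example, not Wine's code: a miniature of the FONT_tci lookup in
 * dlls/gdi32/font.c as described in the report. Entry layout, table
 * contents and the accessor are assumptions for illustration. */

#define MAXTCIINDEX 32

typedef struct {
    unsigned ciACP;      /* ANSI code page */
    unsigned ciCharset;  /* character set id */
} tci_entry;

/* Constructed table: only a few slots are populated; the rest are zero,
 * so a lookup for an unknown code page matches nothing. */
static const tci_entry FONT_tci[MAXTCIINDEX] = {
    [0] = { 1252, 0 },   /* ANSI_CHARSET */
    [1] = { 932, 128 },  /* SHIFTJIS_CHARSET */
    [2] = { 949, 129 },  /* HANGEUL_CHARSET */
};

/* Instrumented accessor (assumption): a read at index >= MAXTCIINDEX is
 * counted and redirected to a canary entry rather than dereferenced. */
static unsigned oob_reads;
static const tci_entry canary = { 0xDEAD, 0xDEAD };

static const tci_entry *tci_at(unsigned index)
{
    if (index >= MAXTCIINDEX) {
        oob_reads++;
        return &canary;
    }
    return &FONT_tci[index];
}

/* Ordering from the report: read FONT_tci[index] first, check afterwards.
 * On a miss, index 31 passes the check and becomes 32, and the next
 * iteration reads FONT_tci[32] before `index < MAXTCIINDEX` fails. */
unsigned find_acp_access_then_check(unsigned acp)
{
    unsigned index = 0;
    while (tci_at(index)->ciACP != acp && index < MAXTCIINDEX)
        index++;
    return index;
}

/* Swapped ordering: the bound is tested first and `&&` short-circuits,
 * so the table is never read with index == MAXTCIINDEX. The loop still
 * ends with index == MAXTCIINDEX on a miss, exactly as before the swap. */
unsigned find_acp_check_then_access(unsigned acp)
{
    unsigned index = 0;
    while (index < MAXTCIINDEX && tci_at(index)->ciACP != acp)
        index++;
    return index;
}

/* Post-loop test from comment #3: a miss leaves index at MAXTCIINDEX, so
 * `index >= MAXTCIINDEX` rejects it; a hit returns the charset. */
int charset_for_acp(unsigned acp)
{
    unsigned index = find_acp_check_then_access(acp);
    if (index >= MAXTCIINDEX)
        return -1;           /* not found */
    return (int)FONT_tci[index].ciCharset;
}

/* Run one lookup and report how many out-of-bounds reads it attempted. */
unsigned count_oob_reads(unsigned (*lookup)(unsigned), unsigned acp)
{
    oob_reads = 0;
    lookup(acp);
    return oob_reads;
}

int main(void)
{
    printf("access-then-check, acp 65001: %u out-of-bounds read(s)\n",
           count_oob_reads(find_acp_access_then_check, 65001));
    printf("check-then-access, acp 65001: %u out-of-bounds read(s)\n",
           count_oob_reads(find_acp_check_then_access, 65001));
    printf("acp 932 -> charset %d\n", charset_for_acp(932));
    return 0;
}
```

Both orderings return the same index for the same input; the only difference is whether FONT_tci[MAXTCIINDEX] is touched on the way to that result, which is why swapping the operands fixes the overrun without changing the `>=` logic that follows the loop.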
Dmitry Timoshkov dmitry@codeweavers.com changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
            Status|UNCONFIRMED |RESOLVED
        Resolution|            |FIXED
--- Comment #4 from Dmitry Timoshkov dmitry@codeweavers.com 2009-10-21 11:28:06 --- Ah, I must be blind. 'index >= MAXTCIINDEX' does trigger of course after the while() loop.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed  |Added
----------------------------------------------------------------------------
            Status|RESOLVED |CLOSED
--- Comment #5 from Alexandre Julliard julliard@winehq.org 2009-10-23 13:19:24 --- Closing bugs fixed in 1.1.32.