Hi, while working through the test reports in the appdb, I saw users submitting crashes with applications, all similar to bug 7380, so I decided to take it here. The applications that crash are:
*WinMerge (newest version)
*BookWorms Adventures + several other PopCap games (I tested them)
*5 other applications listed under bug 7380.
So I know of at least 10 applications that crash this way. They all start fine using the "buggy pointer" patch from Rein Klazes below. However, I think it's becoming rather strange that all these (just released!) applications pass buggy pointers, so I'm beginning to think the problem must be somewhere else. I sent in a patch to work around this bug by an exception handler a few weeks ago, but that's likely not the way to go either then. Does anyone have an idea how to tackle this problem? Thanks.
diff --git a/dlls/winex11.drv/dib.c b/dlls/winex11.drv/dib.c
index
cec2058..4e61da4 100644
--- a/dlls/winex11.drv/dib.c
+++ b/dlls/winex11.drv/dib.c
@@ -3861,6 +3861,7 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph
X11DRV_DIB_IMAGEBITS_DESCR descr;
BITMAP bitmap;
LONG width, height, tmpheight;
+ int nrsrcbytes, dibpitch;
INT result;
descr.physDev = physDev;
@@ -3880,6 +3881,17 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph
if (startscan + lines > height) lines = height - startscan;
+
+ /* pointer check */
+ dibpitch = ((width * descr.infoBpp + 23) &~23) / 8;
+ if( descr.compression)
+ nrsrcbytes = 1;
+ else {
+ nrsrcbytes = lines * dibpitch;
+ if( nrsrcbytes < 0) nrsrcbytes = - nrsrcbytes;
+ }
+ if( IsBadReadPtr( bits, nrsrcbytes)) return
0;
+
switch (descr.infoBpp)
{
case 1:
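Review bot: The pitch expression in the added pointer check, `((width * descr.infoBpp + 23) &~23) / 8`, uses 23 as a rounding mask, but 23 is not of the form 2^n - 1, so `&~23` does not round to any alignment boundary; DIB scanlines are DWORD-aligned, which is what the `+ 31) &~31` form in the line removed further down computes. Suggest using the 31 mask here so the length passed to IsBadReadPtr matches the real scanline size. Two more points on the same block: for compressed bitmaps nrsrcbytes is set to 1, so only the first byte of bits is probed and the check says little about the rest of the buffer, and `lines * dibpitch` is computed in a plain int with no overflow check before being used as a length. A comment explaining why the function silently returns 0 on a bad pointer would also help.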
@@ -3926,7 +3938,7 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph
descr.width = bitmap.bmWidth;
descr.height = lines;
descr.useShm = FALSE;
- descr.dibpitch = ((descr.infoWidth * descr.infoBpp + 31) &~31) / 8;
+ descr.dibpitch = dibpitch;
X11DRV_DIB_Lock( physBitmap, DIB_Status_GdiMod, FALSE );
result = X11DRV_DIB_SetImageBits( &descr );
X11DRV_DIB_Unlock( physBitmap, TRUE );
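Review bot: The replacement `descr.dibpitch = dibpitch;` is not a pure refactor: the removed line derived the pitch from descr.infoWidth with a 31 mask, while dibpitch is derived earlier from the local width with a 23 mask, so the value handed to X11DRV_DIB_SetImageBits can differ from before. If the intent is only to add a pointer check, keep the original expression here (or make the earlier computation identical to it), and state any intended change in pitch in the patch description.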