For bug https://bugs.winehq.org/show_bug.cgi?id=46435.
Signed-off-by: Paul Gofman gofmanp@gmail.com --- It is not a regression as this code did not change since December 2017. Still suggesting it now as the bug involves potential out of bounds (read) access and the fix looks pretty obvious.
dlls/d3dx9_36/shader.c | 8 +++++--- dlls/d3dx9_36/tests/shader.c | 1 + 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/dlls/d3dx9_36/shader.c b/dlls/d3dx9_36/shader.c
index acbbf0718a..e8ce3dd796 100644
--- a/dlls/d3dx9_36/shader.c
+++ b/dlls/d3dx9_36/shader.c
@@ -2415,18 +2415,20 @@ HRESULT WINAPI D3DXCreateTextureShader(const DWORD *function, ID3DXTextureShader
static unsigned int get_instr_length(const DWORD *byte_code, unsigned int major, unsigned int minor) { + DWORD opcode = *byte_code & 0xffff; unsigned int len = 0;
+ if (opcode == D3DSIO_COMMENT) + return (*byte_code & D3DSI_COMMENTSIZE_MASK) >> D3DSI_COMMENTSIZE_SHIFT; + if (major > 1) return (*byte_code & D3DSI_INSTLENGTH_MASK) >> D3DSI_INSTLENGTH_SHIFT;
- switch (*byte_code & 0xffff) + switch (opcode) { case D3DSIO_END: ERR("Unexpected END token.\n"); return 0; - case D3DSIO_COMMENT: - return (*byte_code & D3DSI_COMMENTSIZE_MASK) >> D3DSI_COMMENTSIZE_SHIFT; case D3DSIO_DEF: case D3DSIO_DEFI: return 5; diff --git a/dlls/d3dx9_36/tests/shader.c b/dlls/d3dx9_36/tests/shader.c index 1086e5e9d6..b67ffb209c 100644 --- a/dlls/d3dx9_36/tests/shader.c +++ b/dlls/d3dx9_36/tests/shader.c @@ -6457,6 +6457,7 @@ static void test_shader_semantics(void) vs_3_0[] = { 0xfffe0300, /* vs_3_0 */ + 0x0002fffe, 0x0200000f, 0x00000000, /* comment */ 0x0200001f, 0x80000000, 0x900f0000, /* dcl_position v0 */ 0x0200001f, 0x80000003, 0x900f0001, /* dcl_normal v1 */ 0x0200001f, 0x8001000a, 0x900f0002, /* dcl_color1 v2 */
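Review bot: The length returned for `D3DSIO_COMMENT` in `get_instr_length` is still taken straight from the token via `D3DSI_COMMENTSIZE_MASK`, and the function cannot compare it with the end of the byte code because it receives only the pointer and the version numbers. Moving the check ahead of `if (major > 1)` makes comments in shader model 2+ byte code use the comment size field, but a token declaring more payload than the buffer holds would presumably still carry the caller past the end; the caller is outside this hunk, so that needs confirming there. I would at least record the contract above the function, e.g. `/* Returns the token count encoded in the byte code; it is not validated, callers must bound it against the remaining size. */`. As a style point, `*byte_code & 0xffff` could be written `*byte_code & D3DSI_OPCODE_MASK`. The switch body continues past the end of the hunk.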
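Review bot: The vector added to `vs_3_0[]` covers only a well-formed comment, and its `/* comment */` annotation does not say why the payload is `0x0200000f, 0x00000000`. The first payload word looks like an instruction token with a length field of 2, which may be deliberate so that a parser using the instruction length on the comment token misreads the stream. Spelling that out, e.g. `/* comment, payload resembles an instruction token */`, would keep the regression intent visible. Whether the other shader arrays in `test_shader_semantics` carry a comment token is not visible from this hunk.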