From: Mark Jansen mark.jansen@reactos.org
According to the documentation of ScriptShape function, the psva argument should have the number of elements indicated by cMaxGlyphs.
---
 dlls/gdi32/text.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/dlls/gdi32/text.c b/dlls/gdi32/text.c
index f2fcb41bcdf..67e115a2bbb 100644
--- a/dlls/gdi32/text.c
+++ b/dlls/gdi32/text.c
@@ -471,7 +471,7 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */
 WARN("Out of memory\n");
 goto cleanup;
 }
- psva = HeapAlloc(GetProcessHeap(),0,sizeof(SCRIPT_VISATTR) * uCount);
+ psva = HeapAlloc(GetProcessHeap(),0,sizeof(SCRIPT_VISATTR) * cMaxGlyphs);
 if (!psva)
 {
 WARN("Out of memory\n");
@@ -603,6 +603,7 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */
 res = ScriptShape(hDC, &psc, lpString + done + curItem->iCharPos, cChars, cMaxGlyphs, &curItem->a, run_glyphs, pwLogClust, psva, &cOutGlyphs);
 while (res == E_OUTOFMEMORY)
 {
+ SCRIPT_VISATTR *new_psva;
 WORD *new_run_glyphs = HeapReAlloc(GetProcessHeap(), 0, run_glyphs, sizeof(*run_glyphs) * cMaxGlyphs * 2);
 if (!new_run_glyphs)
 {
@@ -614,6 +615,17 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */
 goto cleanup;
 }
 run_glyphs = new_run_glyphs;
+ new_psva = HeapReAlloc(GetProcessHeap(), 0, psva, sizeof(*psva) * cMaxGlyphs * 2);
+ if (!new_psva)
+ {
+ WARN("Out of memory\n");
+ HeapFree(GetProcessHeap(), 0, runOrder);
+ HeapFree(GetProcessHeap(), 0, visOrder);
+ HeapFree(GetProcessHeap(), 0, *lpGlyphs);
+ *lpGlyphs = NULL;
+ goto cleanup;
+ }
+ psva = new_psva;
 cMaxGlyphs *= 2;
 res = ScriptShape(hDC, &psc, lpString + done + curItem->iCharPos, cChars, cMaxGlyphs, &curItem->a, run_glyphs, pwLogClust, psva, &cOutGlyphs);
 }
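Review bot: The resized `psva = HeapAlloc(...)` line in the first hunk has no comment saying why it is sized by cMaxGlyphs rather than uCount, and that sizing is the whole fix. The ScriptShape calls visible in the later hunks pass `cMaxGlyphs` as the capacity alongside both `run_glyphs` and `psva`, so a psva shorter than that could presumably be written past the end of its heap block. I would add `/* psva is per-glyph: ScriptShape may fill up to cMaxGlyphs entries, keep it the same length as run_glyphs */` above the line, and write the size as `sizeof(*psva) * cMaxGlyphs` to match the HeapReAlloc added in the third hunk. BIDI_Reorder starts and ends outside this hunk, so how cMaxGlyphs is derived from uCount is not visible here.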
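Review bot: The `if (!new_psva)` branch in the third hunk is a second copy of the out-of-memory teardown (WARN, three HeapFree calls, `*lpGlyphs = NULL`, `goto cleanup`), and the `new_run_glyphs` check whose tail opens this hunk appears to carry the same one; two copies inside a retry loop are easy to let drift apart. Doing both HeapReAlloc calls first and then `if (new_run_glyphs) run_glyphs = new_run_glyphs;`, `if (new_psva) psva = new_psva;`, `if (!new_run_glyphs || !new_psva) { ... }` keeps a single teardown and still leaves each pointer naming a live block when control reaches the cleanup label. That label is outside the hunk, so it is worth confirming it does not free runOrder and visOrder again, since only `*lpGlyphs` is reset to NULL here. The doubling itself (`cMaxGlyphs * 2`, then `cMaxGlyphs *= 2`) has no upper bound visible in the hunk.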