From: Mark Jansen mark.jansen@reactos.org
According to the documentation of ScriptShape function, the psva argument should have the number of elements indicated by cMaxGlyphs. --- dlls/gdi32/text.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/dlls/gdi32/text.c b/dlls/gdi32/text.c index f2fcb41bcdf..c4eb2fa5bf2 100644 --- a/dlls/gdi32/text.c +++ b/dlls/gdi32/text.c @@ -471,7 +471,7 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */ WARN("Out of memory\n"); goto cleanup; } - psva = HeapAlloc(GetProcessHeap(),0,sizeof(SCRIPT_VISATTR) * uCount); + psva = HeapAlloc(GetProcessHeap(),0,sizeof(SCRIPT_VISATTR) * cMaxGlyphs); if (!psva) { WARN("Out of memory\n"); @@ -614,6 +614,17 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */ goto cleanup; } run_glyphs = new_run_glyphs; + SCRIPT_VISATTR *new_psva = HeapReAlloc(GetProcessHeap(), 0, psva, sizeof(*psva) * cMaxGlyphs * 2); + if (!new_psva) + { + WARN("Out of memory\n"); + HeapFree(GetProcessHeap(), 0, runOrder); + HeapFree(GetProcessHeap(), 0, visOrder); + HeapFree(GetProcessHeap(), 0, *lpGlyphs); + *lpGlyphs = NULL; + goto cleanup; + } + psva = new_psva; cMaxGlyphs *= 2; res = ScriptShape(hDC, &psc, lpString + done + curItem->iCharPos, cChars, cMaxGlyphs, &curItem->a, run_glyphs, pwLogClust, psva, &cOutGlyphs); }