According to the documentation of ScriptShape function, the psva argument should have the number of elements indicated by cMaxGlyphs.
-- v3: gdi32: Fix possible overflow
From: Mark Jansen mark.jansen@reactos.org
According to the documentation of ScriptShape function, the psva argument should have the number of elements indicated by cMaxGlyphs.
---
 dlls/gdi32/text.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/dlls/gdi32/text.c b/dlls/gdi32/text.c
index f2fcb41bcdf..67e115a2bbb 100644
--- a/dlls/gdi32/text.c
+++ b/dlls/gdi32/text.c
@@ -471,7 +471,7 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */
 WARN("Out of memory\n");
 goto cleanup;
 }
- psva = HeapAlloc(GetProcessHeap(),0,sizeof(SCRIPT_VISATTR) * uCount);
+ psva = HeapAlloc(GetProcessHeap(),0,sizeof(SCRIPT_VISATTR) * cMaxGlyphs);
 if (!psva)
 {
 WARN("Out of memory\n");
@@ -603,6 +603,7 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */
 res = ScriptShape(hDC, &psc, lpString + done + curItem->iCharPos, cChars, cMaxGlyphs, &curItem->a, run_glyphs, pwLogClust, psva, &cOutGlyphs);
 while (res == E_OUTOFMEMORY)
 {
+ SCRIPT_VISATTR *new_psva;
 WORD *new_run_glyphs = HeapReAlloc(GetProcessHeap(), 0, run_glyphs, sizeof(*run_glyphs) * cMaxGlyphs * 2);
 if (!new_run_glyphs)
 {
@@ -614,6 +615,17 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */
 goto cleanup;
 }
 run_glyphs = new_run_glyphs;
+ new_psva = HeapReAlloc(GetProcessHeap(), 0, psva, sizeof(*psva) * cMaxGlyphs * 2);
+ if (!new_psva)
+ {
+ WARN("Out of memory\n");
+ HeapFree(GetProcessHeap(), 0, runOrder);
+ HeapFree(GetProcessHeap(), 0, visOrder);
+ HeapFree(GetProcessHeap(), 0, *lpGlyphs);
+ *lpGlyphs = NULL;
+ goto cleanup;
+ }
+ psva = new_psva;
 cMaxGlyphs *= 2;
 res = ScriptShape(hDC, &psc, lpString + done + curItem->iCharPos, cChars, cMaxGlyphs, &curItem->a, run_glyphs, pwLogClust, psva, &cOutGlyphs);
 }
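Review bot: The allocation changed in the first hunk still spells the element size as `sizeof(SCRIPT_VISATTR)`, while the HeapReAlloc added in the third hunk uses `sizeof(*psva)`; writing `sizeof(*psva) * cMaxGlyphs` here as well keeps the two size expressions identical and easy to check against each other. Nothing at either site records why the count is cMaxGlyphs rather than uCount, and that invariant is what keeps ScriptShape from writing past the end of psva. I would add a comment above the allocation such as `/* ScriptShape may fill up to cMaxGlyphs entries of psva, so it must grow together with run_glyphs */`. BIDI_Reorder starts and ends outside the hunk, so the definition of cMaxGlyphs is not visible here.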
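Review bot: The size passed to the HeapReAlloc added in the third hunk, `sizeof(*psva) * cMaxGlyphs * 2`, is an unchecked multiplication inside a retry loop that doubles cMaxGlyphs for as long as ScriptShape returns E_OUTOFMEMORY, with no upper limit visible in the hunk. The allocator will most likely fail before the product wraps, but if it did wrap, ScriptShape would be told a glyph count larger than the psva buffer it receives, which is the overflow this patch sets out to close. A bound checked before either reallocation would rule that out, for example `if (cMaxGlyphs > GLYPH_LIMIT / 2)` taking the existing out-of-memory path, where GLYPH_LIMIT is a placeholder for a limit the project chooses. The declaration of cMaxGlyphs and part of the loop body are outside these hunks, so its type and any earlier limit should be confirmed.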
Hi,
It looks like your patch introduced the new failures shown below. Please investigate and fix them before resubmitting your patch. If they are not new, fixing them anyway would help a lot. Otherwise please ask for the known failures list to be updated.
The tests also ran into some preexisting test failures. If you know how to fix them that would be helpful. See the TestBot job for the details:
The full results can be found at: https://testbot.winehq.org/JobDetails.pl?Key=124891
Your paranoid android.
=== debian11 (build log) ===
Use of uninitialized value $Flaky in addition (+) at /home/testbot/lib/WineTestBot/LogUtils.pm line 720, <$LogFile> line 24692. Use of uninitialized value $Flaky in addition (+) at /home/testbot/lib/WineTestBot/LogUtils.pm line 720, <$LogFile> line 24692. Use of uninitialized value $Flaky in addition (+) at /home/testbot/lib/WineTestBot/LogUtils.pm line 720, <$LogFile> line 24692.
Huw Davies (@huw) commented about dlls/gdi32/text.c:
goto cleanup; } run_glyphs = new_run_glyphs;
new_psva = HeapReAlloc(GetProcessHeap(), 0, psva, sizeof(*psva) * cMaxGlyphs * 2);
if (!new_psva)
{
WARN("Out of memory\n");
HeapFree(GetProcessHeap(), 0, runOrder);
HeapFree(GetProcessHeap(), 0, visOrder);
HeapFree(GetProcessHeap(), 0, *lpGlyphs);
*lpGlyphs = NULL;
goto cleanup;
}
psva = new_psva;
Rather than adding lots more code, how about performing both `HeapReAlloc()`s first and then testing for either failing in the same `if` statement? In the failure case you'd need to add `HeapFree()`s for both `new_` ptrs, but it should be rather simpler.