[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wine-devel
Subject:    Re: wine3d3: Check the destination recangle when for FastBlt().
From:       Stefan =?utf-8?q?D=C3=B6singer?= <stefandoesinger () gmx ! at>
Date:       2007-07-31 13:30:11
Message-ID: 200707311530.11358.stefandoesinger () gmx ! at
[Download RAW message or body]

> I have taken another look at it. I still think this specific problem
> should be fixed in wined3d. The problem occurs because BltFast (ddraw,
> d3d and d3d-gdi) all take two DWORDs as the offset write position, and
> then later casts them into a RECT structure which has signed values.
> This must for any caller be considered an error. No caller could get
> anything useful out of this.

> lock_dst.left = dstx;  <--- bad cast!
> lock_dst.top = dsty; <--- bad cast!
> lock_dst.right = dstx + w; <--- bad cast!
> lock_dst.bottom = dsty + h; <--- bad cast!
>
> Why does this not trigger a warning? Not sure.
Indeed this does not sound right. The unsigned to signed assignment doesn't 
look right. However, a problem should only occur if the highest bit of the 
DWORD is set, in which case this would be a very high value and would exeed 
the surface dimensions. Such a huge surface can't be created without 
exceeding the 2 GB userland VM size. Most likely the check in 
dlls/ddraw/surface.c, line 2067 runs into a signedness issue too.


[prev in list] [next in list] [prev in thread] [next in thread]