Core ReactOS / CORE-12825

NtGdiGetGlyphIndicesW crashes at a ExAllocatePoolWithTag call


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 0.4.13
    • Win32SS
    • None

    Description

      NtGdiGetGlyphIndicesW crashes at an ExAllocatePoolWithTag call because it tries to allocate a buffer of zero size. This is triggered e.g. when attempting to list the available fonts under any Office application.

      *** Assertion failed: NumberOfBytes != 0
      ***   Source File: /srv/buildbot/Build_GCCLin_x86/build/reactos/ntoskrnl/mm/ARM3/expool.c, line 1584
      kdb:> bt
      Execute '.cxr F6FA7380' to dump context
      Entered debugger on embedded INT3 at 0x0008:0x8094267e.
      Eip:
      <NTOSKRNL.EXE:14267f (:0 (DbgBreakPoint))>
      Frames:
      <NTOSKRNL.EXE:9f383 (ntoskrnl/mm/ARM3/expool.c:1584 (ExAllocatePoolWithTag))>
      <win32k.sys:c1fa2 (win32ss/gdi/ntgdi/freetype.c:4447 (NtGdiGetGlyphIndicesW))>
      <NTOSKRNL.EXE:127594 (ntoskrnl/include/internal/i386/ke.h:706 (KiSystemServiceHandler))>
      <NTOSKRNL.EXE:3da9 (:0 (KiFastCallEntry))>
      <ntdll.dll:c81d>

      When listing fonts with Word 2010, the function

      __kernel_entry
      W32KAPI
      DWORD
      APIENTRY
      NtGdiGetGlyphIndicesW(
          _In_ HDC hdc,
          _In_reads_opt_(cwc) LPCWSTR pwc,
          _In_ INT cwc,
          _Out_writes_opt_(cwc) LPWORD pgi,
          _In_ DWORD iMode)

      is called with cwc == 0 (but pwc == "", i.e. not NULL; pgi not NULL, e.g. 0x00810000; and iMode == 1 == GGI_MARK_NONEXISTING_GLYPHS):

      (H:\trunk\reactos_clean\win32ss\gdi\ntgdi\freetype.c:4432) ERR: !pwc || cwc == 0 is TRUE!!
      Break instruction exception - code 80000003 (first chance)
      win32k!NtGdiGetGlyphIndicesW+0x101:
      f86411a1 cc              int     3
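The cwc-to-pool-size path the report describes, as an added example that is not ReactOS code: a user-mode model with the unguarded entry point beside a guarded one that rejects a NULL string, a zero or negative count and an oversized count before anything reaches the allocator. pool_alloc, lookup_glyph and MAX_GLYPH_COUNT are constructed stand-ins, not win32k or ntoskrnl symbols.

```c
/* Added example (not ReactOS code): models the cwc -> pool-size path of
 * NtGdiGetGlyphIndicesW with a defective and a guarded entry point.
 * The font table, MAX_GLYPH_COUNT and pool_alloc are constructed stand-ins. */
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

#define GDI_ERROR 0xFFFFFFFFu
#define GGI_MARK_NONEXISTING_GLYPHS 0x0001
#define MAX_GLYPH_COUNT 4096          /* assumed per-call cap, not a ReactOS value */

static int pool_zero_size_requests;   /* what expool.c's ASSERT(NumberOfBytes != 0) catches */

/* Stand-in for ExAllocatePoolWithTag: records zero-byte requests instead of asserting. */
static void *pool_alloc(size_t bytes)
{
    if (bytes == 0) { pool_zero_size_requests++; return NULL; }
    return malloc(bytes);
}
int zero_size_requests_seen(void) { return pool_zero_size_requests; }

/* Constructed "font": glyphs exist only for printable ASCII, index = ch - 0x1F. */
static uint16_t lookup_glyph(uint16_t ch)
{
    return (ch >= 0x20 && ch <= 0x7E) ? (uint16_t)(ch - 0x1F) : 0;
}

/* Before: trusts cwc, so cwc == 0 reaches the allocator with a zero size. */
uint32_t get_glyph_indices_unchecked(const uint16_t *pwc, int cwc, uint16_t *pgi, uint32_t iMode)
{
    uint16_t *buf = pool_alloc((size_t)cwc * sizeof(uint16_t));
    if (!buf) return GDI_ERROR;
    for (int i = 0; i < cwc; i++) {
        uint16_t g = lookup_glyph(pwc[i]);
        /* With GGI_MARK_NONEXISTING_GLYPHS a missing glyph is reported as 0xFFFF. */
        buf[i] = (g == 0 && (iMode & GGI_MARK_NONEXISTING_GLYPHS)) ? 0xFFFF : g;
    }
    if (pgi) for (int i = 0; i < cwc; i++) pgi[i] = buf[i];
    free(buf);
    return (uint32_t)cwc;
}

/* After: reject NULL, a non-positive count and an oversized count before allocating. */
uint32_t get_glyph_indices_checked(const uint16_t *pwc, int cwc, uint16_t *pgi, uint32_t iMode)
{
    if (!pwc || cwc <= 0 || cwc > MAX_GLYPH_COUNT) return GDI_ERROR;
    return get_glyph_indices_unchecked(pwc, cwc, pgi, iMode);
}
```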

      Attachments

        1. trick3.patch
          3 kB
        2. trick2.patch
          3 kB
        3. trick.patch
          1 kB
        4. freetype_Substitute_Min.patch
          0.5 kB
        5. Debug_Word2010.txt
          2 kB
        6. Debug_Word2010_trick3_OK.txt
          24 kB
        7. Debug_Word2010_trick2_OK.txt
          15 kB

        People

          Assignee: hbelusca
          Reporter: hbelusca
