From 94127492f2d2a75f60dd041776ce7ca69055fd9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20D=C3=B6singer?= <stefandoesinger@gmx.at>
Date: Thu, 24 May 2007 22:24:00 +0200
Subject: [PATCH] ddraw: Check the validy of IDirectDrawSurface::BltFast
 parameters.

---
 dlls/ddraw/surface.c        | 29 +++++++++++++++++++
 dlls/ddraw/tests/dsurface.c | 57 +++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)

diff --git a/dlls/ddraw/surface.c b/dlls/ddraw/surface.c
index 62e45505c89..2baac8141e1 100644
--- a/dlls/ddraw/surface.c
+++ b/dlls/ddraw/surface.c
@@ -2027,6 +2027,35 @@ IDirectDrawSurfaceImpl_BltFast(IDirectDrawSurface7 *iface,
     IDirectDrawSurfaceImpl *src = ICOM_OBJECT(IDirectDrawSurfaceImpl, IDirectDrawSurface7, Source);
     TRACE("(%p)->(%d,%d,%p,%p,%d): Relay\n", This, dstx, dsty, Source, rsrc, trans);
 
+    /* Source must be != NULL, This is not checked by windows. Windows happily throws a 0xc0000005
+     * in that case
+     */
+    if(rsrc)
+    {
+        if(rsrc->top > rsrc->bottom || rsrc->left > rsrc->right ||
+           rsrc->right > src->surface_desc.dwWidth ||
+           rsrc->bottom > src->surface_desc.dwHeight)
+        {
+            WARN("Source rectangle is invalid, returning DDERR_INVALIDRECT\n");
+            return DDERR_INVALIDRECT;
+        }
+        if(dstx + rsrc->right - rsrc->left > This->surface_desc.dwWidth ||
+           dsty + rsrc->bottom - rsrc->top > This->surface_desc.dwHeight)
+        {
+            WARN("Destination area out of bounds, returning DDERR_INVALIDRECT\n");
+            return DDERR_INVALIDRECT;
+        }
+    }
+    else
+    {
+        if(dstx + src->surface_desc.dwWidth > This->surface_desc.dwWidth ||
+           dsty + src->surface_desc.dwHeight > This->surface_desc.dwHeight)
+        {
+            WARN("Destination area out of bounds, returning DDERR_INVALIDRECT\n");
+            return DDERR_INVALIDRECT;
+        }
+    }
+
     EnterCriticalSection(&ddraw_cs);
     hr = IWineD3DSurface_BltFast(This->WineD3DSurface,
                                  dstx, dsty,
diff --git a/dlls/ddraw/tests/dsurface.c b/dlls/ddraw/tests/dsurface.c
index adafb87cd61..449e49f4845 100644
--- a/dlls/ddraw/tests/dsurface.c
+++ b/dlls/ddraw/tests/dsurface.c
@@ -2203,6 +2203,62 @@ static void PrivateDataTest(void)
     ok(ref2 == ref, "Object reference is %d, expected %d\n", ref2, ref);
 }
 
+static void BltParamTest(void)
+{
+    IDirectDrawSurface *surface1 = NULL, *surface2 = NULL;
+    DDSURFACEDESC desc;
+    HRESULT hr;
+    RECT valid = {10, 10, 20, 20};
+    RECT invalid1 = {20, 10, 10, 20};
+    RECT invalid2 = {20, 20, 20, 20};
+    RECT invalid3 = {-1, -1, 20, 20};
+    RECT invalid4 = {60, 60, 70, 70};
+
+    memset(&desc, 0, sizeof(desc));
+    desc.dwSize = sizeof(desc);
+    desc.dwFlags = DDSD_CAPS | DDSD_HEIGHT | DDSD_WIDTH;
+    desc.ddsCaps.dwCaps |= DDSCAPS_OFFSCREENPLAIN;
+    desc.dwHeight = 128;
+    desc.dwWidth = 128;
+    hr = IDirectDraw_CreateSurface(lpDD, &desc, &surface1, NULL);
+    ok(hr == DD_OK, "Creating an offscreen plain surface failed with %08x\n", hr);
+
+    desc.dwHeight = 64;
+    desc.dwWidth = 64;
+    hr = IDirectDraw_CreateSurface(lpDD, &desc, &surface2, NULL);
+    ok(hr == DD_OK, "Creating an offscreen plain surface failed with %08x\n", hr);
+
+    if(0)
+    {
+        /* This crashes */
+        hr = IDirectDrawSurface_BltFast(surface1, 0, 0, NULL, NULL, 0);
+        ok(hr == DD_OK, "BltFast from NULL surface returned %08x\n", hr);
+    }
+    hr = IDirectDrawSurface_BltFast(surface1, 0, 0, surface2, NULL, 0);
+    ok(hr == DD_OK, "BltFast from smaller to bigger surface returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, NULL, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast from bigger to smaller surface returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, &valid, 0);
+    ok(hr == DD_OK, "BltFast from bigger to smaller surface using a valid rectangle returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface2, 60, 60, surface1, &valid, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface1, 90, 90, surface2, NULL, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, &invalid1, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast with invalid rectangle 1 returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, &invalid2, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast with invalid rectangle 2 returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, &invalid3, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast with invalid rectangle 3 returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface1, 0, 0, surface2, &invalid4, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast with invalid rectangle 3 returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface1, 0, 0, surface1, NULL, 0);
+    ok(hr == DD_OK, "BltFast blitting a surface onto itself returned %08x\n", hr);
+
+    IDirectDrawSurface_Release(surface1);
+    IDirectDrawSurface_Release(surface2);
+}
+
 START_TEST(dsurface)
 {
     if (!CreateDirectDraw())
@@ -2222,5 +2278,6 @@ START_TEST(dsurface)
     CompressedTest();
     SizeTest();
     PrivateDataTest();
+    BltParamTest();
     ReleaseDirectDraw();
 }