> I have taken another look at it. I still think this specific problem
> should be fixed in wined3d. The problem occurs because BltFast (ddraw,
> d3d and d3d-gdi) all take two DWORDs as the offset write position, and
> then later cast them into a RECT structure which has signed values.
> This must for any caller be considered an error. No caller could get
> anything useful out of this.
>
> lock_dst.left = dstx; <--- bad cast!
> lock_dst.top = dsty; <--- bad cast!
> lock_dst.right = dstx + w; <--- bad cast!
> lock_dst.bottom = dsty + h; <--- bad cast!
>
> Why does this not trigger a warning? Not sure.

Indeed this does not sound right. The unsigned to signed assignment doesn't look right. However, a problem should only occur if the highest bit of the DWORD is set, in which case this would be a very high value and would exceed the surface dimensions. Such a huge surface can't be created without exceeding the 2 GB userland VM size. Most likely the check in dlls/ddraw/surface.c, line 2067, runs into a signedness issue too.
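
The signedness issue discussed in this exchange, as an added C example that is not part of the original mails and is not Wine code: it shows a signed bounds check accepting a DWORD offset with the high bit set, next to a check done while the values are still unsigned. The typedefs, `naive_signed_check` and `make_dst_rect` are hypothetical, the 640x480 surface is a constructed input, and the signed check is an assumed shape, not the code at surface.c line 2067.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Win32 types: DWORD is unsigned, LONG is signed, both 32 bits. */
typedef uint32_t DWORD;
typedef int32_t LONG;
typedef struct { LONG left, top, right, bottom; } RECT;

/* Hypothetical check (an assumption, not Wine's code): the DWORDs are assigned
 * to signed fields as in the quoted lines, then compared as signed values.
 * Returns 1 if the rectangle is accepted. */
int naive_signed_check(DWORD dstx, DWORD w, LONG surf_w)
{
    LONG left = (LONG)dstx;        /* negative on two's-complement targets if bit 31 is set */
    LONG right = (LONG)(dstx + w); /* the unsigned sum can also wrap before the cast */
    return left <= right && right <= surf_w;
}

/* Hypothetical hardened helper: validate while the values are still unsigned,
 * then fill the RECT. Returns 1 and writes *out on success, 0 otherwise. */
int make_dst_rect(DWORD dstx, DWORD dsty, DWORD w, DWORD h,
                  DWORD surf_w, DWORD surf_h, RECT *out)
{
    /* The surface size itself must be representable as LONG. */
    if (surf_w > (DWORD)INT32_MAX || surf_h > (DWORD)INT32_MAX) return 0;
    /* Subtraction form: dstx + w is not computed until it is known to fit. */
    if (dstx > surf_w || w > surf_w - dstx) return 0;
    if (dsty > surf_h || h > surf_h - dsty) return 0;
    out->left = (LONG)dstx;
    out->top = (LONG)dsty;
    out->right = (LONG)(dstx + w);
    out->bottom = (LONG)(dsty + h);
    return 1;
}

int main(void)
{
    RECT r;
    /* Constructed inputs on a 640x480 surface. */
    printf("naive,   dstx=0x80000000:        %d\n", naive_signed_check(0x80000000u, 16, 640));
    printf("naive,   dstx=0xFFFFFFF0 w=0x20: %d\n", naive_signed_check(0xFFFFFFF0u, 0x20, 640));
    printf("checked, dstx=0x80000000:        %d\n", make_dst_rect(0x80000000u, 0, 16, 16, 640, 480, &r));
    printf("checked, dstx=10 dsty=20:        %d\n", make_dst_rect(10, 20, 100, 50, 640, 480, &r));
    return 0;
}
```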