Bug ID: JDK-6547865 Crash in AwtComponent::PaintUpdateRgn(), on Windows

Type: Bug
Component: client-libs
Sub-Component: java.awt
Affected Version: 5.0,5.0u12,5.0u11

Priority: P2
Status: Closed
Resolution: Duplicate
OS: windows,windows_xp
CPU: x86

Submitted: 2007-04-19
Updated: 2014-02-27
Resolved: 2007-05-08

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

Other
5.0u13Resolved

While working with the fix for 6480378 I noticed the crash in AwtComponent::PaintUpdateRgn function. On my WinXP P4 2.8/HT desktop it occurs pretty regularly after a half an hour to hour of running a simple applet test. The applet contains a canvas and periodically shows and closes a new browser window with the same applet. The crash dump is attached.

EVALUATION The crash happens in the following line, marked with *: RECT* r = (RECT*)(buffer + rgndata->rdh.dwSize); RECT* un[2] = {0, 0}; for (DWORD i = 0; i < rgndata->rdh.nCount; i++, r++) { * int width = r->right-r->left; int height = r->bottom-r->top; if (width > 0 && height > 0) { The only possible problem is that 'r' pointer is invalid. After some investigation I have found this could happen if the call to ::GetRegionData() above this code returns an error value (zero). At the present moment we don't check if this function returns an error and treat this zero as a size for the future array. This lead to 'r' to be an invalid pointer.

19-04-2007

Duplicate :	JDK-5069955 - JRE/Browser crash during repaint - IE/XP on MP or HT systems.
Relates :	JDK-6480378 - Backport 5065001, 6259348 and others to 5.0 update release