KB3045171 Crash GDI+ with System.Drawing.Drawing2D.AddString - by Stavros Meimaroglou

ID: 1331855
Status: Active
Type: Bug
Repros: 10
Opened: 5/14/2015 4:14:44 AM
Access Restriction: Public


After installing KB3045171, System.Drawing.Drawing2D.AddString crashes with some specific characters in some system TTF fonts, like Arial Black, Batang etc. See the code:

        // Button click handler inside a System.Windows.Forms.Form (needs using System;)
        private void test_Click(object sender, EventArgs e)
        {
            string str = ")";
            // also strings : ~ ` ! " ( ) [ ] { } = < >    have similar problems

            System.Drawing.FontFamily fontFamily = new System.Drawing.FontFamily("Arial Black");
            // Also Arial Black, Batang, BatangChe, Dotum, DotumChe, Goudy Stout, Gulim, Gulim Che, Gungsuh,
            // Gungsuh Che, Wingdings, Wingdings 2, Wingdings 3, ZDingbats, Comic Sans MS have similar problems
            System.Drawing.Drawing2D.GraphicsPath path = new System.Drawing.Drawing2D.GraphicsPath();
            // style 0 = FontStyle.Regular, emSize 128, origin (0,0)
            path.AddString(str, fontFamily,  0, 128, new System.Drawing.Point(0, 0), new System.Drawing.StringFormat());    //*** Here it crashes ***
            // .... do some things like ...
            System.Drawing.RectangleF rect = path.GetBounds();
            // .... do some things
        }


This is the error I get:

System.Runtime.InteropServices.ExternalException was unhandled
  Message=A generic error occurred in GDI+.
       at System.Drawing.Drawing2D.GraphicsPath.AddString(String s, FontFamily family, Int32 style, Single emSize, Point origin, StringFormat format)
       at WindowsFormsApplication2.Form1.button1_Click(Object sender, EventArgs e) in c:\Users\Administrator\Desktop\VectorDraw\WindowsFormsApplication2\WindowsFormsApplication2\Form1.cs:line 37
       at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
       at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
       at System.Windows.Forms.Control.WndProc(Message& m)
       at System.Windows.Forms.ButtonBase.WndProc(Message& m)
       at System.Windows.Forms.Button.WndProc(Message& m)
       at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
       at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
       at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)
       at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
       at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
       at WindowsFormsApplication2.Program.Main() in c:\Users\Administrator\Desktop\VectorDraw\WindowsFormsApplication2\WindowsFormsApplication2\Program.cs:line 18
       at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
       at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()

Thank you
Stavros - VectorDraw
Posted by Daniel_Smith on 5/23/2015 at 10:29 AM
Mattheos - I'm not sure about XP (I don't work for Microsoft). We worked around the immediate problem by redesigning our custom TrueType fonts so the glyph orientations are correct. This keeps the Gdi+ bug from happening. We still get the error if a user uses one of the predefined system fonts with mis-oriented glyphs (like WingDings), but that is not nearly as common for us as our own fonts. We also support XP so I imagine this will still cause problems for our users too. I hope MS fixes it! I also hope MS makes the fix part of Windows Update so we don't need to tell our customers to install the Microsoft patch manually. Since Microsoft broke everything automatically, they should fix everything automatically as well.
Posted by Mattheos Kotzias on 5/21/2015 at 10:33 PM
Thank you Daniel for your fast notification, but what about Windows XP WEPOS? No fix for these systems? KB3045171 is installed on Windows WEPOS as a security update by Windows Update!

Do I need to set up a virtual machine for this and test if the Windows 2003 3065979 fix will work on systems with this OS?
Posted by Daniel_Smith on 5/21/2015 at 5:44 PM
Microsoft posted a fix for this. See https://support.microsoft.com/en-us/kb/3065979
Posted by Aytac Aksel on 5/20/2015 at 1:47 AM
// Needs: using System.Drawing; using System.Drawing.Drawing2D; using System.Drawing.Text; using System.Windows.Forms;
// stringText (the text), len (the em size) and st.startpoint.point (the origin) come from the caller
GraphicsPath TextPath = new GraphicsPath();
int fontStyle = (int)FontStyle.Regular;
int emSize = len;
PointF origin = st.startpoint.point;
StringFormat format = StringFormat.GenericDefault;
PrivateFontCollection pfc = new PrivateFontCollection();
pfc.AddFontFile(Application.StartupPath + "\\Font\\1CAMBam_Stick_9.ttf");
FontFamily family = pfc.Families[0];
TextPath.AddString(stringText, family, fontStyle, emSize, origin, format); // a generic error occurred in gdi+

We have had a hot day here after the 15 May update: endless phone calls from customers about the crash. We are getting "a generic error occurred in gdi+" after the Windows update.
You can draw the string "A", but if you try "B" you get the error.
Posted by Microsoft on 5/19/2015 at 7:18 PM
Thank you for reporting this issue and sharing the sample project. We have forwarded it to the GDIPlus team and are resolving this feedback item as external because it is external to the .Net Framework and Visual Studio. The GDIPlus team is working on it and will update its status in the "More Information" section of the following KB articles as the team finalizes the solution:
Please visit Windows forums : http://answers.microsoft.com/en-us/windows/forum to report problems and share workarounds in gdiplus.dll or other OS components.
Thank you,
The Windows Forms Product Team
Posted by Stavros Meimaroglou on 5/19/2015 at 5:16 AM
Marina, KB3057110 (see https://support.microsoft.com/en-us/kb/3057110) might also be responsible for the crash. KB3045171 is not the only update with the bug.
Posted by Marina Poggio on 5/19/2015 at 12:17 AM
Thanks Stavros,
we had the same problem with our program at our customers, and your feedback that the bug was related to Windows Update KB3045171 was very useful.
We had to uninstall that update and now it works!
We are waiting for Microsoft to fix it as soon as possible.
Posted by Daniel_Smith on 5/18/2015 at 8:24 AM
I've heard through other channels that Microsoft has acknowledged this as a bug in their KB3045171 update and they are working on a fix. A status update from Microsoft here would be appreciated. Thanks.
Posted by Mattias Mikkola on 5/15/2015 at 8:06 AM
We're seeing this issue since Wednesday as well. Opened an MSDN Support ticket hoping for a quick resolution.
Posted by hgkhg on 5/15/2015 at 2:02 AM
It is killing me. All my customers' editing scripts have disappeared.
Posted by Mattheos Kotzias on 5/14/2015 at 11:27 PM
I get tons of calls and emails from customers all over the world! Please fix it ASAP!

I can only suggest to my customers to remove KB3045171 from their system, and I get as an answer "but it is a critical update!"

It is very urgent!
Posted by Daniel_Smith on 5/14/2015 at 2:49 PM
Here is the stack trace to the faulting routine that I provided the disassembly for:

>    GdiPlus.dll!cjFillPolygon()    Unknown
    GdiPlus.dll!lQueryTTOutline()    Unknown
    GdiPlus.dll!ttfdQueryGlyphOutline()    Unknown
    GdiPlus.dll!ttfdQueryFontData()    Unknown
    GdiPlus.dll!ttfdSemQueryFontData()    Unknown
    GdiPlus.dll!GpFaceRealization::InsertGlyphPath(unsigned short,int)    Unknown
    GdiPlus.dll!GpFaceRealization::GetGlyphPath(unsigned short,class GpGlyphPath * *,class PointF *)    Unknown
    GdiPlus.dll!FullTextImager::DrawGlyphs(class GpTextItem const *,class GpFontFace const *,float,unsigned short const *,int,unsigned int,class GpStringFormat const *,int,int,unsigned short const *,unsigned short const *,unsigned short const *,int const *,class Point const *,unsigned int,struct tagPOINT const *,int,struct lsrun::Adjustment *)    Unknown
    GdiPlus.dll!FullTextImager::GdipLscbkDrawGlyphs(struct ols *,struct lsrun *,int,int,unsigned short const *,int const *,int const *,struct tagGOFFSET *,unsigned short *,unsigned char const *,unsigned long,unsigned long,unsigned int,struct tagPOINT const *,struct heights const *,long,long,struct tagRECT const *)    Unknown
    GdiPlus.dll!DisplayText()    Unknown
    GdiPlus.dll!DisplayText()    Unknown
    GdiPlus.dll!LsDisplayLine()    Unknown
    GdiPlus.dll!FullTextImager::RenderLine(class BuiltLine const *,int)    Unknown
    GdiPlus.dll!FullTextImager::Render(void)    Unknown
    GdiPlus.dll!FullTextImager::AddToPath(class GpPath *,class PointF const *)    Unknown
    GdiPlus.dll!GpPath::AddString(unsigned short const *,int,class GpFontFamily const *,int,float,class RectF const *,class GpStringFormat const *)    Unknown
    GdiPlus.dll!GdipAddPathString()    Unknown
    GsDrawud.dll!Gdiplus::GraphicsPath::AddString(const wchar_t * string=0x000000000012d3b0, int length=1, const Gdiplus::FontFamily * family=0x000000000012d508, int style=0, float emSize=1000.00000, const Gdiplus::PointF & origin={...}, const Gdiplus::StringFormat * format=0x000000000012d478) Line 606    C++
Posted by tfiner on 5/14/2015 at 11:32 AM
I'm seeing the same problem as Mr. Smith.
Posted by Daniel_Smith on 5/14/2015 at 11:12 AM
I added some commented disassembly that shows the problem as an attachment in case it helps.
Posted by Daniel_Smith on 5/14/2015 at 11:03 AM
This is a little ironic. They added a buffer overflow exploit in their security update...
Posted by Daniel_Smith on 5/14/2015 at 10:59 AM
We are seeing the same problem in our commercial apps. Microsoft has introduced a bug in Gdi+ as part of KB3045171. It appears they changed a loop index in the function cjFillPolygon from a signed value to an unsigned value. This loop index counts down. When it gets to 0 they decrement it once more causing an underflow. It is then used to access an internal array past the end of the buffer. This results in an access violation on Windows 7.
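The signed-to-unsigned loop-index bug Daniel_Smith describes above, reconstructed as an added illustration in C. This is not GDI+ code and not code from anyone on this thread: the edge table, the fill_* function names, the fill_result_t type and the bounds-checked read_edge helper are all assumptions made for the example so that the wrap-around can be observed without actually faulting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the pattern described above: a fill routine walks an
 * edge table from the last entry down to entry 0. Not GDI+ code; the types,
 * names and sample data are assumptions made for this example. */

typedef struct { int y0, y1; } edge_t;

typedef struct {
    size_t visited;   /* entries processed before the loop stopped */
    long   span_sum;  /* sum of (y1 - y0): stands in for the real fill work */
    int    oob;       /* 1 if the loop asked for an index outside the table */
    size_t bad_idx;   /* the offending index when oob == 1 */
} fill_result_t;

/* Constructed sample table (not real glyph data). */
static const edge_t sample_edges[] = { {0, 10}, {10, 15}, {15, 22}, {22, 30} };
#define SAMPLE_COUNT (sizeof sample_edges / sizeof sample_edges[0])

/* Bounds-checked read. In the real bug the read is unchecked and faults;
 * here it records the bad index so the wrap-around can be observed safely. */
static int read_edge(const edge_t *edges, size_t count, size_t idx,
                     edge_t *out, fill_result_t *r)
{
    if (idx >= count) {
        r->oob = 1;
        r->bad_idx = idx;
        return 0;
    }
    *out = edges[idx];
    return 1;
}

/* Buggy form: unsigned countdown with `i >= 0` as the exit test. The test is
 * never false for an unsigned type, so after entry 0 is processed `i--`
 * wraps to SIZE_MAX and the next read is far past the end of the table. */
fill_result_t fill_unsigned_countdown(const edge_t *edges, size_t count)
{
    fill_result_t r = { 0, 0, 0, 0 };
    if (count == 0)
        return r;
    size_t i = count - 1;
    while (i >= 0) {                   /* always true: this is the bug */
        edge_t e;
        if (!read_edge(edges, count, i, &e, &r))
            break;
        r.span_sum += e.y1 - e.y0;
        r.visited++;
        i--;                           /* 0 - 1 wraps to SIZE_MAX */
    }
    return r;
}

/* Pre-change form: a signed index, so `i >= 0` fails once i reaches -1. */
fill_result_t fill_signed_countdown(const edge_t *edges, size_t count)
{
    fill_result_t r = { 0, 0, 0, 0 };
    for (long i = (long)count - 1; i >= 0; i--) {
        edge_t e;
        if (!read_edge(edges, count, (size_t)i, &e, &r))
            break;
        r.span_sum += e.y1 - e.y0;
        r.visited++;
    }
    return r;
}

/* Correct unsigned countdown: test before decrementing, so the body runs for
 * count-1 .. 0 and the loop exits without ever using the wrapped value. */
fill_result_t fill_unsigned_safe(const edge_t *edges, size_t count)
{
    fill_result_t r = { 0, 0, 0, 0 };
    for (size_t i = count; i-- > 0; ) {
        edge_t e;
        if (!read_edge(edges, count, i, &e, &r))
            break;
        r.span_sum += e.y1 - e.y0;
        r.visited++;
    }
    return r;
}

int main(void)
{
    fill_result_t a = fill_unsigned_countdown(sample_edges, SAMPLE_COUNT);
    fill_result_t b = fill_signed_countdown(sample_edges, SAMPLE_COUNT);
    fill_result_t c = fill_unsigned_safe(sample_edges, SAMPLE_COUNT);
    printf("unsigned >= 0 : visited %zu, oob %d, bad index %zu\n",
           a.visited, a.oob, a.bad_idx);
    printf("signed        : visited %zu, oob %d, span %ld\n",
           b.visited, b.oob, b.span_sum);
    printf("unsigned safe : visited %zu, oob %d, span %ld\n",
           c.visited, c.oob, c.span_sum);
    return 0;
}
```

The buggy variant processes all four entries correctly and then asks for index SIZE_MAX, which is the "one decrement too many" in the description; in the real library that read is unchecked, so it becomes the access violation seen in cjFillPolygon. The `for (i = count; i-- > 0; )` idiom is the usual way to count down with an unsigned index without reintroducing the wrap.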
Posted by Microsoft on 5/14/2015 at 5:04 AM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If you require immediate assistance with this issue, please contact product support at http://support.microsoft.com/ph/1117.