[Bug 9731] New: GdiConvertToDevmodeW trying to copy -32 bytes on memcpy
http://bugs.winehq.org/show_bug.cgi?id=9731

           Summary: GdiConvertToDevmodeW trying to copy -32 bytes on memcpy
           Product: Wine
           Version: 0.9.45.
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: wine-gdi-(printing)
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: myxfce(a)gmail.com

Created an attachment (id=8168)
 --> (http://bugs.winehq.org/attachment.cgi?id=8168)
Crash report

I'm having problems running an old Win 3.11 game named Mortuum. Wine crashes before the game starts. After some debugging, I noticed the crash happens in file gdi32/driver.c on function DEVMODEW * WINAPI GdiConvertToDevmodeW(const DEVMODEA *dmA).

This function tries to memcpy bytes from the structure dmA to the structure dmW (that was allocated by a HeapAlloc()). Unfortunately, it tries to copy -32 bytes because dmA->dmSize is 0 bytes and CCHDEVICENAME is 32 bytes.

I've attached a small piece of code that shows where the memcpy is done around line 425 on that file.

    ...
    dmW = HeapAlloc(GetProcessHeap(), 0, dmW_size + dmA->dmDriverExtra);
    if (!dmW) return NULL;

    MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmDeviceName, CCHDEVICENAME,
                        dmW->dmDeviceName, CCHDEVICENAME);
    //===============================CRASH=========================
    /* copy slightly more, to avoid long computations */
    memcpy(&dmW->dmSpecVersion, &dmA->dmSpecVersion, dmA->dmSize - CCHDEVICENAME);
    //===============================CRASH=========================

    if (dmA->dmSize >= (const char *)dmA->dmFormName - (const char *)dmA + CCHFORMNAME)
    {
        MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmFormName, CCHFORMNAME,
                            dmW->dmFormName, CCHFORMNAME);
        if (dmA->dmSize > (const char *)&dmA->dmLogPixels - (const char *)dmA)
            memcpy(&dmW->dmLogPixels, &dmA->dmLogPixels,
                   dmA->dmSize - ((const char *)&dmA->dmLogPixels - (const char *)dmA));
    }
    ...
I tried to debug more to look for the root of the problem (why dmA->dmSize is 0) but there were too many calls and I couldn't figure out where the dmA structure was allocated and populated.

I've attached the crash report and if you need the game to test, just ask, it's freeware.

Tested on 0.9.44 and 0.9.45.

--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
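The length computation from the report above, as an added C example (not Wine's code and not the fix that was later committed): it shows what `dmA->dmSize - CCHDEVICENAME` becomes when dmSize is 0, next to one way to validate dmSize before copying. The struct `devmode_head` and the functions `unguarded_len`, `guarded_copy` and `demo` are hypothetical names, and the struct is a simplified stand-in for the leading DEVMODEA fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CCHDEVICENAME 32

/* Constructed stand-in for the leading fields of DEVMODEA (not Wine's header). */
struct devmode_head {
    uint8_t  dmDeviceName[CCHDEVICENAME];
    uint16_t dmSpecVersion, dmDriverVersion, dmSize, dmDriverExtra;
    uint32_t dmFields;
};

/* Length the reported expression hands to memcpy: dmSize is promoted to int,
 * the subtraction goes negative, and the conversion to size_t wraps around. */
size_t unguarded_len(uint16_t dm_size)
{
    return (size_t)(dm_size - CCHDEVICENAME);
}

/* Hypothetical guard: dmSize must cover the dmSize field itself, stay within
 * the known structure, and fit in dst. Returns bytes copied, or -1. */
long guarded_copy(void *dst, size_t dst_room, const struct devmode_head *a)
{
    size_t min_size = offsetof(struct devmode_head, dmSize) + sizeof a->dmSize;
    if (a->dmSize < min_size || a->dmSize > sizeof *a)
        return -1;
    size_t n = (size_t)a->dmSize - CCHDEVICENAME;
    if (n > dst_room)
        return -1;
    memcpy(dst, (const uint8_t *)a + CCHDEVICENAME, n);
    return (long)n;
}

/* Run the guard on a constructed, zero-filled sample with the given dmSize. */
long demo(uint16_t dm_size, size_t dst_room)
{
    struct devmode_head a = {0};
    uint8_t dst[64];
    a.dmSize = dm_size;
    return guarded_copy(dst, dst_room, &a);
}

int main(void)
{
    printf("unguarded: %zu, guarded dmSize=0: %ld, dmSize=44: %ld\n",
           unguarded_len(0), demo(0, 64), demo(44, 64));
}
```

On a 64-bit build the unguarded length for dmSize 0 is 18446744073709551584 bytes, which is why the memcpy faults instead of copying nothing.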
http://bugs.winehq.org/show_bug.cgi?id=9731

Detlef Riekenberg <wine.dev(a)web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wine.dev(a)web.de
http://bugs.winehq.org/show_bug.cgi?id=9731

--- Comment #1 from Lei Zhang <thestig(a)google.com> 2007-10-09 13:39:45 ---
Can you post a link to the freeware game?
http://bugs.winehq.org/show_bug.cgi?id=9731

--- Comment #2 from Bruno Jesus <myxfce(a)gmail.com> 2007-10-16 10:26:17 ---
(In reply to comment #1)
> Can you post a link to the freeware game?

I'm so sorry, I should have posted the link as soon as I added the bug report.

http://200.143.13.75:3080/Mortuum.zip
http://bugs.winehq.org/show_bug.cgi?id=9731

Dan Kegel <dank(a)kegel.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dank(a)kegel.com

--- Comment #3 from Dan Kegel <dank(a)kegel.com> 2007-10-16 11:39:06 ---
Here are some links about the game:
http://www.mobygames.com/game/mortuum
http://home.arkansasusa.com/eroberts/files/games/wingames.html

Looks like it was once at the URLs
ftp://ftp.pht.com/pub/gamehead/m/mortuum.zip
ftp://ftp.cdrom.com/.2/games/win/arcade/mortuum.zip

Perhaps archive.org has a copy (I can't check, they're down)
http://bugs.winehq.org/show_bug.cgi?id=9731

Dan Kegel <dank(a)kegel.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1

--- Comment #4 from Dan Kegel <dank(a)kegel.com> 2007-10-16 12:00:20 ---
+relay agrees, the call that triggered the crash was

000c:Call GDI.53: CREATEDC(122701c0 "DIB",00000000 (null),00000000 (null),1297:0004) ret=1217:2ea7 ds=1227
http://bugs.winehq.org/show_bug.cgi?id=9731

--- Comment #5 from Austin English <austinenglish(a)gmail.com> 2008-04-15 01:02:37 ---
Is this still an issue in current (0.9.59 or newer) wine?
http://bugs.winehq.org/show_bug.cgi?id=9731

Detlef Riekenberg <wine.dev(a)web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #6 from Detlef Riekenberg <wine.dev(a)web.de> 2008-04-15 05:13:59 ---
This crash was fixed by Dmitry on 20. Dec. 2007

The app died later:
err:dc:CreateDCW no driver found for L"DIB"

but this is a new bug.

--
By by ... Detlef
http://bugs.winehq.org/show_bug.cgi?id=9731

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Alexandre Julliard <julliard(a)winehq.org> 2008-04-18 11:03:20 ---
Closing bugs reported fixed in 0.9.60.
http://bugs.winehq.org/show_bug.cgi?id=9731

Bruno Jesus <00cpxxx(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |c3fe9ec2f74ed135df1fb08faf13730050734b95

--- Comment #8 from Bruno Jesus <00cpxxx(a)gmail.com> 2012-03-28 23:13:40 CDT ---
Filling fields.