https://bugs.winehq.org/show_bug.cgi?id=56367 Daniel Kamil Kozar <dkk089(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.winehq.org/sho | |w_bug.cgi?id=39534 -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=56367 Andrew Nguyen <arethusa26(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Ever confirmed|0 |1 Status|UNCONFIRMED |NEW --- Comment #1 from Andrew Nguyen <arethusa26(a)gmail.com> --- I can confirm the Tomb Raider 3 demo crashes on wine-9.4. The read-only protection on the IDirectDraw vtable concealed a buffer overrun that becomes apparent when the vtable was made writable. The overrun occurs when the game modifies during IDirect3D2::EnumDevices enumeration the contents of the buffer holding the device description string for the DirectDraw reference device. The buffer happens to be located just before the IDirectDraw vtable: Thread 1 "01c0" hit Hardware watchpoint 1: ddraw1_vtbl.Compact Old value = (HRESULT (*)(IDirectDraw *)) 0x78267b60 <ddraw1_Compact> New value = (HRESULT (*)(IDirectDraw *)) 0x6e6f69 Wine-gdb> print ddraw1_vtbl $2 = {QueryInterface = 0x72614320, AddRef = 0x6d452064, Release = 0x74616c75, Compact = 0x6e6f69, CreateClipper = 0x7826d400 <ddraw1_CreateClipper>, CreatePalette = 0x78262ce0 <ddraw1_CreatePalette>, ... Wine-gdb> print (char *)&ddraw1_vtbl $3 = 0x7829c080 <ddraw1_vtbl> " Card Emulation" Wine-gdb> info symbol (char *)&ddraw1_vtbl - 1 reference_description + 23 in section .data of /home/arethusa/wine32/dlls/ddraw/i386-windows/ddraw.dll Wine-gdb> print (char *)&ddraw1_vtbl - 24 $4 = 0x7829c068 <reference_description> "Core Design MMX Hardware Card Emulation" Reserving some extra space in the reference_description array declared inside the d3d3_EnumDevices implementation function avoids the buffer overrun and prevents the game from crashing. I also notice that Windows 8 and newer versions implement an additional integrity protection of the IDirectDraw vtable. The function pointers in the vtable continue to be mutable, but when all IDirectDraw instances are destroyed and a new instance is created again, the original vtable function pointers are restored to undo any modifications. This remediation logic is not necessary to resolve the crash in the Tomb Raider 3 demo but it would also have been an effective solution, since the game releases all DirectDraw instances it used for device enumeration before it creates a new one for the game launch. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=56367 --- Comment #3 from Daniel Kamil Kozar <dkk089(a)gmail.com> --- Fantastic job Andrew, thank you very much. I can confirm that your patch applied to current master (4860fbe7) resolves this issue for the GOG version as well and the game runs just fine. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=56367 Alexandre Julliard <julliard(a)winehq.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #5 from Alexandre Julliard <julliard(a)winehq.org> --- Closing bugs fixed in 9.5. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=56367 Michael Stefaniuc <mstefani(a)winehq.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|9.0.x |--- --- Comment #6 from Michael Stefaniuc <mstefani(a)winehq.org> --- Removing the 9.0.x milestone from bug fixes included in 9.0.1. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.