[Bug 4200] New: map_image() can cause segfault
http://bugs.winehq.org/show_bug.cgi?id=4200

           Summary: map_image() can cause segfault
           Product: Wine
           Version: 0.9.4.
          Platform: Other
        OS/Version: other
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: wine-loader
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: areiter(a)websense.com

Basically, to make this short (could go into more detail, but my knowledge of the wine loader code is just *ok*, not really good):

I was attempting to run a less-than-perfect PE file (seems to be a broken worm). I was obviously prepared for it to not run -- perhaps the loader to error out since it was an invalid PE file (at least XPSP2 believes so -- and I've reversed other Win32 loader code and they'd error too), but I got a segfault, unfortunately.

I narrowed the issue down to dlls/ntdll/virtual.c::map_image():

    1014 memset( ptr + sec->VirtualAddress + file_size, 0, end - file_size );

ptr is ok:

    (gdb) p ptr
    $142 = 0x400000 "MZ\220"

VA for the section seems ok:

    (gdb) p sec->VirtualAddress
    $143 = 49152

Same with file_size (I believe), but the issue is with the length of the memset().

    (gdb) p end
    $144 = 3815
    (gdb) p file_size
    $145 = 110873

As you can see at virtual.c:1014, memset() uses (end-file_size) as the length to zero out. However, (end-file_size) creates a "bad" value since end is less than file_size. By at least C90 standards, the length field for memset() is a size_t which is unsigned ... etc etc.

I don't really have a solution as I am not really all that knowledgeable with really what some of the code is doing, but it seems that at least adding an assert() or a test for this instead of blindly passing (end-file_size) would be a good thing.

Anyway, not a major bug, but the loader should try its best to at least not crash.

If you need a test file, please feel free to contact me at areiter _ at _ websense.com.
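The length computation the report points at, as an added C example that is not Wine's code and not part of the bug report: the unchecked `end - file_size` wraps to a value near SIZE_MAX when `end < file_size`, while a guarded version zeroes nothing and bounds the tail against the mapping. The section values are the ones printed in the gdb session above; the function names, the `base`/`map_size` model of the image mapping and the 64 KiB buffer pre-filled with 0xAA are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section geometry copied from the gdb session in the report. */
#define REPORT_VA         49152u   /* $143: sec->VirtualAddress */
#define REPORT_END        3815u    /* $144: end */
#define REPORT_FILE_SIZE  110873u  /* $145: file_size */

/* The length expression the report points at: end - file_size passed
 * straight to memset. Both operands are unsigned, so when end < file_size
 * the difference wraps to a value close to SIZE_MAX and memset would run
 * far past the end of the mapping. */
size_t naive_zero_fill_len(size_t end, size_t file_size)
{
    return end - file_size;
}

/* Guarded length: the tail to zero is only defined when the bytes taken
 * from the file stop short of the section's in-memory end. Anything else
 * means nothing beyond the file data needs zeroing. */
size_t checked_zero_fill_len(size_t end, size_t file_size)
{
    return (file_size < end) ? end - file_size : 0;
}

/* Model of the zero-fill step for one section inside a mapping of
 * map_size bytes at base (hypothetical, modelled on the report's
 * description rather than on Wine's map_image). Returns false when the
 * section does not fit inside the mapping, so a caller can reject the
 * image instead of touching memory it does not own. */
bool zero_section_tail(unsigned char *base, size_t map_size,
                       size_t va, size_t end, size_t file_size)
{
    size_t len = checked_zero_fill_len(end, file_size);
    if (va > map_size || end > map_size - va)  /* [va, va+end) outside map */
        return false;
    if (len) memset(base + va + file_size, 0, len);
    return true;
}

/* Self-check over a constructed 64 KiB mapping pre-filled with 0xAA so
 * that zeroed bytes are visible. Returns true when both cases behave. */
bool demo(void)
{
    static unsigned char map[65536];
    memset(map, 0xAA, sizeof map);

    /* Well-formed section: 100 file bytes, 512 bytes in memory -> 412 zeroed. */
    if (!zero_section_tail(map, sizeof map, 4096, 512, 100)) return false;
    if (map[4096 + 99] != 0xAA || map[4096 + 100] != 0 ||
        map[4096 + 511] != 0 || map[4096 + 512] != 0xAA)
        return false;

    /* The report's section: end < file_size, so nothing may be zeroed. */
    if (!zero_section_tail(map, sizeof map, REPORT_VA, REPORT_END, REPORT_FILE_SIZE))
        return false;
    for (size_t i = REPORT_VA; i < REPORT_VA + REPORT_END; i++)
        if (map[i] != 0xAA) return false;
    return true;
}

int main(void)
{
    printf("naive length:   %zu\n", naive_zero_fill_len(REPORT_END, REPORT_FILE_SIZE));
    printf("checked length: %zu\n", checked_zero_fill_len(REPORT_END, REPORT_FILE_SIZE));
    bool ok = demo();
    printf("demo %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The two checks in `zero_section_tail` are independent: the length guard handles the inconsistent `end < file_size` case from the report, and the range check keeps `[va, va+end)` inside the mapping even when the lengths are consistent but the section header points outside the image.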