[Bug 45034] New: Hired Team: Trial Gold(2001) crashes with setup_exception_record stack overflow
https://bugs.winehq.org/show_bug.cgi?id=45034

            Bug ID: 45034
           Summary: Hired Team: Trial Gold(2001) crashes with setup_exception_record stack overflow
           Product: Wine
           Version: 3.6
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs(a)winehq.org
          Reporter: spleefer90(a)gmail.com
      Distribution: ---

Tested under Wine-devel 32/64-bit and wine-staging 64-bit, result is the same under all. The Wine-devel 32-bit prefix was completely fresh.

I tried running this in a different TTY and launched the game from there. This got rid of the BPP fixme but it still crashed.

xinit /usr/bin/xterm -- :1 -ac -depth 16
WINEPREFIX=~/wine/wine32 wine Shine.exe
0009:fixme:x11drv:X11DRV_desktop_SetCurrentMode Cannot change screen BPP from 32 to 16
0009:err:seh:setup_exception_record stack overflow 1184 bytes in thread 0009 eip 7bc45116 esp 00230e90 stack 0x230000-0x231000-0x330000

The game uses DX7.0a/OpenGL(?). If I can provide any other info, please do tell what's needed.

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
                 CC|                            |focht(a)gmx.net
            Summary|Hired Team: Trial           |Hired Team: Trial
                   |Gold(2001) crashes with     |Gold(2001) crashes with
                   |setup_exception_record      |setup_exception_record
                   |stack overflow              |stack overflow
                   |                            |(GL_EXTENSION string
                   |                            |overflow)
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #1 from Anastasius Focht <focht(a)gmx.net> ---
Hello folks,

dupe of bug 25362

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/NMG/HTT/Bin

$ WINEDEBUG=+seh,+relay wine ./Shine.exe >>log.txt 2>&1
...
0039:Call opengl32.glGetString(00001f03) ret=2005f303
0039:Ret opengl32.glGetString() retval=00176048 ret=2005f303
0039:Call msvcrt.vsprintf(0032de54,20086ad4 "GL_EXTENSIONS:\n",0032e664) ret=1013f442
0039:Ret msvcrt.vsprintf() retval=0000000f ret=1013f442
0039:Call msvcrt.vsprintf(0032cd44,0032de54 "GL_EXTENSIONS:\n",0032dd50) ret=101251a7
0039:Ret msvcrt.vsprintf() retval=0000000f ret=101251a7
...
0039:Call msvcrt.strtok(0032e670 "GL_ARB_multisample GL_EXT_abgr GL_EXT_bgra GL_EXT_blend_color GL_EXT_blend_minmax GL_EXT_blend_subtract GL_EXT_copy_texture GL_EXT_polygon_offset GL_EXT_subtexture GL_EXT_texture_object GL_EXT_vertex_array GL_EXT_compiled_vertex_array GL_EXT_texture GL_EXT_texture3D GL_IBM_rasterpos_clip GL_ARB_point"...,2007f430 " ") ret=2005f35b
0039:Ret msvcrt.strtok() retval=0032e670 ret=2005f35b
0039:Call msvcrt.vsprintf(0032de50,20086acc " %s\n",0032e660) ret=1013f442
0039:Ret msvcrt.vsprintf() retval=00000015 ret=1013f442
0039:Call msvcrt.vsprintf(0032cd40,0032de50 " GL_ARB_multisample\n",0032dd4c) ret=101251a7
0039:Ret msvcrt.vsprintf() retval=00000015 ret=101251a7
...
0039:Call msvcrt.vsprintf(0032d944,0032de54 "\n",0032dd50) ret=1013c33e
0039:Ret msvcrt.vsprintf() retval=00000001 ret=1013c33e
0039:Call msvcrt.strchr(0032d944 "\n",0000000a) ret=1013c374
0039:Ret msvcrt.strchr() retval=0032d944 ret=1013c374
0039:Call msvcrt.strncpy(00c18000,00c13c00 "",000001ff) ret=1013c3e8
0039:Ret msvcrt.strncpy() retval=00c18000 ret=1013c3e8
0039:Call msvcrt.strncat(00c18000 "",0032d944 "\n",00000000) ret=1013c426
0039:Ret msvcrt.strncat() retval=00c18000 ret=1013c426
0039:Call msvcrt.vsprintf(0032d524,00c18000 "",0032d930) ret=1013c232
0039:Ret msvcrt.vsprintf() retval=00000000 ret=1013c232
0039:Call msvcrt.strncpy(00be8000,0032d524 "",000001ff) ret=1013c2dd
0039:Ret msvcrt.strncpy() retval=00be8000 ret=1013c2dd
0039:Call msvcrt._ftol() ret=1013c2eb
0039:Ret msvcrt._ftol() retval=0000000000000000 ret=1013c2eb
0039:Call msvcrt._ftol() ret=10127605
0039:Ret msvcrt._ftol() retval=00000000000347c3 ret=10127605
0039:Call msvcrt.strchr(0032d944 "",0000000a) ret=1013c374
0039:Ret msvcrt.strchr() retval=00000000 ret=1013c374
0039:Call msvcrt.strncat(00c13c00 "",0032d944 "",000001ff) ret=1013c49e
0039:Ret msvcrt.strncat() retval=00c13c00 ret=1013c49e
0039:trace:seh:raise_exception code=c0000005 flags=0 addr=0x2005f39f ip=2005f39f tid=0039
0039:trace:seh:raise_exception  info[0]=00000000
0039:trace:seh:raise_exception  info[1]=61703042
0039:trace:seh:raise_exception  eax=00000000 ebx=0133a000 ecx=0032f7a0 edx=61703032 esi=20086ac0 edi=0032fe2b
0039:trace:seh:raise_exception  ebp=0032f7ac esp=0032e664 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210212
0039:trace:seh:call_stack_handlers calling handler at 0x616c5f67 code=c0000005 flags=0
0039:trace:seh:raise_exception code=c0000005 flags=0 addr=0x616c5f67 ip=616c5f67 tid=0039
0039:trace:seh:raise_exception  info[0]=00000000
0039:trace:seh:raise_exception  info[1]=616c5f67
0039:trace:seh:raise_exception  eax=0032e1fc ebx=00000023 ecx=616c5f67 edx=7bc91675 esi=0000002b edi=0000002b
0039:trace:seh:raise_exception  ebp=0032e1a8 esp=0032e17c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210216
0039:trace:seh:call_stack_handlers calling handler at 0x7bc91675 code=c0000005 flags=0
0039:trace:seh:call_stack_handlers handler at 0x7bc91675 returned 2
0039:trace:seh:call_stack_handlers calling handler at 0x616c5f67 code=c0000005 flags=10
...
0039:trace:seh:call_stack_handlers calling handler at 0x616c5f67 code=c00000fd flags=10
0039:err:seh:setup_exception_record stack overflow 1408 bytes in thread 0039 eip f7c635fd esp 00230db0 stack 0x230000-0x231000-0x330000
--- snip ---

Broken code in 'RendOGL.dll' for proof:

--- snip ---
Executable modules:

Base = 20000000
Size = 00477000 (4681728.)
Entry = 2006E0DD
Name = RendOGL
Type =
File version =
Static links = GDI32, ijl15, KERNEL32, MSVCRT, png, Sipl, USER32, WINMM, zlib
Path = C:\Program Files (x86)\NMG\HTT\Bin\RendOGL.dll
--- snip ---

--- snip ---
2005EFF0  PUSH EBP
2005EFF1  MOV EBP,ESP
2005EFF3  PUSH -1
2005EFF5  PUSH 2006F450
2005EFFA  MOV EAX,DWORD PTR FS:[0]
2005F000  PUSH EAX
2005F001  MOV DWORD PTR FS:[0],ESP
2005F008  PUSH ECX
2005F009  MOV EAX,112C
2005F00E  CALL 2006DE80                                  ; allocate 0x112C on stack
...
2005F2F5  ADD ESP,10
2005F2F8  PUSH 1F03                                      ; enum GL_EXTENSIONS
2005F2FD  CALL DWORD PTR DS:[203992B4]                   ; opengl32.glGetString()
2005F303  MOV DWORD PTR DS:[EBX+4444],EAX                ; result buffer
2005F309  MOV EAX,DWORD PTR DS:[2041D0B4]
2005F30E  PUSH OFFSET 20086AD4                           ; ASCII "GL_EXTENSIONS:"
2005F313  PUSH 4
2005F315  MOV ECX,DWORD PTR DS:[EAX]
2005F317  PUSH EAX
2005F318  CALL DWORD PTR DS:[ECX+3C]                     ; log string/message
2005F31B  MOV EDI,DWORD PTR DS:[EBX+4444]
2005F321  OR ECX,FFFFFFFF
2005F324  XOR EAX,EAX
2005F326  ADD ESP,0C
2005F329  REPNE SCAS BYTE PTR ES:[EDI]
2005F32B  NOT ECX
2005F32D  SUB EDI,ECX
2005F32F  LEA EDX,[EBP-113C]
2005F335  MOV EAX,ECX
2005F337  MOV ESI,EDI
2005F339  MOV EDI,EDX
2005F33B  SHR ECX,2
2005F33E  REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; corrupt stk
2005F340  MOV ECX,EAX
2005F342  PUSH OFFSET 2007F430
2005F347  AND ECX,00000003
2005F34A  REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
2005F34C  MOV ESI,DWORD PTR DS:[<&MSVCRT.strtok>]
2005F352  LEA ECX,[EBP-113C]
2005F358  PUSH ECX
2005F359  CALL ESI                                       ; MSVCRT.strtok
2005F35B  ADD ESP,8
2005F35E  TEST EAX,EAX
2005F360  JE SHORT 2005F382                              ; all extensions processed
2005F362  MOV ECX,DWORD PTR DS:[2041D0B4]
2005F368  PUSH EAX
2005F369  PUSH OFFSET 20086ACC                           ; ASCII " %s"
2005F36E  PUSH 4
2005F370  MOV EDX,DWORD PTR DS:[ECX]
2005F372  PUSH ECX
2005F373  CALL DWORD PTR DS:[EDX+3C]                     ; log string/message
2005F376  ADD ESP,10
2005F379  PUSH OFFSET 2007F430
2005F37E  PUSH 0
2005F380  JMP SHORT 2005F359
2005F382  MOV EAX,DWORD PTR DS:[2041D0B4]
2005F387  PUSH OFFSET 2007D1F8
2005F38C  PUSH 4
2005F38E  PUSH EAX
2005F38F  MOV ECX,DWORD PTR DS:[EAX]
2005F391  CALL DWORD PTR DS:[ECX+3C]                     ; log string/message
2005F394  MOV EDX,DWORD PTR SS:[EBP-1C]                  ; garbage due to stack corrupt
2005F397  ADD ESP,0C
2005F39A  MOV ESI,OFFSET 20086AC0                        ; ASCII "FullScreen"
2005F39F  MOV EAX,DWORD PTR DS:[EDX+10]                  ; *boom*
2005F3A2  TEST EAX,EAX
2005F3A4  JNE SHORT 2005F3AB
...
--- snip ---

Game starts fine if you work around with:

--- snip ---
$ export MESA_EXTENSION_MAX_YEAR=2001
$ wine ./Shine.exe
--- snip ---

Tidbit: You can configure the game to windowed mode ('fullscreen=0') and custom resolutions by editing 'Shine.ini'.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/NMG/HTT/Bin

$ grep -Hrni -B 5 fullscreen Shine.ini
Shine.ini-18-ZDepth = 16
Shine.ini-19-StencilDepth = 8
Shine.ini-20-width = 1024
Shine.ini-21-height = 768
Shine.ini-22-colordepth = 16
Shine.ini:23:fullscreen = 0
--- snip ---

ProtectionID scan:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\NMG\HTT\Bin\Shine.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 28672 (07000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x3A6D5691 -> Tue 23rd Jan 2001 10:01:53 (GMT)
[TimeStamp] 0x3A6D5691 -> Tue 23rd Jan 2001 10:01:53 (GMT) | PE Header | - | Offset: 0x000000F0 | VA: 0x004000F0 | -
[TimeStamp] 0x3A6D5691 -> Tue 23rd Jan 2001 10:01:53 (GMT) | Export | - | Offset: 0x00002014 | VA: 0x00402014 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000000100000000 (0x00000100)
[Entrypoint Section Entropy] : 5.40 (section #0) ".text " | Size : 0x20C (524) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0x7000 (28672) byte(s)
[Export] 100% of function(s) (3 of 3) are in file | 0 are forwarded | 3 code | 0 data | 0 uninit data | 0 unknown |
[ModuleReport]
[IAT] Modules -> ShineEng.dll | USER32.dll | MSVCRT.dll | KERNEL32.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.246 Second(s) [0000000F6h (246) tick(s)] [506 of 580 scan(s) done]

Scanning -> C:\Program Files (x86)\NMG\HTT\Bin\ShineEng.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 1765376 (01AF000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x3A7FE821 -> Tue 06th Feb 2001 12:03:45 (GMT)
[TimeStamp] 0x3A7FE821 -> Tue 06th Feb 2001 12:03:45 (GMT) | PE Header | - | Offset: 0x00000128 | VA: 0x10000128 | -
[TimeStamp] 0x3A7FE821 -> Tue 06th Feb 2001 12:03:45 (GMT) | Export | - | Offset: 0x0015A004 | VA: 0x1015A004 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000000100000000 (0x00000100)
[Entrypoint Section Entropy] : 6.69 (section #0) ".text " | Size : 0x14AA62 (1354338) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0x508000 (5275648) byte(s)
[Export] 80% of function(s) (4 of 5) are in file | 0 are forwarded | 4 code | 1 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : New Media Generation
[VersionInfo] Product Name : New Media Generation ShineEng
[VersionInfo] Product Version : 1. 0. 0. 1
[VersionInfo] File Description : ShineEng
[VersionInfo] File Version : 1. 0. 0. 1
[VersionInfo] Original FileName : ShineEng.dll
[VersionInfo] Internal Name : ShineEng
[VersionInfo] Legal Copyrights : Copyright © 1998
[ModuleReport]
[IAT] Modules -> WINMM.dll | COMCTL32.dll | Shine.exe | zlib.dll | KERNEL32.dll | USER32.dll | GDI32.dll | ADVAPI32.dll | ole32.dll | AVIFIL32.dll | MSVFW32.dll | MSVCRT.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.598 Second(s) [000000256h (598) tick(s)] [246 of 580 scan(s) done]
--- snip ---

$ wine --version
wine-3.6-105-g448344c5e4

Regards

*** This bug has been marked as a duplicate of bug 25362 ***
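The overflow traced in the comment above, as an added example that is not part of the bug report or of the game's code: a check for whether a given GL_EXTENSIONS string fits the frame RendOGL.dll reserves before it is copied, beside a bounds-safe version of the logging loop that tokenises the driver's string in place instead of copying it to a fixed stack buffer for strtok. GAME_FRAME_BYTES is the 0x112C from the disassembly; the sample extension names and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Frame RendOGL.dll reserves around the copy ("MOV EAX,112C" above); the
 * buffer at [EBP-113C] shares it with other locals, so capacity is less. */
#define GAME_FRAME_BYTES 0x112C

/* 1 if an unbounded strlen+NUL copy (what REPNE SCAS / REP MOVS do) overflows cap. */
int would_overflow(const char *ext, size_t cap) { return strlen(ext) + 1 > cap; }

/* Bounds-safe form of the game's loop: walk the space-separated GL_EXTENSIONS
 * string in place instead of copying it into a fixed buffer for strtok.
 * Each token goes to emit (may be NULL); returns the number of tokens. */
int log_extensions(const char *ext, void (*emit)(const char *, size_t))
{
    int count = 0;
    const char *p = ext;
    while (*p) {
        p += strspn(p, " ");            /* skip separators */
        size_t n = strcspn(p, " ");     /* next token length */
        if (n == 0) break;              /* only trailing spaces left */
        if (emit) emit(p, n);
        count++;
        p += n;
    }
    return count;
}

/* Constructed sample (hypothetical names): n extensions GL_EXT_sample_<i>,
 * so the caller can build strings below or above the game's capacity. */
const char *build_sample(int n)
{
    static char buf[16384];
    size_t used = 0;
    buf[0] = '\0';
    for (int i = 0; i < n; i++) {
        int w = snprintf(buf + used, sizeof buf - used,
                         "%sGL_EXT_sample_%d", i ? " " : "", i);
        if (w < 0 || (size_t)w >= sizeof buf - used) break;
        used += (size_t)w;
    }
    return buf;
}
static void print_token(const char *s, size_t n) { printf(" %.*s\n", (int)n, s); }

int main(void)
{
    const char *s = build_sample(300);  /* modern-driver-sized string */
    printf("%zu bytes needed, frame %#x, overflow=%d\n", strlen(s) + 1,
           GAME_FRAME_BYTES, would_overflow(s, GAME_FRAME_BYTES));
    return log_extensions("GL_ARB_multisample GL_EXT_abgr", print_token) != 2;
}
```

A 2001-era driver string of a few hundred bytes passes the check, which is why MESA_EXTENSION_MAX_YEAR=2001 also avoids the crash; a current driver's string does not.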
André H. <nerv(a)dawncrow.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nerv(a)dawncrow.de
             Status|RESOLVED                    |CLOSED

--- Comment #2 from André H. <nerv(a)dawncrow.de> ---
closing dup
--- Comment #3 from C0rn3j <spleefer90@gmail.com> ---
The issue is the game logging the extension string into the console using too small a buffer.

I have patched RendOGL.dll using Ghidra and an LLM to help me out with it to no longer log the extensions (extension checking works otherwise, it's just the logging that is now disabled); now it no longer needs the workaround variable and launches fine.

RendOGL.dll: https://cloud.rys.rs/s/PzYaHjafNeocrma

Note that this is for the Czech version of the game but I presume opengl32.dll (RendOGL.dll) is the same across the different versions - if not, it should be trivial to patch in the same jump away using Ghidra (look for glGetString and go from there).