https://bugs.winehq.org/show_bug.cgi?id=54741
Bug ID: 54741
Summary: integer overflow in get_dib_stride / NtGdiCreateBitmap
Product: Wine
Version: 8.4
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdi32
Assignee: wine-bugs(a)winehq.org
Reporter: felix-wine(a)fefe.de
Distribution: ---
Here's the source code of NtGdiCreateBitmap:
97 HBITMAP WINAPI NtGdiCreateBitmap( INT width, INT height, UINT planes,
98 UINT bpp, const void *bits )
99 {
Having INT for width and height is already bad, but can't be helped because you
are implementing a crappy API.
105 if (width > 0x7ffffff || height > 0x7ffffff)
106 {
107 RtlSetLastWin32Error( ERROR_INVALID_PARAMETER );
108 return 0;
109 }
110
111 if (!width || !height)
112 return 0;
113
114 if (height < 0)
115 height = -height;
116 if (width < 0)
117 width = -width;
After this the value of width and height is 1..0x7ffffff (7 digits, not 8).
bpp is validated to be at most 32.
140 dib_stride = get_dib_stride( width, bpp );
141 size = dib_stride * height;
142 /* Check for overflow (dib_stride itself must be ok because of the constraint on bm.bmWidth above). */
143 if (dib_stride != size / height)
Here's the code of get_dib_stride:
282 static inline int get_dib_stride( int width, int bpp )
283 {
284 return ((width * bpp + 31) >> 3) & ~3;
285 }
width can be 0x7ffffff, bpp can be 32.
width*bpp is then 0xffffffe0 which looks at first glance like no overflow
happened, but the type is still int, i.e. signed 32-bit, i.e. max value is
0x7fffffff (8 digits), max bpp to trigger that would be 16 not 32.
We are right-shifting afterwards, so we ought to be fine? Nope, because we are
operating on signed ints, so it's an arithmetic right shift, not a logical one.
The & does not remove the sign bit. So what happens here is that get_dib_stride
can return a negative value.
OK but NtGdiCreateBitmap checks for overflow and will notice something is
wrong.
Not really. If width=height=0x7ffffff and bpp=32 then get_dib_stride=-4.
Then size is -4*0x7ffffff promoted to size_t, or 0xe0000004.
The overflow check does this:
143 if (dib_stride != size / height)
size/0x7ffffff is 0xfffffffc.
dib_stride is -4, promoted to size_t for the comparison is also 0xfffffffc.
Also: On the way we had undefined behavior. The compiler would be allowed to do
all kinds of nasty things.
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
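The arithmetic in the report, worked through in code. This is an added illustration, not the report's text or Wine's code: the first function emulates the 32-bit wrap with unsigned arithmetic (so the demonstration does not itself depend on signed-overflow undefined behaviour) and shows how the sign bit survives the shift and mask; the second is an assumed hardened variant that does the stride math in 64 bits and rejects anything that does not fit an int stride or a size_t total. The bounds 0x7ffffff and 32 are the ones the report quotes from NtGdiCreateBitmap.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds NtGdiCreateBitmap enforces before calling get_dib_stride, as quoted
   in the report: 1 <= |width|, |height| <= 0x7ffffff and bpp <= 32. */
#define MAX_DIM 0x7ffffff
#define MAX_BPP 32

/* Reproduction of the report's arithmetic. Signed overflow is undefined in C,
   so the 32-bit wrap is emulated with unsigned arithmetic and the result is
   then reinterpreted as a two's-complement int; ">> 3" is an arithmetic shift
   on gcc/clang, which is what lets the sign bit survive the "& ~3". */
static int get_dib_stride_wrapped(int width, int bpp)
{
    uint32_t bits = (uint32_t)width * (uint32_t)bpp + 31u;  /* wraps mod 2^32 */
    int64_t v = bits;
    if (v > INT32_MAX) v -= (int64_t)1 << 32;              /* e.g. 0xffffffff -> -1 */
    return (int)((v >> 3) & ~3);                            /* -1 >> 3 == -1, & ~3 == -4 */
}

/* Hardened variant (assumed design, not Wine's code): compute the stride in
   64 bits, reject a stride that does not fit an int, and only then multiply
   by the height, rejecting a total that does not fit size_t. */
static bool dib_size_checked(int width, int height, int bpp,
                             int *stride_out, size_t *size_out)
{
    if (width <= 0 || height <= 0 || width > MAX_DIM || height > MAX_DIM) return false;
    if (bpp <= 0 || bpp > MAX_BPP) return false;

    uint64_t bits   = (uint64_t)width * (uint64_t)bpp + 31;   /* <= 2^32 + 31 */
    uint64_t stride = (bits / 8) & ~(uint64_t)3;              /* DWORD-aligned row */
    if (stride > INT_MAX) return false;

    uint64_t size = stride * (uint64_t)height;                /* < 2^31 * 2^27 = 2^58 */
#if SIZE_MAX < UINT64_MAX
    if (size > SIZE_MAX) return false;                        /* 32-bit size_t */
#endif
    *stride_out = (int)stride;
    *size_out   = (size_t)size;
    return true;
}

int main(void)
{
    int stride;
    size_t size;
    printf("wrapped stride(0x7ffffff, 32) = %d\n", get_dib_stride_wrapped(MAX_DIM, 32));
    if (dib_size_checked(MAX_DIM, MAX_DIM, 32, &stride, &size))
        printf("checked: stride=%d size=%zu\n", stride, size);
    else
        printf("checked: rejected (total does not fit size_t on this platform)\n");
    return 0;
}
```

For width = 0x7ffffff and bpp = 32 the wrapped emulation returns -4, while the 64-bit computation gives the mathematically correct stride 0x1ffffffc; the checked total then either fits size_t (64-bit builds) or is rejected outright (32-bit builds) instead of silently wrapping.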
https://bugs.winehq.org/show_bug.cgi?id=54732
Bug ID: 54732
Summary: schedsvc:atsvcapi & schedsvc:rpcapi crash on a fresh
wineprefix
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: taskschd
Assignee: wine-bugs(a)winehq.org
Reporter: fgouget(a)codeweavers.com
Distribution: ---
schedsvc:atsvcapi & schedsvc:rpcapi crash on a fresh wineprefix.
The issue is the same for both tests so I'll focus on the latter:
$ rm -rf ~/.wine && WINEDEBUG=schedsvc ./wine dlls/schedsvc/tests/i386-windows/schedsvc_test.exe rpcapi
rpcapi.c:64: Tests skipped: Can't connect to Scheduler service: 0x6d9
0020:rpcapi: 0 tests executed (0 marked as todo, 0 as flaky, 0 failures), 1 skipped.
What really happens is that the call to SchRpcHighestVersion() crashes even
before reaching the TRACE() statement. And schedsvc:rpcapi interprets that as
being unable to connect to the scheduler service.
Running schedsvc:rpcapi multiple times does not help. However if one runs
taskschd:scheduler once in that wineprefix, then there is no problem:
$ rm -rf ~/.wine && ./wine dlls/taskschd/tests/i386-windows/taskschd_test.exe scheduler
...
# Wait until sure that Wine has fully shut down
$ sleep 10; ./wine dlls/schedsvc/tests/i386-windows/schedsvc_test.exe rpcapi
rpcapi.c:268: L"<!-- Task definition created by Wine -->\n<Task
...
In particular this means that when submitting a TestBot job for these tests,
they systematically skip which prevents detecting failures.
(For merge requests there is one 32-bit only full WineTest run which would
catch at least some regressions.)
http://bugs.winehq.org/show_bug.cgi?id=36711
Bug ID: 36711
Summary: Civ 4 Colonization cannot load Save games, Crashes
Product: Wine
Version: 1.6.2
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs(a)winehq.org
Reporter: typoofcem(a)gmail.com
Created attachment 48756
--> http://bugs.winehq.org/attachment.cgi?id=48756
Error output from when app crashes
Sid Meier's Civilization 4 Colonization (from the complete edition, not the
standalone) crashes when the user attempts to load a saved game in Wine. The issue
does not affect Civ 4 or its expansions from the complete edition.
Note: game is being played from a complete install, without DVD-ROM (if that
makes any difference)
https://bugs.winehq.org/show_bug.cgi?id=53714
Bug ID: 53714
Summary: proxyodbc SQLGetInfoW wrong behaviour when InfoValue
null
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: odbc
Assignee: wine-bugs(a)winehq.org
Reporter: pollyielderah(a)gmail.com
Distribution: ---
Difference between odbc and proxyodbc.
Expected behaviour:
Calling proxyodbc SQLGetInfoW with a null InfoValue should fill StringLength with
the total number of bytes to be written. This allows creating an appropriately
sized buffer for the second call.
Current behaviour:
proxyodbc SQLGetInfoW logs warning "Unexpected NULL InfoValue address" and
returns SQL_ERROR without returning bytes to be written.
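The two-call contract the report expects, modelled in C. This is an added example and not Wine's proxyodbc or any ODBC driver: model_get_info_w is an assumed stand-in for the driver side of SQLGetInfoW (its value argument plays the role of the string the driver would return for the requested InfoType, as 16-bit units), and fetch_info_string is the caller-side pattern of querying the length with a NULL InfoValue, allocating, and calling again. The return-code values are the ones the ODBC headers define; the sample string is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ODBC return codes (values as defined by the ODBC headers). */
#define SQL_SUCCESS            0
#define SQL_SUCCESS_WITH_INFO  1
#define SQL_ERROR            (-1)

static size_t u16len(const uint16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Model of the SQLGetInfoW string contract (assumption: a stand-in for the
   driver, not Wine's proxyodbc). Always reports the full byte length,
   treats a NULL InfoValue as a pure length query, and truncates with
   SQL_SUCCESS_WITH_INFO when the buffer is too small. */
static short model_get_info_w(const uint16_t *value, void *info_value,
                              short buffer_length, short *string_length)
{
    size_t n = u16len(value);
    size_t total = n * sizeof(uint16_t);                      /* bytes, excluding terminator */
    if (total > 0x7fff) return SQL_ERROR;                     /* would not fit the out-parameter */
    if (string_length) *string_length = (short)total;

    /* Expected behaviour from the report: a NULL InfoValue is a length query. */
    if (!info_value) return SQL_SUCCESS;

    if (buffer_length < 0) return SQL_ERROR;
    size_t room = (size_t)buffer_length / sizeof(uint16_t);   /* units the buffer holds */
    if (room == 0) return SQL_SUCCESS_WITH_INFO;              /* not even a terminator fits */

    size_t copy = n < room - 1 ? n : room - 1;                /* keep space for the terminator */
    memcpy(info_value, value, copy * sizeof(uint16_t));
    ((uint16_t *)info_value)[copy] = 0;
    return copy < n ? SQL_SUCCESS_WITH_INFO : SQL_SUCCESS;
}

/* Caller side: the two-call pattern the report describes. Returns a malloc'd,
   terminated copy and its length in units, or NULL on any error. */
static uint16_t *fetch_info_string(const uint16_t *value, size_t *units_out)
{
    short bytes = 0;
    if (model_get_info_w(value, NULL, 0, &bytes) != SQL_SUCCESS) return NULL;

    size_t buflen = (size_t)bytes + sizeof(uint16_t);         /* room for the terminator */
    uint16_t *buf = malloc(buflen);
    if (!buf) return NULL;

    short written = 0;
    if (model_get_info_w(value, buf, (short)buflen, &written) != SQL_SUCCESS
        || written != bytes) {                                /* truncated, or the length changed */
        free(buf);
        return NULL;
    }
    if (units_out) *units_out = (size_t)bytes / sizeof(uint16_t);
    return buf;
}

/* Constructed sample: the string a driver might return for some info type. */
static const uint16_t SAMPLE_INFO[] = { 'P','o','s','t','g','r','e','S','Q','L', 0 };

int main(void)
{
    size_t units = 0;
    uint16_t *s = fetch_info_string(SAMPLE_INFO, &units);
    printf("fetched %zu units, %s\n", units,
           s && memcmp(s, SAMPLE_INFO, sizeof SAMPLE_INFO) == 0 ? "match" : "mismatch");
    free(s);
    return 0;
}
```

The caller deliberately treats SQL_SUCCESS_WITH_INFO on the second call as a failure rather than using the truncated data: if the first call did not report the length (which is what the reported proxyodbc behaviour amounts to), this pattern fails closed instead of working with a guessed buffer size.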
https://bugs.winehq.org/show_bug.cgi?id=53032
Bug ID: 53032
Summary: winedevice.exe segfaults on exit (Segmentation fault)
in Wine 7.9
Product: Wine
Version: 7.9
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wineserver
Assignee: wine-bugs(a)winehq.org
Reporter: aros(a)gmx.com
Distribution: ---
This is a regression or maybe it's down to GCC 12.1 - I don't know.
When exiting wine, winedevice.exe segfaults all the time.
I cannot get a bt and my attempts of using gdb have been futile.
(gdb) c
Continuing.
[LWP 495578 exited]
[LWP 495577 exited]
[LWP 495576 exited]
[LWP 495573 exited]
Thread 5 "winedevice.exe" received signal SIGSEGV, Segmentation fault.
[Switching to LWP 495599]
0x7e68a2bf in ?? ()
(gdb) bt
#0 0x7e68a2bf in ?? ()
Backtrace stopped: Cannot access memory at address 0x1fe
Wine is built using: -O2 -march=pentium-m -m32
https://bugs.winehq.org/show_bug.cgi?id=53027
Bug ID: 53027
Summary: Port Royale 4 crashes with wined3d_texture*
Product: Wine
Version: 7.9
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: directx-d3d
Assignee: wine-bugs(a)winehq.org
Reporter: berillions(a)gmail.com
Distribution: ---
Created attachment 72398
--> https://bugs.winehq.org/attachment.cgi?id=72398
Vulkan backtrace
Hi,
This time, I used Wine unpatched :-D
The game crashes at the same place with the OpenGL and Vulkan renderers.
Launching the game works, as does navigating the menu and beginning a new game.
The issue appears during loading when I start a new game.
I attach the backtraces for the OpenGL and Vulkan renderers.
https://bugs.winehq.org/show_bug.cgi?id=52545
Bug ID: 52545
Summary: [PATCH] ACE rights parser should allow octal and
decimal formats
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: advapi32
Assignee: wine-bugs(a)winehq.org
Reporter: ake.rehnman(a)gmail.com
Distribution: ---
Created attachment 71859
--> https://bugs.winehq.org/attachment.cgi?id=71859
Patch
The security descriptor parser should accept the octal and decimal numeric formats in
addition to hex:
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT)
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d…
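A parser for the ace-rights production quoted above, as an added example that is not the attached patch or Wine's advapi32 code. It accepts the three numeric forms from the grammar with overflow checking (an ACCESS_MASK is 32 bits, and the hex form is limited to eight digits as the grammar says) and a small constructed subset of the two-letter text tokens with the mask values the Windows SDK assigns them. Two choices are this example's own assumptions: the "0x" prefix is matched case-insensitively, and a leading "0" followed by a non-octal digit such as "08" is rejected rather than reinterpreted as decimal.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Subset of the SDDL two-letter rights tokens with their Windows SDK access-mask
   values (constructed table for the example; the real list is longer). */
static const struct { const char *tok; uint32_t mask; } TEXT_RIGHTS[] = {
    { "GA", 0x10000000u }, { "GR", 0x80000000u }, { "GW", 0x40000000u }, { "GX", 0x20000000u },
    { "RC", 0x00020000u }, { "SD", 0x00010000u }, { "WD", 0x00040000u }, { "WO", 0x00080000u },
    { "FA", 0x001F01FFu },
};

/* ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT), with overflow checking. */
static bool parse_numeric_rights(const char *s, uint32_t *out)
{
    unsigned base;
    const char *p = s;
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {       /* hex: 1 to 8 digits (case of 'x': assumption) */
        p += 2;
        size_t n = strlen(p);
        if (n == 0 || n > 8) return false;
        base = 16;
    } else if (s[0] == '0' && s[1] != '\0') {                 /* octal: "0" then digits 0-7 */
        p += 1;
        base = 8;
    } else {
        base = 10;                                            /* decimal, including a lone "0" */
    }
    if (*p == '\0') return false;

    uint64_t v = 0;
    for (; *p; p++) {
        unsigned d;
        if (*p >= '0' && *p <= '9') d = (unsigned)(*p - '0');
        else if (base == 16 && *p >= 'a' && *p <= 'f') d = (unsigned)(*p - 'a' + 10);
        else if (base == 16 && *p >= 'A' && *p <= 'F') d = (unsigned)(*p - 'A' + 10);
        else return false;
        if (d >= base) return false;                          /* "08" is rejected (assumption) */
        v = v * base + d;
        if (v > UINT32_MAX) return false;                     /* an ACCESS_MASK is 32 bits */
    }
    *out = (uint32_t)v;
    return true;
}

/* ace-rights = (*text-rights-string) / numeric form. Returns false on any
   token or number that does not match the grammar, leaving *out untouched. */
static bool parse_ace_rights(const char *s, uint32_t *out)
{
    if (s[0] >= '0' && s[0] <= '9') return parse_numeric_rights(s, out);

    uint32_t mask = 0;
    for (; *s; s += 2) {
        if (s[1] == '\0') return false;                       /* dangling single character */
        bool found = false;
        for (size_t i = 0; i < sizeof TEXT_RIGHTS / sizeof TEXT_RIGHTS[0]; i++) {
            if (s[0] == TEXT_RIGHTS[i].tok[0] && s[1] == TEXT_RIGHTS[i].tok[1]) {
                mask |= TEXT_RIGHTS[i].mask;
                found = true;
                break;
            }
        }
        if (!found) return false;
    }
    *out = mask;
    return true;
}
```

The numeric path accumulates in a 64-bit value and fails as soon as it exceeds UINT32_MAX, so a decimal or octal string that does not fit the mask is an error rather than a silently wrapped value; an empty string parses to an empty text-rights-string, which is mask 0.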
https://bugs.winehq.org/show_bug.cgi?id=42857
Bug ID: 42857
Summary: Can't select a fixture in FreeStyler's fixture editor
Product: Wine
Version: 2.6
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs(a)winehq.org
Reporter: florian-edelmann(a)online.de
Distribution: ---
Created attachment 57958
--> https://bugs.winehq.org/attachment.cgi?id=57958
Console output. Starting the fixture editor in line 31
Installing worked fine after installing two verbs with winetricks (vb6run and
mfc42).
Starting all bundled applications also works as expected.
However, as soon as I select a fixture (opening the folder is no problem), the
Fixture Editor hangs and eventually opens a small, all-black dialog and exits
when I close that. The same happens in the main application (FreeStyler) when
clicking on Setup in the menu, and then on Add/Remove fixtures.
In the console output (full output attached), the following lines are repeated:
fixme:olepicture:OleLoadPictureEx
(0xcbaafc,2359,1,{00020400-0000-0000-c000-000000000046},x=0,y=0,f=0,0x32f368),
partially implemented.
fixme:ole:CLSIDFromProgIDEx L"Scripting.FileSystemObject",0x32f3a4: semi-stub
fixme:scrrun:filesys_QueryInterface Unsupported interface
{7fd52380-4e07-101b-ae2d-08002b2ec713}
fixme:scrrun:filesys_QueryInterface Unsupported interface
{37d84f60-42cb-11ce-8135-00aa004bb851}
fixme:scrrun:file_get_DateLastModified (0x1beb920)->(0x32f1e8)
Only the first number in the last line is changed every time.
I replaced a lot of those sections in the log to meet the 5MB file size limit.
https://bugs.winehq.org/show_bug.cgi?id=53645
Bug ID: 53645
Summary: AIMP 3 memory leak
Product: Wine
Version: 7.16
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: -unknown
Assignee: wine-bugs(a)winehq.org
Reporter: HarlanStaggs(a)gmail.com
Distribution: ---
How to reproduce:
1) Open AIMP3 with wine (for example AIMP v3.60 build 1503).
2) Play some music.
3) Open a system monitor that shows RAM usage.
4) Every 1-2 seconds AIMP will take 1-2 MB of your RAM, and it won't stop.
5) After several hours it will take 6-8 GB of RAM.
I never saw this behaviour on Windows, and I could not reproduce this bug in
AIMP2.
I used system wine (7.16) and wine in Lutris (lutris 7.2-2) - memory leak
appears in both.
https://bugs.winehq.org/show_bug.cgi?id=53569
Bug ID: 53569
Summary: postgresql installer 9.3 needs fixed fso.GetTempName
Product: Wine
Version: 7.11
Hardware: x86
URL: https://www.enterprisedb.com/downloads/postgres-postgr
esql-downloads
OS: Linux
Status: NEW
Keywords: download, Installer, source
Severity: minor
Priority: P2
Component: scrrun
Assignee: wine-bugs(a)winehq.org
Reporter: sloper42(a)yahoo.com
CC: austinenglish(a)gmail.com, sloper42(a)yahoo.com
Depends on: 46083, 53565
Distribution: Fedora
This is a follow-up of Bug #53565.
Noticed in the postgresql 9.3.25-1 installer. When starting the installer, a script
called prerun_checks is executed. There is an issue executing the following line:
Temp_Path = strSystemRoot & "\" & fso.GetTempName() & ".vbs"
".vbs" is not appended to Temp_Path, because GetTempName returns the wrong BSTR
length.