http://bugs.winehq.org/show_bug.cgi?id=25362
Anastasius Focht focht@gmx.net changed:
What          |Removed                          |Added
----------------------------------------------------------------------------
Keywords      |                                 |download
Status        |UNCONFIRMED                      |RESOLVED
URL           |                                 |http://www.brothersoft.com/games/return-to-castle-wolfenstein-single-player-download.html
CC            |                                 |focht@gmx.net
Version       |unspecified                      |1.3.8
Resolution    |                                 |WONTFIX
Summary       |Error running Return to Castle   |Return to Castle Wolfenstein 1.0.x crashes
              |Wolfenstein                      |(returned GL_EXTENSION > 4096 bytes, truncation
              |                                 |code buggy, corrupts stack)
--- Comment #2 from Anastasius Focht focht@gmx.net 2011-06-18 04:42:42 CDT ---

Hello,
confirming:
--- snip ---
...
0021:Ret  window proc 0x444940 (hwnd=0x1007a,msg=WM_COMMAND,wp=03000064,lp=0001008a) retval=00000000
0021:Ret  window proc 0x7569b9e8 (hwnd=0x1008a,msg=EM_REPLACESEL,wp=00000000,lp=019b5820) retval=00000001
0021:Ret  user32.SendMessageA() retval=00000001 ret=00444edc
0021:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5f746e65 ip=5f746e65 tid=0021
0021:trace:seh:raise_exception  info[0]=00000000
0021:trace:seh:raise_exception  info[1]=5f746e65
0021:trace:seh:raise_exception  eax=676f7270 ebx=7b893ff4 ecx=019be808 edx=019bf84a esi=00defc9c edi=019bf8bd
0021:trace:seh:raise_exception  ebp=019bfcc4 esp=019bf840 cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00010206
0021:trace:seh:call_vectored_handlers calling handler at 0x687ecde9 code=c0000005 flags=0
0021:trace:seh:call_vectored_handlers handler at 0x687ecde9 returned 0
0021:trace:seh:call_stack_handlers calling handler at 0x4c82fc code=c0000005 flags=0
...
Unhandled exception: page fault on read access to 0x5f746e65 in 32-bit code (0x5f746e65).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:5f746e65 ESP:019bf840 EBP:019bfcc4 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:676f7270 EBX:7b893ff4 ECX:019be808 EDX:019bf84a
 ESI:00defc9c EDI:019bf8bd
Stack dump:
0x019bf840:  676f7270 5f6d6172 000a706f 00000000
0x019bf850:  004edc58 01171940 00000000 004edc68
0x019bf860:  01171140 00000000 004edc94 01171540
0x019bf870:  004ebed0 00501330 00000000 01171159
0x019bf880:  004ebb50 004ebb48 004edc88 004edc7c
0x019bf890:  00447c3b 00000000 00000001 00004000
Backtrace:
=>0 0x5f746e65 (0x019bfcc4)
  1 0x00442246 in wolfspdemo (+0x42245) (0x019bfe60)
  2 0x7b85fa50 call_process_entry+0xb() in kernel32 (0x019bfe78)
...
0x5f746e65: -- no code accessible --
Modules:
Module  Address               Debug info  Name (74 modules)
PE        400000- 11bc000   Export          wolfspdemo
ELF     20000000-200b8000   Deferred        opengl32<elf>
  -PE   20020000-200b8000   \               opengl32
ELF     200b8000-200ba000   Deferred        libnvidia-tls.so.260.19.06
ELF     200ba000-21757000   Deferred        libnvidia-glcore.so.260.19.06
--- snip ---
It's a bug in the game itself. The RTCW code collects system/graphics card specs and uses a 4096-byte buffer on the stack for sprintf-like formatting. Unfortunately, when it comes to OpenGL extensions, the extension string returned is a bit longer on various systems.
--- snip ---
...
0044762A  68 40111701      PUSH OFFSET 01171140            ; ASCII "GeForce GT 425M/PCI/SSE2"
0044762F  68 68DC4E00      PUSH OFFSET 004EDC68            ; ASCII "GL_RENDERER: %s "
00447634  6A 00            PUSH 0
00447636  FF15 00211601    CALL DWORD PTR DS:[1162100]     ; sprintf like formatting
0044763C  68 40191701      PUSH OFFSET 01171940            ; ASCII "4.1.0 NVIDIA 260.19.06"
00447641  68 58DC4E00      PUSH OFFSET 004EDC58            ; ASCII "GL_VERSION: %s "
00447646  6A 00            PUSH 0
00447648  FF15 00211601    CALL DWORD PTR DS:[1162100]     ; sprintf like formatting
0044764E  68 401D1701      PUSH OFFSET 01171D40            ; ASCII " GL_ARB_blend_func_extended GL_ARB_color_buffer_float GL_ARB_compatibility GL_ARB_copy_buffer GL_ARB_depth_buffer_float GL_ARB_depth_clamp GL_ARB_depth_texture GL_ARB_draw_buffers GL_ARB_draw_buffers_blend GL_ARB_draw_indirect GL_ARB_dra"...
00447653  68 44DC4E00      PUSH OFFSET 004EDC44            ; ASCII "GL_EXTENSIONS: %s "
00447658  6A 00            PUSH 0                          ; <goes boom upon return due to stack corruption>
0044765A  FF15 00211601    CALL DWORD PTR DS:[1162100]     ; sprintf like formatting ; not reached
--- snip ---
My OpenGL extensions string is ~5600 bytes. The game code allocates 4096 bytes on the stack and "truncates" any longer string - not very elegant. Unfortunately it calculates the buffer bounds wrong, by 0x10 bytes in excess, and this leads to overwriting the return address while truncating. It doesn't happen if the OpenGL extension string is < 4096 bytes.
Return address overwritten before return: ==> indicates ESP:
--- snip ---
$-10    6D617267
$-C     5F4C4720
$-8     665F564E
$-4     6D676172
$ ==>  /5F746E65   ; damaged, should be return address
$+4    |676F7270   ; damaged, should be NULL
$+8    |5F6D6172   ; damaged, should be format string
$+C    |000A706F   ; damaged, should be GL_EXTENSIONS string ptr
$+10   |00000000
$+14   |004EDC58   ; ASCII "GL_VERSION: %s"
$+18   |01171940   ; ASCII "4.1.0 NVIDIA 260.19.06"
$+1C   |00000000
$+20   |004EDC68   ; ASCII "GL_RENDERER: %s"
$+24   |01171140   ; ASCII "GeForce GT 425M/PCI/SSE2"
$+28   |00000000
$+2C   |004EDC94   ; ASCII 0A,"GL_VENDOR:"
$+30   |01171540   ; ASCII "NVIDIA Corporation"
$+34   |004EBED0   ; ASCII "sys_cpustring"
$+38   |00501330
$+3C   |00000000
$+40   |01171159
$+44   |004EBB50   ; ASCII "disabled"
$+48   |004EBB48   ; ASCII "enabled"
$+4C   |004EDC88   ; ASCII "windowed"
$+50   |004EDC7C   ; ASCII "fullscreen"
$+54   |00447C3B   ; RETURN from WolfSPDemo.004475E0 to WolfSPDemo.00447C3B
--- snip ---
Truncating GL_EXTENSION string to be returned to length < 4096 doesn't make sense.
Either get a patch for the game (if it exists) or patch the game executable, which isn't feasible for such an old game.
Demo version: Wolf Demo 1.0.1
$ sha1sum wolf_spdemo.exe
68aa8b7df1bf197fabc4f762d74ca41b3bb2b0b7  wolf_spdemo.exe

$ wine --version
wine-1.3.22-164-g17e6d75
Regards
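The report above describes a fixed 4096-byte stack buffer whose truncation logic computes its bound 0x10 bytes past the end of the buffer, so a GL_EXTENSIONS string longer than 4096 bytes overwrites the saved return address. The following C program is an added example, not code from the game, from Wine or from the bug reporter: it shows the bounded way to format the same four GL strings (vendor, renderer, version, extensions) into a 4096-byte buffer, using the snprintf return value as the truncation signal, and puts the correct bound check next to a hypothetical check of the kind the report describes (limit computed 0x10 bytes too far). The function names, the ~5600-byte `GL_ARB_ext_NNNN` extension string and the `write_fits_off_by_0x10` helper are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer the report says the game formats its
 * system/graphics specs into. */
#define SPEC_BUF_SIZE 4096

/* Append "label: value\n" at buf[*pos] without ever writing past buf[size-1].
 * snprintf reports the length the full line would have had, so a result
 * >= the remaining room is the truncation signal that must be honoured.
 * Returns 1 if the line was cut short, 0 if it fit completely. */
static int append_spec_line(char *buf, size_t size, size_t *pos,
                            const char *label, const char *value)
{
    if (size == 0 || *pos >= size - 1)    /* no room left except the NUL */
        return 1;
    size_t room = size - *pos;
    int n = snprintf(buf + *pos, room, "%s: %s\n", label, value);
    if (n < 0)                            /* encoding error: report as cut */
        return 1;
    if ((size_t)n >= room) {              /* output was clipped at room-1 bytes */
        *pos = size - 1;                  /* buf[size-1] holds the NUL */
        return 1;
    }
    *pos += (size_t)n;
    return 0;
}

/* Bounded counterpart of the game's spec collection: format the four GL
 * strings into buf. Returns the number of bytes written (without the NUL)
 * and sets *truncated if any line had to be cut. */
size_t collect_gl_specs(char *buf, size_t size, const char *vendor,
                        const char *renderer, const char *version,
                        const char *extensions, int *truncated)
{
    size_t pos = 0;
    int cut = 0;
    buf[0] = '\0';
    cut |= append_spec_line(buf, size, &pos, "GL_VENDOR", vendor);
    cut |= append_spec_line(buf, size, &pos, "GL_RENDERER", renderer);
    cut |= append_spec_line(buf, size, &pos, "GL_VERSION", version);
    cut |= append_spec_line(buf, size, &pos, "GL_EXTENSIONS", extensions);
    *truncated = cut;
    return pos;
}

/* Constructed test input: a fake GL_EXTENSIONS string of at least min_len
 * bytes, built from 16-byte "GL_ARB_ext_NNNN " tokens. Not a real driver
 * string. Caller frees it. */
char *make_extension_string(size_t min_len)
{
    size_t cap = min_len + 32, len = 0;
    int i = 0;
    char *s = malloc(cap);
    if (!s) return NULL;
    s[0] = '\0';
    while (len < min_len)
        len += (size_t)snprintf(s + len, cap - len, "GL_ARB_ext_%04d ", i++);
    return s;
}

/* The bound check as it must be written: len bytes plus a NUL fit in a
 * size-byte buffer only if len < size. */
int write_fits(size_t len, size_t size) { return len < size; }

/* Hypothetical illustration of the class of error the report describes (the
 * limit computed 0x10 bytes past the real buffer end). Not the game's code,
 * and never used here to drive a write: it only shows which lengths such a
 * check would wrongly accept. */
int write_fits_off_by_0x10(size_t len, size_t size) { return len < size + 0x10; }

int main(void)
{
    char buf[SPEC_BUF_SIZE];
    int truncated = 0;
    char *ext = make_extension_string(5600);   /* ~5600 bytes, as in the report */
    size_t n = collect_gl_specs(buf, sizeof buf, "NVIDIA Corporation",
                                "GeForce GT 425M/PCI/SSE2",
                                "4.1.0 NVIDIA 260.19.06", ext, &truncated);
    printf("wrote %zu bytes, truncated=%d, last byte is NUL: %d\n",
           n, truncated, buf[sizeof buf - 1] == '\0');
    printf("length 4111 into 4096 bytes: correct check=%d, off-by-0x10 check=%d\n",
           write_fits(4111, 4096), write_fits_off_by_0x10(4111, 4096));
    free(ext);
    return 0;
}
```

The point of `append_spec_line` is that the limit is derived from the buffer's own size at the call site rather than carried separately, and that the truncation decision comes from snprintf's return value instead of from a hand-computed end pointer; any audit of code like the disassembly above should check both where the bound comes from and whether the remaining room is recomputed after each formatted line.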