https://bugs.winehq.org/show_bug.cgi?id=46725
Paul Gofman gofmanp@gmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
CC            |        |gofmanp@gmail.com
--- Comment #7 from Paul Gofman gofmanp@gmail.com ---
Created attachment 66676
--> https://bugs.winehq.org/attachment.cgi?id=66676
PoC patch for FAudio
I've tested the issue in the Sniper Elite v2 demo, where it is also reproducible. To reproduce I just had to start the game and fire a shot; it crashes immediately.
The immediate reason for the crash (which happens in xaudio2_7/xaudio_dll.c:XAPO_Process()) is that the vtbl for the game's xapo (This->xapo) was previously overwritten in application code during a previous _Process call for the same xapo. It does not happen during the many earlier calls to _Process for the same xapo, as the application actually skips the actual processing until you shoot the gun.
When processing the buffer the game uses some intermediate buffer previously allocated by HeapAlloc() with a size sufficient for 480 samples, while the input / output buffer lengths are 512 samples. The same 512 samples were specified in the IXAPO_LockForProcess call for the xapo, but the application seems to ignore that. It allocates that buffer before _LockForProcess is called, right after _CreateSubmixVoice(). It happens that the allocated xapo object data (with the vtbl) goes right after that buffer for samples, thus it is overwritten.
The attached tweak fixes the crash. I observed which buffer lengths the application gets on Windows for xapo _Process, and it is 480. So it looks like on Windows the buffers might be limited to smaller values, and the application doesn't bother to mind the _LockForProcess values and allocates a "big enough" buffer. I have not, though, made unit tests with those xapos so far.
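The failure mode described in the comment (a host handing an effect more frames per _Process call than the application's own scratch buffer can hold, so the write runs into the xapo object stored right after it) and the kind of host-side limit that avoids it, as an added C model. This is not the attached patch and not Wine or FAudio code; the 480-frame scratch size and the 512-frame voice buffer come from the comment, while app_xapo, app_process, process_chunked and run_voice are hypothetical names. The model records an overrun instead of really writing past the scratch buffer, so it stays memory-safe while still showing which call sizes would have corrupted the adjacent object.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define APP_SCRATCH_FRAMES 480u   /* size the application was observed to allocate */
#define MAX_VOICE_FRAMES   1024u  /* capacity of the constructed test buffers below */

/* Hypothetical stand-in for the application's xapo instance. In the real
 * layout the object (and its vtbl) sits right after the scratch buffer; here
 * we only count Process calls that asked for more than the scratch can hold. */
typedef struct {
    float    scratch[APP_SCRATCH_FRAMES];
    uint32_t overrun_calls;    /* calls that would have written past scratch */
    uint32_t max_frames_seen;  /* largest frame count handed to the effect */
} app_xapo;

typedef void (*process_fn)(void *ctx, const float *in, float *out, uint32_t frames);

/* The application's effect: stages input in its fixed scratch, applies a gain.
 * It ignores whatever was negotiated in LockForProcess, as the comment describes. */
static void app_process(void *ctx, const float *in, float *out, uint32_t frames)
{
    app_xapo *x = ctx;
    if (frames > x->max_frames_seen) x->max_frames_seen = frames;
    if (frames > APP_SCRATCH_FRAMES) {
        x->overrun_calls++;            /* the real app would clobber its vtbl here */
        frames = APP_SCRATCH_FRAMES;   /* clamp so this model stays memory-safe */
    }
    memcpy(x->scratch, in, frames * sizeof(float));
    for (uint32_t i = 0; i < frames; i++) out[i] = x->scratch[i] * 0.5f;
}

/* Host side (assumed mitigation): split the voice buffer into chunks of at
 * most max_frames before calling the effect. Returns the number of Process
 * calls made. */
uint32_t process_chunked(process_fn fn, void *ctx, const float *in, float *out,
                         uint32_t total, uint32_t max_frames)
{
    uint32_t done = 0, calls = 0;
    if (max_frames == 0) return 0;     /* refuse a zero chunk size rather than loop forever */
    while (done < total) {
        uint32_t n = total - done;
        if (n > max_frames) n = max_frames;
        fn(ctx, in + done, out + done, n);
        done += n;
        calls++;
    }
    return calls;
}

/* Run one voice buffer of voice_frames constructed samples through the effect
 * with the given per-call limit. Returns the overrun count (0 means the app's
 * scratch was never exceeded); calls_out and last_out report the number of
 * Process calls and the final output sample. */
uint32_t run_voice(uint32_t voice_frames, uint32_t max_frames,
                   uint32_t *calls_out, float *last_out)
{
    static float in[MAX_VOICE_FRAMES], out[MAX_VOICE_FRAMES];
    app_xapo x;
    memset(&x, 0, sizeof(x));
    memset(out, 0, sizeof(out));
    if (voice_frames == 0 || voice_frames > MAX_VOICE_FRAMES) return UINT32_MAX;
    for (uint32_t i = 0; i < voice_frames; i++) in[i] = (float)i;   /* constructed ramp */
    uint32_t calls = process_chunked(app_process, &x, in, out, voice_frames, max_frames);
    if (calls_out) *calls_out = calls;
    if (last_out)  *last_out  = out[voice_frames - 1];
    return x.overrun_calls;
}

int main(void)
{
    uint32_t calls; float last;
    uint32_t bad = run_voice(512, 512, &calls, &last);   /* whole 512-frame buffer at once */
    printf("unchunked: %u call(s), %u overrun(s)\n", calls, bad);
    bad = run_voice(512, 480, &calls, &last);            /* capped at the app's 480 */
    printf("chunked:   %u call(s), %u overrun(s), last sample %.1f\n", calls, bad, last);
    return 0;
}
```

With the 512-frame voice buffer from the comment, passing it through in one call exceeds the 480-frame scratch once; capping each call at 480 turns it into two calls (480 + 32) and the scratch is never exceeded, while the output is still the full gain-scaled buffer.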