https://bugs.winehq.org/show_bug.cgi?id=50075
Bug ID: 50075 Summary: GetFileVersionInfoSizeW can read from unallocated memory Product: Wine Version: 5.20 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: version Assignee: wine-bugs@winehq.org Reporter: ahiler@codeweavers.com Distribution: ---
Original bug: https://github.com/ValveSoftware/Proton/issues/4308
Crown Trick (game) comes with Assembly-CSharp.dll (generated by Unity engine) that is most likely just encrypted[0] or straight up corrupted. The game calls GetFileVersionInfoSizeW() on that .dll during which it crashes.
Wine's GetFileVersionInfoSizeW() checks the PE header for RVA and size of Resource Table.
Then HeapAllocs(size) happens and data is read into it the allocated memory.
After that, when looking for the version entry, find_entry_by_id() naively trusts NumberOfNamedEntries and NumberOfIdEntries residing in the resource table, which in the encrypted/corrupted form add up to 20k+ entries. This results in an attempt to dereference something way past the size of Resource Table (0x400) and causes a page fault.
I have a tentative patch (will send it soon, after a bit more testing) that makes sure we are not trying to read entries past the allocated area. With this the game starts and works just fine.
[0]: https://github.com/yangyuan/hearthrock/issues/13