http://bugs.winehq.org/show_bug.cgi?id=35537
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
          Component|-unknown                    |winex11.drv
            Summary|Cannot install Easy Bridge  |Easy Bridge version 4.0.2
                   |version 4.0.2               |installer crashes
     Ever confirmed|0                           |1

--- Comment #24 from Anastasius Focht focht@gmx.net ---
Hello Paull,
I still can't reproduce this but your backtrace with Wine 1.7.14 shows at least some potential problem.
(I removed the invalid address/symbol noise)
--- snip ---
Unhandled exception: page fault on read access to 0x00000008 in 32-bit code (0x7e01804f).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:7e01804f ESP:0033e9f0 EBP:0033ea78 EFLAGS:00010246( R- -- I Z- -P- )
 EAX:00000000 EBX:7e042ff4 ECX:0000000c EDX:00000000
 ESI:7e04ce40 EDI:0033eb10
...
Backtrace:
=>0 0x7e01804f get_tile_pict+0xdf(wxr_format=WXR_NB_FORMATS, color=0x33eb10) [/build/buildd/wine1.7-1.7.14/dlls/winex11.drv/xrender.c:1248] in winex11 (0x0033ea78)
  1 0x7e01a90b xrenderdrv_ExtTextOut+0x22a(dev=0x18a4b8, x=0x18, y=0x3b, flags=0x1004, lprect=0x33ecb8, wstr="Installing Easy Bridge 4.0.2", count=0x1c, lpDx=0x0(nil)) [/build/buildd/wine1.7-1.7.14/dlls/winex11.drv/xrender.c:1387] in winex11 (0x0033eb38)
  2 0x7eb4c60e ExtTextOutW+0xf1d(hdc=*** Invalid address 0x0000000c *** ...
  3 0x7eca357d DrawTextExW+0xa7c(hdc=*** Invalid address 0x0000000c *** ...
  4 0x7eca4d73 DrawTextExA+0x2f2(hdc=*** Invalid address 0x0000000c *** ...
  5 0x7eca4ed9 DrawTextA+0x88(hdc=*** Invalid address 0x0000000c *** ...
  6 0x0046c98f in _ins0432._mp (+0x6c98e) (0x0033f804)
...
--- snip ---
Corresponding source: http://source.winehq.org/git/wine.git/blob/refs/tags/wine-1.7.14:/dlls/winex...
--- snip ---
1232 static Picture get_tile_pict( enum wxr_format wxr_format, const XRenderColor *color)
1233 {
1234     static struct
1235     {
1236         Pixmap xpm;
1237         Picture pict;
1238         XRenderColor current_color;
1239     } tiles[WXR_NB_FORMATS], *tile;
1240
1241     tile = &tiles[wxr_format];
1242
1243     if(!tile->xpm)
1244     {
1245         XRenderPictureAttributes pa;
1246         XRenderPictFormat *pict_format = pict_formats[wxr_format];
1247
1248         tile->xpm = XCreatePixmap(gdi_display, root_window, 1, 1, pict_format->depth);
...
--- snip ---
'wxr_format' parameter has value 'WXR_NB_FORMATS' = last enum "invalid" meaning.
Source: http://source.winehq.org/git/wine.git/blob/refs/tags/wine-1.7.14:/dlls/winex...
--- snip ---
enum wxr_format
{
    WXR_FORMAT_MONO,
    WXR_FORMAT_GRAY,
    WXR_FORMAT_X1R5G5B5,
    WXR_FORMAT_X1B5G5R5,
    WXR_FORMAT_R5G6B5,
    WXR_FORMAT_B5G6R5,
    WXR_FORMAT_R8G8B8,
    WXR_FORMAT_B8G8R8,
    WXR_FORMAT_A8R8G8B8,
    WXR_FORMAT_B8G8R8A8,
    WXR_FORMAT_X8R8G8B8,
    WXR_FORMAT_B8G8R8X8,
    WXR_NB_FORMATS,
    WXR_INVALID_FORMAT = WXR_NB_FORMATS
};
--- snip ---
The stack based 'tiles' array is accessed out-of-bounds off-by-one since it has only WXR_NB_FORMATS elements (line 1239).
'tile->xpm' evaluates to NULL by chance.
'pict_formats' array has WXR_NB_FORMATS + 1 elements which means the last entry is NULL hence 'pict_formats[WXR_NB_FORMATS]' will yield NULL. Dereferencing 'pict_format->depth' causes the fault (page fault address 0x00000008 = 'depth' member offset).
The question is where did that invalid WXR_NB_FORMATS value come from.
get_tile_pict -> xrenderdrv_ExtTextOut -> 'physdev->format', physdev = get_xrender_dev( dev )
Maybe some Wine/X11 guys can comment :)
Regards
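
Added illustration, not part of the comment above and not Wine's code: a small C model of the two arrays described in the analysis, showing why a NULL 'pict_format' read of 'depth' lands on address 0x8 and how a range check on the enum rejects the sentinel before either array is indexed. The names pict_format32, tile, argb32, null_depth_fault_addr and get_tile_checked are hypothetical, and the struct is a constructed stand-in that assumes the 32-bit layout of XRenderPictFormat's leading fields (4-byte id, type, depth).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Enumerators copied from the excerpt quoted above. */
enum wxr_format
{
    WXR_FORMAT_MONO, WXR_FORMAT_GRAY, WXR_FORMAT_X1R5G5B5, WXR_FORMAT_X1B5G5R5,
    WXR_FORMAT_R5G6B5, WXR_FORMAT_B5G6R5, WXR_FORMAT_R8G8B8, WXR_FORMAT_B8G8R8,
    WXR_FORMAT_A8R8G8B8, WXR_FORMAT_B8G8R8A8, WXR_FORMAT_X8R8G8B8, WXR_FORMAT_B8G8R8X8,
    WXR_NB_FORMATS,
    WXR_INVALID_FORMAT = WXR_NB_FORMATS
};

/* Constructed stand-in: leading fields of XRenderPictFormat as laid out in 32-bit code. */
struct pict_format32 { uint32_t id; int32_t type; int32_t depth; };
/* Constructed stand-in for one tile cache entry (32-bit X11 resource ids). */
struct tile { uint32_t xpm; uint32_t pict; };

static const struct pict_format32 argb32 = { 1, 1, 32 };  /* constructed sample entry */
static struct tile tiles[WXR_NB_FORMATS];
/* One slot more than tiles[]; the slot for WXR_INVALID_FORMAT stays NULL. */
static const struct pict_format32 *pict_formats[WXR_NB_FORMATS + 1] = {
    [WXR_FORMAT_A8R8G8B8] = &argb32
};

/* Address that a read of pict_format->depth touches when pict_format is NULL. */
size_t null_depth_fault_addr(void)
{
    return offsetof(struct pict_format32, depth);
}

/* Hypothetical guarded lookup: refuse the sentinel and unsupported formats
 * before either array is indexed or the format pointer is dereferenced. */
struct tile *get_tile_checked(enum wxr_format fmt)
{
    if ((unsigned int)fmt >= WXR_NB_FORMATS) return NULL;  /* would be tiles[12] */
    if (!pict_formats[fmt]) return NULL;                    /* no usable format */
    return &tiles[fmt];
}

int main(void)
{
    printf("NULL->depth read faults at 0x%08zx\n", null_depth_fault_addr());
    printf("sentinel accepted: %s\n", get_tile_checked(WXR_INVALID_FORMAT) ? "yes" : "no");
    printf("A8R8G8B8 accepted: %s\n", get_tile_checked(WXR_FORMAT_A8R8G8B8) ? "yes" : "no");
    return 0;
}
```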