http://bugs.winehq.org/show_bug.cgi?id=4200
Summary: map_image() can cause segfault Product: Wine Version: 0.9.4. Platform: Other OS/Version: other Status: UNCONFIRMED Severity: normal Priority: P2 Component: wine-loader AssignedTo: wine-bugs@winehq.org ReportedBy: areiter@websense.com
Basically, to make this short (could go into more detail, but my knowledge of the wine loader code is just *ok*, not really good):
I was attempting to run a less-than-perfect PE file (seems to be a broken worm). I was obviously prepared for it to not run -- perhaps the loader to error out since it was an invalid PE file (at least XPSP2 believes so -- and I've reversed other Win32 loader code and they'd error too), but I got a segfault, unfortunately.
I narrowed the issue down to dlls/ntdll/virtual.c::map_image(): 1014 memset( ptr + sec->VirtualAddress + file_size, 0, end - file_size );
ptr is ok: (gdb) p ptr $142 = 0x400000 "MZ\220"
VA for the section seems ok: (gdb) p sec->VirtualAddress $143 = 49152
.. Same with file_size (I believe), but the issue is with the length of the memset().
(gdb) p end $144 = 3815 (gdb) p file_size $145 = 110873
As you can see at virtual.c:1014, memset() uses (end-file_size) as the length to zero out. However, (end-file_size) creates a "bad" value since end is less than file_size. By at least C90 standards, the length field for memset() is a size_t which is unsigned ... etc etc. I don't really have a solution as I am not really all that knowledgeable with really what some of the code is doing, but it seems that at least adding an assert() or a test for this instead of blindly passing (end-file_size) would be a good thing. Anyway, not a major bug, but the loader should try its best to at least not crash.
If you need a test file, please feel free to contact me at areiter _ at _ websense.com.
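The wraparound the report describes, as an added example that is not part of the original report or of Wine's code: a constructed model of the tail-zeroing step with the unchecked size_t subtraction next to a checked version that rejects an inconsistent section header before calling memset(). Function and variable names are hypothetical; the numbers come from the gdb session above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the tail-zeroing step in map_image(): the section's
 * file-backed bytes end at file_size, the mapped region ends at `end`, and the
 * gap in between is zero-filled. Names are hypothetical, not Wine's own. */

/* The unchecked form from the report: end - file_size as a size_t. When end is
 * smaller than file_size the subtraction wraps to a huge unsigned value. */
size_t unchecked_tail_len(size_t end, size_t file_size)
{
    return end - file_size;
}

/* Hardened form: validate the header-derived sizes before trusting them.
 * Returns 0 on success and stores the tail length; returns -1 (and zeroes
 * nothing) when the PE header is inconsistent. */
int checked_tail_len(size_t end, size_t file_size, size_t *tail)
{
    if (end < file_size) {
        /* Inconsistent section header: raw data extends past the mapped size. */
        *tail = 0;
        return -1;
    }
    *tail = end - file_size;
    return 0;
}

/* Zero the tail of a section buffer only when the sizes are consistent.
 * buf_len is the real size of the buffer so the memset cannot overrun it. */
int zero_section_tail(unsigned char *buf, size_t buf_len,
                      size_t file_size, size_t end)
{
    size_t tail;
    if (checked_tail_len(end, file_size, &tail) != 0)
        return -1;
    if (end > buf_len)
        return -1;
    memset(buf + file_size, 0, tail);
    return 0;
}

int main(void)
{
    /* Values taken from the gdb session in the report. */
    size_t end = 3815, file_size = 110873, tail;
    printf("unchecked length: %zu\n", unchecked_tail_len(end, file_size));
    printf("checked result: %d\n", checked_tail_len(end, file_size, &tail));
    return 0;
}
```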