http://bugs.winehq.org/show_bug.cgi?id=9731
Summary: GdiConvertToDevmodeW trying to copy -32 bytes on memcpy
Product: Wine
Version: 0.9.45.
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: wine-gdi-(printing)
AssignedTo: wine-bugs@winehq.org
ReportedBy: myxfce@gmail.com
Created an attachment (id=8168) --> (http://bugs.winehq.org/attachment.cgi?id=8168) Crash report
I'm having problems running an old Win 3.11 game named Mortuum. Wine crashes before the game starts. After some debugging, I noticed the crash happens in file gdi32/driver.c in function DEVMODEW * WINAPI GdiConvertToDevmodeW(const DEVMODEA *dmA).
This function tries to memcpy bytes from the structure dmA to the structure dmW (which was allocated by a HeapAlloc()). Unfortunately, it tries to copy -32 bytes because dmA->dmSize is 0 bytes and CCHDEVICENAME is 32 bytes. I've attached a small piece of code that shows where the memcpy is done, around line 425 in that file.
```c
...
dmW = HeapAlloc(GetProcessHeap(), 0, dmW_size + dmA->dmDriverExtra);
if (!dmW) return NULL;

MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmDeviceName, CCHDEVICENAME,
                    dmW->dmDeviceName, CCHDEVICENAME);

//===============================CRASH=========================
/* copy slightly more, to avoid long computations */
memcpy(&dmW->dmSpecVersion, &dmA->dmSpecVersion, dmA->dmSize - CCHDEVICENAME);
//===============================CRASH=========================

if (dmA->dmSize >= (const char *)dmA->dmFormName - (const char *)dmA + CCHFORMNAME)
{
    MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmFormName, CCHFORMNAME,
                        dmW->dmFormName, CCHFORMNAME);
    if (dmA->dmSize > (const char *)&dmA->dmLogPixels - (const char *)dmA)
        memcpy(&dmW->dmLogPixels, &dmA->dmLogPixels,
               dmA->dmSize - ((const char *)&dmA->dmLogPixels - (const char *)dmA));
}
...
```
I tried to debug further to look for the root of the problem (why dmA->dmSize is 0), but there were too many calls and I couldn't figure out where the dmA structure was allocated and populated.
I've attached the crash report and if you need the game to test, just ask, it's freeware. Tested on 0.9.44 and 0.9.45.
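The failure mode in the report is a classic unsigned-length underflow: dmA->dmSize - CCHDEVICENAME is computed from an untrusted, caller-supplied dmSize of 0, and memcpy receives the result as a size_t. The following is an added example (not Wine's code and not the commit that fixed this bug) using constructed, cut-down DEVMODEA/DEVMODEW stand-ins; it shows what value memcpy actually receives for dmSize == 0, and a checked conversion that validates dmSize against the offset of the first copied field and caps the copy at the destination's size before calling memcpy. The struct layouts, field subset and ASCII widening are this example's own simplifications.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CCHDEVICENAME 32

/* Constructed, cut-down stand-ins for DEVMODEA/DEVMODEW: only the leading
 * fields this example needs, not Wine's or Windows' real definitions. */
typedef struct {
    char     dmDeviceName[CCHDEVICENAME];
    uint16_t dmSpecVersion;
    uint16_t dmDriverVersion;
    uint16_t dmSize;        /* caller-declared size of the fixed part */
    uint16_t dmDriverExtra; /* bytes of driver data following the struct */
    uint32_t dmFields;
} DEVMODEA_t;

typedef struct {
    uint16_t dmDeviceName[CCHDEVICENAME];
    uint16_t dmSpecVersion;
    uint16_t dmDriverVersion;
    uint16_t dmSize;
    uint16_t dmDriverExtra;
    uint32_t dmFields;
} DEVMODEW_t;

/* The length expression from the report, evaluated the way memcpy receives
 * it: dmSize is promoted to int, 0 - 32 gives -32, and the conversion to
 * size_t turns that into SIZE_MAX - 31, so memcpy runs off the heap. */
size_t unchecked_copy_len(uint16_t dmSize)
{
    return (size_t)(dmSize - CCHDEVICENAME);
}

/* Checked conversion (this example's own hardening, not Wine's actual fix):
 * reject a dmSize smaller than the fields we copy and cap the copy at what
 * the destination can hold, so the length can neither underflow nor overrun. */
DEVMODEW_t *convert_checked(const DEVMODEA_t *dmA)
{
    const size_t head_a = offsetof(DEVMODEA_t, dmSpecVersion);
    const size_t tail_w = sizeof(DEVMODEW_t) - offsetof(DEVMODEW_t, dmSpecVersion);
    size_t copy_len;
    DEVMODEW_t *dmW;
    int i;

    if (!dmA || dmA->dmSize < head_a)
        return NULL;                       /* would have underflowed */
    copy_len = dmA->dmSize - head_a;
    if (copy_len > tail_w)
        copy_len = tail_w;                 /* never exceed the destination */

    dmW = calloc(1, sizeof(*dmW) + dmA->dmDriverExtra);
    if (!dmW)
        return NULL;
    /* plain ASCII widening stands in for MultiByteToWideChar here */
    for (i = 0; i < CCHDEVICENAME; i++)
        dmW->dmDeviceName[i] = (unsigned char)dmA->dmDeviceName[i];
    memcpy(&dmW->dmSpecVersion, &dmA->dmSpecVersion, copy_len);
    dmW->dmSize = sizeof(*dmW);            /* describe the W layout, not the A one */
    dmW->dmDriverExtra = dmA->dmDriverExtra;
    memcpy(dmW + 1, dmA + 1, dmA->dmDriverExtra);
    return dmW;
}

/* Constructed input shaped like the report's: dmSize == 0. Returns 1 if rejected. */
int rejects_zero_dmsize(void)
{
    DEVMODEA_t bad;
    memset(&bad, 0, sizeof(bad));
    return convert_checked(&bad) == NULL;
}

/* Constructed well-formed input; returns the converted dmFields, 0 on failure. */
uint32_t converts_valid_input(void)
{
    DEVMODEA_t good;
    DEVMODEW_t *dmW;
    uint32_t fields;

    memset(&good, 0, sizeof(good));
    strcpy(good.dmDeviceName, "DIB");
    good.dmSpecVersion = 0x0401;
    good.dmSize = sizeof(good);
    good.dmFields = 0x7;
    dmW = convert_checked(&good);
    if (!dmW || dmW->dmDeviceName[0] != 'D' || dmW->dmSpecVersion != 0x0401)
        return 0;
    fields = dmW->dmFields;
    free(dmW);
    return fields;
}

int main(void)
{
    printf("memcpy length for dmSize=0: %zu\n", unchecked_copy_len(0));
    printf("zero dmSize rejected: %d\n", rejects_zero_dmsize());
    printf("valid input dmFields: %u\n", (unsigned)converts_valid_input());
    return 0;
}
```

The check that matters is the one before the subtraction: once dmSize has been compared against the offset of the first field to be copied, the length is known non-negative, and the cap against the destination's remaining size covers the opposite mistake of a dmSize larger than the structure the caller actually provided.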
Detlef Riekenberg wine.dev@web.de changed:
What       |Removed     |Added
-----------|------------|-----------------
CC         |            |wine.dev@web.de
--- Comment #1 from Lei Zhang thestig@google.com 2007-10-09 13:39:45 ---
Can you post a link to the freeware game?
--- Comment #2 from Bruno Jesus myxfce@gmail.com 2007-10-16 10:26:17 ---
(In reply to comment #1)
> Can you post a link to the freeware game?

I'm so sorry, I should have posted the link as soon as I added the bug report.
http://200.143.13.75:3080/Mortuum.zip
Dan Kegel dank@kegel.com changed:
What       |Removed     |Added
-----------|------------|-----------------
CC         |            |dank@kegel.com

--- Comment #3 from Dan Kegel dank@kegel.com 2007-10-16 11:39:06 ---
Here are some links about the game:
http://www.mobygames.com/game/mortuum
http://home.arkansasusa.com/eroberts/files/games/wingames.html

Looks like it was once at the URLs
ftp://ftp.pht.com/pub/gamehead/m/mortuum.zip
ftp://ftp.cdrom.com/.2/games/win/arcade/mortuum.zip
Perhaps archive.org has a copy (I can't check, they're down).
Dan Kegel dank@kegel.com changed:
What           |Removed     |Added
---------------|------------|-----------------
Status         |UNCONFIRMED |NEW
Ever Confirmed |0           |1

--- Comment #4 from Dan Kegel dank@kegel.com 2007-10-16 12:00:20 ---
+relay agrees, the call that triggered the crash was
000c:Call GDI.53: CREATEDC(122701c0 "DIB",00000000 (null),00000000 (null),1297:0004) ret=1217:2ea7 ds=1227
--- Comment #5 from Austin English austinenglish@gmail.com 2008-04-15 01:02:37 ---
Is this still an issue in current (0.9.59 or newer) wine?
Detlef Riekenberg wine.dev@web.de changed:
What       |Removed     |Added
-----------|------------|-----------------
Status     |NEW         |RESOLVED
Resolution |            |FIXED

--- Comment #6 from Detlef Riekenberg wine.dev@web.de 2008-04-15 05:13:59 ---
This crash was fixed by Dmitry on 20 Dec 2007.
The app died later:
err:dc:CreateDCW no driver found for L"DIB"
but this is a new bug.
Alexandre Julliard julliard@winehq.org changed:
What       |Removed     |Added
-----------|------------|-----------------
Status     |RESOLVED    |CLOSED

--- Comment #7 from Alexandre Julliard julliard@winehq.org 2008-04-18 11:03:20 ---
Closing bugs reported fixed in 0.9.60.
Bruno Jesus 00cpxxx@gmail.com changed:
What          |Removed     |Added
--------------|------------|------------------------------------------
Fixed by SHA1 |            |c3fe9ec2f74ed135df1fb08faf13730050734b95

--- Comment #8 from Bruno Jesus 00cpxxx@gmail.com 2012-03-28 23:13:40 CDT ---
Filling fields.