http://bugs.winehq.org/show_bug.cgi?id=19564
Summary: Guitar Hero World Tour crashes in secur32
Product: Wine
Version: 1.1.26
Platform: PC
URL: http://worldtour.guitarhero.com/uk/
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: secur32
AssignedTo: wine-bugs@winehq.org
ReportedBy: andras@csevego.net
Created an attachment (id=22798) --> (http://bugs.winehq.org/attachment.cgi?id=22798) crash
After getting through bug 19563, we get another problem: the game will crash in 30 sec because of Wine's secur32 failure. It works with native secur32. See attached image.
Backtrace:
=>0 0x7e007cb4 schan_free_handle+0x24(handle_idx=2116197184, type=SCHAN_HANDLE_CTX) [/home/andras/src/wine/dlls/secur32/schannel.c:169] in secur32 (0x0209b9d0)
  1 0x7e008994 schan_DeleteSecurityContext+0x74(context_handle=<register ESI not in topmost frame>) [/home/andras/src/wine/dlls/secur32/schannel.c:1099] in secur32 (0x0209ba00)
  2 0x7e01059e DeleteSecurityContext+0x4e(phContext=0x2be3724) [/home/andras/src/wine/dlls/secur32/wrapper.c:465] in secur32 (0x0209ba30)
  3 0x00319d0e in xmassiveadclientdyn (+0x9d0e) (0x0209ba78)
  4 0x00324d63 in xmassiveadclientdyn (+0x14d63) (0x0209bac0)
  5 0x00325297 in xmassiveadclientdyn (+0x15297) (0x0209baec)
  6 0x00321ca5 in xmassiveadclientdyn (+0x11ca5) (0x0209bb2c)
  7 0x006df923 in ghwt (+0x2df923) (0x00000001)
  8 0x00000000 (0x00000000)
Andras Kovacs andras@csevego.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |19563
--- Comment #1 from Juan Lang juan_lang@yahoo.com 2009-08-04 11:04:57 ---
Please attach a +secur32 log.
--- Comment #2 from Andras Kovacs andras@csevego.net 2009-08-04 12:08:50 ---
Created an attachment (id=22802) --> (http://bugs.winehq.org/attachment.cgi?id=22802) +secur32 trace
As far as I can see, it's a double free.
trace:secur32:DeleteSecurityContext 0x2be375c
trace:secur32:schan_DeleteSecurityContext context_handle 0x1797a438
trace:secur32:DeleteSecurityContext 0x2be375c
trace:secur32:schan_DeleteSecurityContext context_handle 0x1797a438
But it can be broken code inside the application, triggered by this:
fixme:secur32:schan_QueryContextAttributesA Unhandled attribute 0x53
--- Comment #3 from Juan Lang juan_lang@yahoo.com 2009-08-04 12:40:44 ---
(In reply to comment #2)
> As far as I can see, it's a double free.
> trace:secur32:DeleteSecurityContext 0x2be375c
> trace:secur32:schan_DeleteSecurityContext context_handle 0x1797a438
> trace:secur32:DeleteSecurityContext 0x2be375c
> trace:secur32:schan_DeleteSecurityContext context_handle 0x1797a438
Thanks, that's what I suspected.
> But it can be broken code inside the application, triggered by this:
> fixme:secur32:schan_QueryContextAttributesA Unhandled attribute 0x53
Yeah, maybe. I think the code could be made safer though. I'll attach a quick patch in a sec.
--- Comment #4 from Juan Lang juan_lang@yahoo.com 2009-08-04 12:44:03 ---
Created an attachment (id=22805) --> (http://bugs.winehq.org/attachment.cgi?id=22805) Patch: Sanity check handle index before indexing table
Does this help?
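The kind of check named in the patch title of comment #4, as an added example that is not Wine's code and not part of the original thread: a handle table that validates the index and slot type before use, so that a repeated delete (as in the trace in comment #2) or a garbage index (as in the backtrace) is rejected instead of indexing out of bounds. The table layout and all names here are hypothetical.

```c
/* Added illustration, not Wine's schannel.c; all names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
enum handle_type { HANDLE_FREE = 0, HANDLE_CRED, HANDLE_CTX };
struct handle { void *object; enum handle_type type; };
#define TABLE_SIZE 8
static struct handle table[TABLE_SIZE];
static size_t table_used; /* slots handed out so far */

/* Returns a handle index, or (size_t)-1 when the table is full. */
size_t alloc_handle(void *object, enum handle_type type)
{
    size_t i;
    for (i = 0; i < table_used; i++)
        if (table[i].type == HANDLE_FREE) break; /* reuse a freed slot */
    if (i == TABLE_SIZE) return (size_t)-1;
    if (i == table_used) table_used++;
    table[i].object = object;
    table[i].type = type;
    return i;
}

/* Returns the stored object, or NULL when idx is out of range, already
 * freed, or of a different type. Objects are assumed to be non-NULL. */
void *free_handle(size_t idx, enum handle_type type)
{
    void *object;
    if (idx >= table_used) return NULL; /* garbage index */
    if (type == HANDLE_FREE || table[idx].type != type)
        return NULL;                    /* stale handle or wrong type */
    object = table[idx].object;
    table[idx].object = NULL;
    table[idx].type = HANDLE_FREE;
    return object;
}

/* Stand-in for a delete-context entry point: 0 on success, -1 on a bad handle. */
int delete_context(size_t idx)
{
    return free_handle(idx, HANDLE_CTX) ? 0 : -1;
}

int main(void)
{
    int ctx; /* constructed sample object */
    size_t h = alloc_handle(&ctx, HANDLE_CTX);
    printf("first delete:  %d\n", delete_context(h));
    printf("second delete: %d\n", delete_context(h));
    printf("garbage index: %d\n", delete_context((size_t)2116197184u));
    return 0;
}
```

Because freed slots are reused, a stale index can still alias a newer object of the same type; this sketch does not add a generation counter to catch that case.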
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
                 CC|                            |juan_lang@yahoo.com
--- Comment #5 from Andras Kovacs andras@csevego.net 2009-08-05 10:27:02 ---
It goes further, but crashes in msxml6, probably due to invalid data passed to it. This is not present with native secur32 either.
--- Comment #6 from Juan Lang juan_lang@yahoo.com 2009-08-05 10:39:50 ---
(In reply to comment #5)
> It goes further, but crashes in msxml6, probably due to invalid data passed to it. This is not present with native secur32 either.
Could you attach a backtrace of the crash with this patch applied?
--- Comment #7 from Andras Kovacs andras@csevego.net 2009-08-05 10:48:19 ---
Created an attachment (id=22827) --> (http://bugs.winehq.org/attachment.cgi?id=22827) +secur32 after patch applied
--- Comment #8 from Juan Lang juan_lang@yahoo.com 2009-08-05 11:07:14 ---
Ah, right, msxml6 is only native, eh? From the log:
fixme:secur32:schan_QueryContextAttributesA Unhandled attribute 0x53
wine: Unhandled page fault on read access to 0x00000004 at address 0x4 (thread 001a), starting debugger...
You're almost certainly right, it's trying to dereference a NULL security context. 0x53 is SECPKG_ATTR_REMOTE_CERT_CONTEXT. That's also implicated in bug 19517, so I'd say that one's worth implementing.
--- Comment #9 from Juan Lang juan_lang@yahoo.com 2009-08-05 11:16:22 ---
Created an attachment (id=22828) --> (http://bugs.winehq.org/attachment.cgi?id=22828) Patch: Implement QueryContextAttributes for SECPKG_ATTR_REMOTE_CERT_CONTEXT
How about with this patch?
--- Comment #10 from Henri Verbeet hverbeet@gmail.com 2009-08-05 12:33:20 ---
At first sight, I think that's missing a "LOAD_FUNCPTR(gnutls_certificate_get_peers)" in SECUR32_initSchannelSP().
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #22828|0                           |1
        is obsolete|                            |
--- Comment #11 from Juan Lang juan_lang@yahoo.com 2009-08-05 12:38:34 ---
Created an attachment (id=22832) --> (http://bugs.winehq.org/attachment.cgi?id=22832) Patch: Implement QueryContextAttributes for SECPKG_ATTR_REMOTE_CERT_CONTEXT (try 2)
Whoops, thanks Henri. How 'bout with this one?
--- Comment #12 from Andras Kovacs andras@csevego.net 2009-08-05 13:34:38 ---
Created an attachment (id=22834) --> (http://bugs.winehq.org/attachment.cgi?id=22834) secur32 log after patches
It works, at least it doesn't crash.
From the trace, I think it's working.
--- Comment #13 from Juan Lang juan_lang@yahoo.com 2009-08-05 13:38:06 ---
Excellent, thanks. I'll send a slightly modified version to wine-patches (it also checks the return value from CertCreateCertificateContext.)
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED
--- Comment #14 from Juan Lang juan_lang@yahoo.com 2009-08-06 10:54:49 ---
Fixed in today's git.
--- Comment #15 from Nikolay Sivov bunglehead@gmail.com 2009-08-06 11:09:29 ---
Fixed by commits:
5ee34ea870cbe1bf828c0c5a30a646d5cd776b14
3a493d7782b56ce0c55cda60271be75843d7104d
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #16 from Alexandre Julliard julliard@winehq.org 2009-08-07 13:01:51 ---
Closing bugs fixed in 1.1.27.
Bug 19564 depends on bug 19563, which changed state.
Bug 19563 Summary: Guitar Hero World Tour crashes after dinput's QueryInterface
http://bugs.winehq.org/show_bug.cgi?id=19563
           What    |Old Value                   |New Value
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED