New subject: [Bug 45254] Buffer overflow, X file children MAX_CHILDREN limit too small, crashes BIONICLE: The Legend of Mata Nui

27 May 2018


      https://bugs.winehq.org/show_bug.cgi?id=45254
Bug ID: 45254
           Summary: Buffer overflow, X file children MAX_CHILDREN limit
                    too small, crashes BIONICLE: The Legend of Mata Nui
           Product: Wine
           Version: unspecified
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: directx-d3dxof
          Assignee: wine-bugs@winehq.org
          Reporter: legojrmastermodelbuilder@gmail.com
      Distribution: ---
In dlls/d3dxof/d3dxof_private.h MAX_CHILDREN is defined as 200, which is too
small a buffer for some existing DirectX model .X files:
https://github.com/wine-mirror/wine/blob/4102d8a0dc1b02d37d834f17d1925f3b0de...
In dlls/d3dxof/parsing.c there is actually a warning if that number is
exceeded, but the bounds checking happens after the buffer would be overflown,
so it may read the wrong value or simply crash instead:
https://github.com/wine-mirror/wine/blob/99a5afc09b1e8928a2b3270ce67784083d2...
Native Windows does not appear to impose a hard limit, or if there is one it is
larger than 0xFFFF (the highest size I tested).
This limitation impacts at least one Windows application, namely the game
BIONICLE: The Legend of Mata Nui.
This would impact Wine on all platforms.
GitHub issue for reference:
https://github.com/TheLegendOfMataNui/game-issues/issues/110
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

[Bug 45254] New: Buffer overflow, X file children MAX_CHILDREN limit too small, crashes BIONICLE: The Legend of Mata Nui