https://bugs.winehq.org/show_bug.cgi?id=51831
Bug ID: 51831
Summary: TrueDrive: On start shows an alert that the steering wheel is turned around too close to the bump stops, while the wheel is actually aligned on top center
Product: Wine
Version: 6.18
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: hid
Assignee: wine-bugs@winehq.org
Reporter: logos128@gmail.com
CC: rbernon@codeweavers.com
Regression SHA1: 8b434bdc7fe98e3bd97e180f31bc18d87161c05a
Distribution: ArchLinux
Created attachment 70718 --> https://bugs.winehq.org/attachment.cgi?id=70718 0001-winebus.sys-Fix-possible-memory-access-error-in-bus_.patch
In addition to the summary, the in app steering wheel animation is indeed turned around usually on left, and the high torque mode of the Simucube 2 FFB wheel is also being disabled, as the alert warns. After closing the alert, the steering wheel animation resumes proper tracking of the real wheel.
After some regression testing I found out that in bus_event_queue_pop() (winebus.sys/unixlib.c) the size for the memcpy operation is calculated based on event->input_report.length, and when the event operand is passed for the first time to this function, its input_report.length is uninitialized. The bus_event structure is allocated once per bus thread. This could lead to either insufficient bytes being copied to the event struct, or a memory access error from an out-of-bounds copy operation of the tmp struct. The consecutive calls of this function use event->input_report.length again, which in this case is just the length of the input buffer from the previous operation.
If the device uses multiple input reports with different ReportIDs and different lengths, this could lead to serious issues.
Attached is a patch which fixes the issue (based on the current master).
--- Comment #1 from Ivo Ivanov logos128@gmail.com ---
Created attachment 70719 --> https://bugs.winehq.org/attachment.cgi?id=70719 wine_6.18.log
wine-6.18-187-gaa629c4c722 WINEDEBUG=+timestamp,+pid,+hid,+hidp,+hid_report,+plugplay
--- Comment #2 from Ivo Ivanov logos128@gmail.com ---
The patch is based on a87abdbe85779adf6a2a7897bd88984587880693.
--- Comment #3 from Rémi Bernon rbernon@codeweavers.com ---
Yeah I stumbled upon this separately, and sent a patch to fix it (https://source.winehq.org/patches/data/216079).
The type should also be read from the current event instead of the passed event pointer, which has the previous one.
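The report and Comment #3 describe the same defect from two sides: both the copy length and the event type are read from the caller's event (which holds the previous pop's values, or uninitialized memory on the first call) instead of from the entry being dequeued. The following is an added illustration, not Wine's code: a simplified model in which the struct layout, the make_report helper and the pop_checked bounds check are assumptions for the demo, showing the size derived from the stale destination beside the size derived from the queued entry.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define EVENT_TYPE_INPUT_REPORT 1
/* Simplified model of a queued event (hypothetical, not Wine's actual struct). */
struct bus_event
{
    int type;
    struct { size_t length; unsigned char buffer[1]; } input_report;
};
/* Bytes an event occupies: the fixed header plus the report payload it carries. */
static size_t event_size(const struct bus_event *ev)
{
    if (ev->type != EVENT_TYPE_INPUT_REPORT) return sizeof(*ev);
    return offsetof(struct bus_event, input_report.buffer) + ev->input_report.length;
}
/* Allocate a queued input report of len bytes, filled with constructed sample data. */
static struct bus_event *make_report(size_t len)
{
    size_t size = offsetof(struct bus_event, input_report.buffer) + len;
    struct bus_event *ev = calloc(1, size > sizeof(*ev) ? size : sizeof(*ev));
    ev->type = EVENT_TYPE_INPUT_REPORT;
    ev->input_report.length = len;
    memset(ev->input_report.buffer, 0xAB, len);
    return ev;
}
/* The bug: copy size derived from the destination, i.e. whatever the previous pop
 * left there, or uninitialized memory on the very first call. */
static size_t pop_size_buggy(const struct bus_event *dest, const struct bus_event *queued)
{
    (void)queued; return event_size(dest);
}
/* The fix: type and length are read from the queued entry actually being consumed. */
static size_t pop_size_fixed(const struct bus_event *dest, const struct bus_event *queued)
{
    (void)dest; return event_size(queued);
}
/* Pop with a bounds check against the source allocation. Returns 1 when the copy was
 * done and 0 when the computed size would read past the end of the queued entry. */
static int pop_checked(struct bus_event *dest, const struct bus_event *queued,
                       size_t (*size_of)(const struct bus_event *, const struct bus_event *))
{
    size_t size = size_of(dest, queued);
    if (size > event_size(queued)) return 0;   /* refuse the over-read rather than corrupt memory */
    memcpy(dest, queued, size);
    return 1;
}
```

With a 64-byte report followed by an 8-byte one the buggy size over-reads the shorter entry; with the order reversed it copies only 8 payload bytes while the copied length field claims 64, which is the truncation the report describes.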
Ivo Ivanov logos128@gmail.com changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
         Resolution|---         |FIXED
             Status|UNCONFIRMED |RESOLVED
--- Comment #4 from Ivo Ivanov logos128@gmail.com ---
Tested with 5a8dcb062793fbb68997e1b54ebc2666a2b2834d from yesterday, and everything works as expected related to this issue.
Ivo Ivanov logos128@gmail.com changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|            |6bc71db09e95ce66142c2887b6fe23f59c63dd3f
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|RESOLVED    |CLOSED

--- Comment #5 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 6.19.
Gijs Vermeulen gijsvrm@gmail.com changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
           Keywords|            |regression