https://bugs.winehq.org/show_bug.cgi?id=45769
Bug ID: 45769
Summary: 0CC-FamiTracker etc. crashes after saving, due to AfxFormatString1(out=in)
Product: Wine
Version: 3.14
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: jimbo1qaz@gmail.com
Distribution: ---
0CC-FamiTracker 0.3.14.5 (http://hertzdevil.info/programs/0CCft_v0314r5.7z ) and my j0CC fork (https://github.com/jimbo1qaz/j0CC-FamiTracker/releases/download/j0.6.0a/j0CC... ) crash after saving.
Confirmed on multiple machines, including Ubuntu with 3.14 and 3.15, and a Debian x64 VM with a .wine created under the Debian version and upgraded to 3.0.2.
Instructions:
- Open 0CC (and optionally open an existing file).
- Press Space (to enable editing) and mash the keyboard a bit to enter notes.
- Press Ctrl+S and specify a filename.
- Mash a few keys and press Ctrl+S a few times.
At this point 0CC will usually crash with an assertion error in CString, often with a backtrace consisting of a single entry of 0x0. One time I got a backtrace pointing to MFC UI code.
------------
I think this is a memory corruption issue arising from calling `AfxFormatString1(text, IDS_FILE_SAVED, text);` with the same input and output = https://github.com/HertzDevil/0CC-FamiTracker/blob/v0.3.14.5/Source/FamiTrac...
But it doesn't crash on Windows. Is that a program bug or Wine bug?
- I think MFC is statically linked.
I thought it was a regression from some unknown earlier revision, but I installed a Debian Stretch 64 VM, `apt-get install wine wine32` (https://packages.debian.org/stretch/wine = 1.8.7-2), and `wine 0CC-FamiTracker.exe` experiences the same issue. Maybe the crash doesn't manifest on Wine 32? IDK.
-----------
The code in question has been removed from 0CC, and I will be including a workaround (don't call AfxFormatString1(out=in)) into j0CC soon.
Fabian Maurer dark.shadow4@web.de changed:
What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |dark.shadow4@web.de
--- Comment #1 from Fabian Maurer dark.shadow4@web.de --- Can you try removing the code in question, recompile, and run it again under wine? If it doesn't crash, that's the problem.
--- Comment #2 from jimbo1qaz jimbo1qaz@gmail.com --- Replacing `AfxFormatString1(text, IDS_FILE_SAVED, text);` with `return TRUE;`, or introducing a new `CString out; AfxFormatString1(out,...` fixes the crash I think.
(i swear i posted this yesterday but I guess not)
Fabian Maurer dark.shadow4@web.de changed:
What           |Removed     |Added
----------------------------------------------------------------------------
Ever confirmed |0           |1
Status         |UNCONFIRMED |NEW
--- Comment #3 from Fabian Maurer dark.shadow4@web.de --- Confirming, it actually does crash inside AfxFormatString1 due to the overlapped structure. When re-allocating the CString, the old content (for some reason) loses its null terminator, which leads to the string getting bigger than expected and no longer fitting the resized string.
This looks more like just undefined behavior than an issue in wine, though. Or maybe there is a bug that makes it lose the null terminator?
Fabian Maurer dark.shadow4@web.de changed:
What       |Removed  |Added
----------------------------------------------------------------------------
URL        |         |http://hertzdevil.info/programs/0CCft_v0314r5.7z
Component  |-unknown |ntdll
Keywords   |         |download
--- Comment #4 from Fabian Maurer dark.shadow4@web.de --- Created attachment 62258 --> https://bugs.winehq.org/attachment.cgi?id=62258 Test case
Attaching a simple test case of what I think is happening here. No idea if we even want to have this working in wine, it's undefined behavior due to usage of a freed pointer. How to deal with this kind of issue?
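The following is an added example written for this page; it is not the attached test case, nor code from 0CC-FamiTracker, MFC or Wine. It models the mechanism described in comments #3 and #4: a format helper takes a raw `const char*` obtained from the very CString it writes into, grows that CString (freeing its old buffer), and then reads the argument through the now-stale pointer. The `PoisonHeap` allocator, the `Str` class, the `%1` template syntax, and the "Saved %1" / "song.0cc" strings are all assumptions constructed for the demonstration; the toy heap poisons freed blocks with 0xDD instead of releasing them so that the stale read is deterministic here rather than undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Toy heap (assumption, not MFC's or Wine's allocator). Blocks stay alive for
// the whole example; "freeing" one fills it with 0xDD like a debug CRT does.
// On a real heap the same stale read is undefined behaviour and returns
// whatever the allocator or a later allocation wrote there, terminator included.
struct PoisonHeap {
    struct Block { std::unique_ptr<char[]> mem; size_t size; };
    std::vector<Block> blocks;
    char* alloc(size_t n) {
        blocks.emplace_back();
        blocks.back().mem.reset(new char[n]());
        blocks.back().size = n;
        return blocks.back().mem.get();
    }
    void release(char* p) {
        for (Block& b : blocks)
            if (b.mem.get() == p) std::memset(p, 0xDD, b.size);
    }
};

// Minimal CString-like string: one heap block, reallocated whenever it grows.
class Str {
public:
    Str(PoisonHeap& h, const char* s) : heap_(h), buf_(nullptr), len_(0) {
        size_t n = std::strlen(s);
        std::memcpy(get_buffer(n), s, n);
        release_buffer(n);
    }
    const char* c_str() const { return buf_; }  // CString's implicit LPCTSTR conversion
    size_t length() const { return len_; }
    // Like CString::GetBuffer(n): growing allocates a fresh block, copies the
    // old text over, then frees the old block.
    char* get_buffer(size_t n) {
        if (buf_ && n <= len_) return buf_;
        char* fresh = heap_.alloc(n + 1);
        if (buf_) { std::memcpy(fresh, buf_, len_ + 1); heap_.release(buf_); }
        buf_ = fresh;
        return buf_;
    }
    void release_buffer(size_t n) { len_ = n; buf_[n] = '\0'; }  // like ReleaseBuffer(n)
private:
    PoisonHeap& heap_;
    char* buf_;
    size_t len_;
};

// Length of tmpl with every "%1" replaced by an arg_len-byte argument.
static size_t needed(const char* tmpl, size_t arg_len) {
    size_t n = 0;
    for (const char* p = tmpl; *p; ++p) {
        if (p[0] == '%' && p[1] == '1') { n += arg_len; ++p; } else { ++n; }
    }
    return n;
}

// Expand tmpl into dst, substituting arg (arg_len bytes) for each "%1".
static void expand(char* dst, const char* tmpl, const char* arg, size_t arg_len) {
    size_t w = 0;
    for (const char* p = tmpl; *p; ++p) {
        if (p[0] == '%' && p[1] == '1') { std::memcpy(dst + w, arg, arg_len); w += arg_len; ++p; }
        else { dst[w++] = *p; }
    }
}

// Buggy order of operations: size the result, grow the output (freeing its old
// block), then copy the argument through the caller's raw pointer. If that
// pointer came from out.c_str(), it now points at freed memory. The length is
// measured before the free so this example stays bounded; on a real heap the
// terminator may be gone too, which is the oversized copy described in comment #3.
std::string format1_naive(Str& out, const char* tmpl, const char* arg) {
    size_t arg_len = std::strlen(arg);
    size_t n = needed(tmpl, arg_len);
    char* dst = out.get_buffer(n);
    expand(dst, tmpl, arg, arg_len);
    out.release_buffer(n);
    return std::string(out.c_str(), out.length());
}

// Fix: snapshot the argument before touching the output. Formatting into a
// separate CString, as the reporter's workaround does, has the same effect.
std::string format1_safe(Str& out, const char* tmpl, const char* arg) {
    std::string saved(arg);
    size_t n = needed(tmpl, saved.size());
    char* dst = out.get_buffer(n);
    expand(dst, tmpl, saved.data(), saved.size());
    out.release_buffer(n);
    return std::string(out.c_str(), out.length());
}

// True when arg points into out's current buffer: the precondition under which
// format1_naive reads freed memory. Cheap to assert in any such helper.
bool aliases(const Str& out, const char* arg) {
    std::uintptr_t b = reinterpret_cast<std::uintptr_t>(out.c_str());
    std::uintptr_t a = reinterpret_cast<std::uintptr_t>(arg);
    return a >= b && a <= b + out.length();
}

// Each call mirrors AfxFormatString1(text, IDS_FILE_SAVED, text): the output
// string is also the argument. "Saved %1" and "song.0cc" are constructed inputs.
std::string demo_naive() {
    PoisonHeap heap; Str text(heap, "song.0cc");
    return format1_naive(text, "Saved %1", text.c_str());
}
std::string demo_safe() {
    PoisonHeap heap; Str text(heap, "song.0cc");
    return format1_safe(text, "Saved %1", text.c_str());
}
bool demo_aliases() {
    PoisonHeap heap; Str text(heap, "song.0cc");
    return aliases(text, text.c_str());
}

int main() {
    std::string bad = demo_naive();
    std::printf("safe : %s\n", demo_safe().c_str());
    std::printf("naive: \"%.6s\" followed by byte 0x%02X where the filename should be\n",
                bad.c_str(), static_cast<unsigned char>(bad[6]));
    return 0;
}
```

Run stand-alone, the safe path prints `Saved song.0cc` while the naive path prints `"Saved "` followed by the 0xDD poison byte: the filename was read from the block that `get_buffer` had just freed. The same order of operations on Windows happens to leave the freed bytes readable long enough for the copy to succeed, which is why the thread sees the crash only under Wine's heap.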
--- Comment #5 from Fabian Maurer dark.shadow4@web.de --- I have to add, it works pretty reliably on windows: https://testbot.winehq.org/JobDetails.pl?Key=41733
But I wouldn't know how to fix it in wine.