http://bugs.winehq.org/show_bug.cgi?id=18612
Summary: AutoGK 2.55 crashes on close
Product: Wine
Version: 1.1.21
Platform: PC
URL: http://www.autogk.me.uk/modules.php?name=Downloads
OS/Version: Linux
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: richedit
AssignedTo: wine-bugs@winehq.org
ReportedBy: dimesio@earthlink.net
Created an attachment (id=21298) --> (http://bugs.winehq.org/attachment.cgi?id=21298) AutoGK crash +richedit trace
Tested in 1.1.21 and 1.1.22 on openSUSE 11.1.
AutoGK is a free, user-friendly front end for Avisynth and VirtualDubMod that automates the encoding process. It needs native msvfw32 and mfc42u to encode video in Wine; however, these overrides are not needed to start the program and reproduce the crash, which occurs only when closing the program.
To reproduce:
Download and install AutoGK. (Installing in a virtual desktop works best.) Run it from the program directory. Close the program by clicking the close button in the upper right corner.
AutoGK will crash, showing a dialog that says "Exception EAccessViolation in module AutoGK.exe at 00001F1B. Access violation at address 00401F1B in module 'AutoGK.exe'. Read of address 00000000."
Using native riched20 solves the problem.
Rosanne DiMesio dimesio@earthlink.net changed:
What            |Removed    |Added
----------------------------------------------------------------------------
Keywords        |           |download
Dylan Smith dylan.ah.smith@gmail.com changed:
What            |Removed     |Added
----------------------------------------------------------------------------
Status          |UNCONFIRMED |NEW
CC              |            |dylan.ah.smith@gmail.com
Ever Confirmed  |0           |1
--- Comment #1 from Dylan Smith dylan.ah.smith@gmail.com 2009-07-29 20:27:48 --- It seems as if the application lies about the size of the buffer passed in when sending WM_GETTEXT; however, it does make sure the buffer is large enough to contain all the text. Unfortunately the richedit control implementation did a memcpy for the size of the buffer instead of the size of the text that is retrieved, causing a buffer overflow that leads to the crash in the application code.
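The failure mode Dylan describes, as an added example that is not Wine's code and not the actual richedit source: a control whose WM_GETTEXT handler copies the caller's claimed length `cb` instead of the length of the text it retrieved, next to the corrected shape that copies only the existing text, reserves room for the terminator, and returns 0 for a NULL buffer or zero length. The control text, the 16-byte "real" application buffer inside a larger canary-filled arena, and the function names are all constructed for the demonstration; the arena is a single array so the simulated overwrite stays within defined memory and can be inspected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the rich edit control's contents (not Wine's data). */
static const char CONTROL_TEXT[] = "Hello, AutoGK";

#define ARENA_SIZE 64  /* the application's real buffer plus its neighbouring memory */
#define REAL_BUF   16  /* bytes the application actually allocated */
#define CANARY     0xA5

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Hypothetical reconstruction of the buggy shape: the text is staged in a
 * scratch area sized to the caller's claimed length cb, then cb bytes are
 * memcpy'd into the caller's buffer whether or not that much text exists.
 * No NULL-buffer or zero-length handling either. */
size_t gettext_buggy(char *dest, size_t cb)
{
    char scratch[ARENA_SIZE];
    size_t len = strlen(CONTROL_TEXT);

    cb = min_sz(cb, sizeof scratch);            /* keep the simulation bounded */
    memset(scratch, 0, sizeof scratch);
    memcpy(scratch, CONTROL_TEXT, min_sz(len, cb));
    memcpy(dest, scratch, cb);                  /* BUG: cb bytes, not the text length */
    return min_sz(len, cb);
}

/* Corrected shape: copy only the text that exists, leave room for the
 * terminator, and treat a NULL buffer or zero length as "nothing to copy". */
size_t gettext_fixed(char *dest, size_t cb)
{
    size_t len = strlen(CONTROL_TEXT);
    size_t n;

    if (!dest || cb == 0) return 0;
    n = min_sz(len, cb - 1);
    memcpy(dest, CONTROL_TEXT, n);
    dest[n] = '\0';
    return n;
}

/* Run a handler over an arena in which the application really owns only
 * REAL_BUF bytes but claims `claimed_cb`.  Returns 1 if every byte beyond
 * the real buffer still holds the canary, 0 if the handler wrote past it. */
int neighbours_survive(size_t (*handler)(char *, size_t), size_t claimed_cb)
{
    unsigned char arena[ARENA_SIZE];
    size_t i;

    memset(arena, CANARY, sizeof arena);
    handler((char *)arena, claimed_cb);
    for (i = REAL_BUF; i < sizeof arena; i++)
        if (arena[i] != CANARY) return 0;
    return 1;
}

/* Copy into a cb-byte buffer with the fixed handler and return the reported
 * length, or -1 if the result is not NUL-terminated inside the buffer. */
long fixed_copy_len(size_t cb)
{
    char buf[ARENA_SIZE];
    size_t n;

    cb = min_sz(cb, sizeof buf);
    memset(buf, CANARY, sizeof buf);
    n = gettext_fixed(buf, cb);
    if (cb && memchr(buf, '\0', cb) == NULL) return -1;
    return (long)n;
}

int main(void)
{
    printf("buggy, honest length 16 : neighbours survive = %d\n",
           neighbours_survive(gettext_buggy, REAL_BUF));
    printf("buggy, claimed length 64: neighbours survive = %d\n",
           neighbours_survive(gettext_buggy, 64));
    printf("fixed, claimed length 64: neighbours survive = %d\n",
           neighbours_survive(gettext_fixed, 64));
    printf("fixed into 5 bytes copies %ld chars\n", fixed_copy_len(5));
    return 0;
}
```

The honest-length run shows why the bug stayed hidden: as long as the application passes the size it really allocated, copying `cb` bytes is harmless. Only an over-stated length exposes the difference, and the fix removes the dependence on the caller's claim entirely by bounding the copy with the retrieved text length.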
Dylan Smith dylan.ah.smith@gmail.com changed:
What            |Removed              |Added
----------------------------------------------------------------------------
AssignedTo      |wine-bugs@winehq.org |dylan.ah.smith@gmail.com
--- Comment #2 from Dylan Smith dylan.ah.smith@gmail.com 2009-07-29 23:28:17 --- Created an attachment (id=22698) --> (http://bugs.winehq.org/attachment.cgi?id=22698) Prevent possible buffer overflow in WM_GETTEXT
Here is a patch that fixes the implementation of WM_GETTEXT, which is also more efficient by avoiding creating an extra copy of the text. It also properly handles 0 values for the buffer or the buffer length in WM_GETTEXT or EM_GETTEXTEX.
--- Comment #3 from Dylan Smith dylan.ah.smith@gmail.com 2009-08-04 20:00:33 --- (In reply to comment #2)
> Created an attachment (id=22698)
> --> (http://bugs.winehq.org/attachment.cgi?id=22698) [details]
> Prevent possible buffer overflow in WM_GETTEXT

My patch has been accepted as commit c4b023b1b6d13552e3432f754b1dd3a70b5e5edb. Please retest to see if this bug has been completely fixed.
Rosanne DiMesio dimesio@earthlink.net changed:
What            |Removed    |Added
----------------------------------------------------------------------------
Status          |NEW        |RESOLVED
Resolution      |           |FIXED
--- Comment #4 from Rosanne DiMesio dimesio@earthlink.net 2009-08-04 22:06:46 --- Works fine.
Alexandre Julliard julliard@winehq.org changed:
What            |Removed    |Added
----------------------------------------------------------------------------
Status          |RESOLVED   |CLOSED
--- Comment #5 from Alexandre Julliard julliard@winehq.org 2009-08-07 12:45:38 --- Closing bugs fixed in 1.1.27.