https://bugs.winehq.org/show_bug.cgi?id=55918
Bug ID: 55918
Summary: printf() can overrun the "p10s" buffer with certain values when using 24-bit precision
Product: Wine
Version: 8.20
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: z.figura12@gmail.com
Distribution: ---
Spore, for some reason, sets 24-bit precision on a thread, and when I tried to enable +d3d, I found that thread crashed with an integer division by zero. The actual floating point value that triggered the crash is (double) 9.9999982118606567e-01.
The cause is this:
* the log10() call in pf_output_fp() receives 999999940 as an argument
* it returns 9.0, which is... not really correct
* this value is later used to index the p10s array, which is only of length 9
* 0 happens to be the next integer in memory
A quick test suggests that, at least for i386 ucrtbase, native log10() does not return 9.0, but 8.9999999739423302, which IIRC is the precise value. So that's... possibly the correct fix.
There may also be a less error-prone and even more efficient way to do that base-10 logarithm.
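An added example, not part of the original report and not Wine's code or the committed fix: one way to take the base-10 logarithm with integer comparisons only and to bounds-check the table lookup. The names `pow10_table`, `ilog10_u32`, `pow10_checked` and `report_value_rounds_to_nine` are hypothetical, and the table contents are an assumption for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical table for this example (not Wine's p10s): 10^0 .. 10^9,
 * every power of ten that fits in 32 bits. */
static const uint32_t pow10_table[] = {
    1u, 10u, 100u, 1000u, 10000u, 100000u,
    1000000u, 10000000u, 100000000u, 1000000000u
};
#define POW10_COUNT ((unsigned)(sizeof(pow10_table) / sizeof(pow10_table[0])))

/* floor(log10(v)) by integer comparison only, so the thread's FPU precision
 * setting cannot change the result. Returns 0 for v == 0. The loop bound
 * keeps the result a valid index into pow10_table. */
static unsigned ilog10_u32(uint32_t v)
{
    unsigned e = 0;
    while (e + 1 < POW10_COUNT && v >= pow10_table[e + 1])
        e++;
    return e;
}

/* Bounds-checked lookup: returns 1 and stores the power of ten, or returns 0
 * without reading past the table (where the report found a 0 divisor). */
static int pow10_checked(unsigned idx, uint32_t *out)
{
    if (idx >= POW10_COUNT)
        return 0;
    *out = pow10_table[idx];
    return 1;
}

/* Models the rounding in the report: the value given there for
 * log10(999999940), stored with a 24-bit significand, becomes exactly 9. */
static int report_value_rounds_to_nine(void)
{
    volatile float f = (float)8.9999999739423302;
    return f == 9.0f;
}

int main(void)
{
    uint32_t p = 0;
    unsigned e = ilog10_u32(999999940u);
    int ok = pow10_checked(e, &p);
    printf("rounds to 9: %d, ilog10 = %u, ok = %d, 10^e = %u\n",
           report_value_rounds_to_nine(), e, ok, (unsigned)p);
    return 0;
}
```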
Zeb Figura z.figura12@gmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Resolution    |---     |FIXED
Status        |NEW     |RESOLVED
Fixed by SHA1 |        |9b9f7a007786b32a4c80f69ceb6753acdc8c2091

--- Comment #1 from Zeb Figura z.figura12@gmail.com ---
Addressed by https://source.winehq.org/git/wine.git/commitdiff/9b9f7a007786b32a4c80f69ceb6753acdc8c2091.
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 8.21.