https://bugs.winehq.org/show_bug.cgi?id=52191
Bug ID: 52191
Summary: Null pointer dereference in MPEG3_StreamConvert
Product: Wine
Version: 6.20
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: l3codeca.acm
Assignee: wine-bugs@winehq.org
Reporter: hendi48@freenet.de
Regression SHA1: 5329da61ac51995f7a690edffbbc57d955566a6d
Distribution: ArchLinux
Wine 6.20 broke certain DX8 games that use DirectSound to do MP3 decoding.
https://github.com/wine-mirror/wine/blob/wine-6.20/dlls/l3codeca.acm/mpegl3.... Here, mpg123_feedseek is called with NULL as 4th argument (input_offset).
The called function does not check for NULL and faults when attempting to write to it:

    int __cdecl mpg123_feedseek(mpg123_handle *mh, int sampleoff, int whence, int *input_offset)
    {
      int result; // eax
      _off_t largeioff; // [esp+1Ch] [ebp-Ch]

      result = mpg123_feedseek_64(mh, sampleoff, whence, &largeioff);
      if ( result >= 0 )
        *input_offset = largeioff;
      return result;
    }
This is decompiled code from the l3codeca.acm i386 library in Arch Linux's wine-6.20-1 package (the same thing is the case in 6.21, too). What's really really strange is that I just checked the bundled mpg123 source tree that comes with Wine since 6.20, and the function looks very different.
Could this be a compilation screwup where distribution maintainers somehow compile an external variant of mpg123 and not the in-tree version?
Hendi hendi48@freenet.de changed:
What            |Removed    |Added
----------------------------------------------------------------------------
Keywords        |           |regression
--- Comment #1 from Nikolay Sivov bunglehead@gmail.com --- No, this looks accurate. The issue seems to be about having two function variants, one in lfs_wrap.c and the actual implementation in libmpg123.c. The wrapper does not check for a null pointer, while the implementation does.
It could be a configuration issue, or a difference in the win32 build. Maybe libmpg123 devs would be open to patching lfs_wrap.c accordingly.
Zebediah Figura z.figura12@gmail.com changed:
What            |Removed    |Added
----------------------------------------------------------------------------
CC              |           |z.figura12@gmail.com
--- Comment #2 from Zebediah Figura z.figura12@gmail.com --- (In reply to Nikolay Sivov from comment #1)
> No, this looks accurate. The issue seems to be about having two function variants, one in lfs_wrap.c and the actual implementation in libmpg123.c. The wrapper does not check for a null pointer, while the implementation does.
> It could be a configuration issue, or a difference in the win32 build. Maybe libmpg123 devs would be open to patching lfs_wrap.c accordingly.
mpg123 should probably be patched, but also, as the "real" implementation shows, our code is buggy. I'm not sure we need the mpg123_feedseek() call at all; I'll have to investigate further.
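As an added illustration of the mismatch described in comments #1 and #2 (this is constructed example code, not code from this bug, from Wine or from libmpg123): a wide-offset implementation that tolerates a NULL output pointer, a wrapper in the shape the reporter's decompilation shows (the int* is written unconditionally), and a wrapper that keeps the implementation's contract. All function names, the error path and the offset arithmetic are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the two-variant layout: a "real" implementation that
 * accepts NULL for the offset out-parameter, and a thin wrapper converting
 * the wide offset to int for callers of the narrow ABI.
 */
typedef long long wide_off_t;

/* Stand-in for the wide-offset implementation (hypothetical). NULL means
 * "caller does not want the input offset", and the function honours that. */
static int feedseek_impl(long long sampleoff, wide_off_t *input_offset)
{
    if (sampleoff < 0)
        return -1;                      /* hypothetical error path */
    if (input_offset)
        *input_offset = sampleoff * 4;  /* hypothetical bytes-per-sample */
    return 0;
}

/* Wrapper in the shape of the decompilation: the int* is dereferenced
 * unconditionally, so a NULL caller faults. Kept only for contrast;
 * never call it with NULL. */
static int feedseek_wrapper_unchecked(long long sampleoff, int *input_offset)
{
    wide_off_t largeioff;
    int result = feedseek_impl(sampleoff, &largeioff);
    if (result >= 0)
        *input_offset = (int)largeioff;
    return result;
}

/* Wrapper with the same contract as the implementation: NULL is accepted
 * and simply means the offset is not reported back. */
static int feedseek_wrapper_checked(long long sampleoff, int *input_offset)
{
    wide_off_t largeioff;
    int result = feedseek_impl(sampleoff, &largeioff);
    if (result >= 0 && input_offset)
        *input_offset = (int)largeioff;
    return result;
}

int main(void)
{
    int off = -1;
    int rc;

    /* The Wine-style call: the caller does not care about the offset. */
    rc = feedseek_wrapper_checked(10, NULL);
    printf("checked wrapper, NULL out-param: rc=%d\n", rc);

    rc = feedseek_wrapper_checked(10, &off);
    printf("checked wrapper, with out-param: rc=%d offset=%d\n", rc, off);

    off = -1;
    rc = feedseek_wrapper_unchecked(10, &off);
    printf("unchecked wrapper, with out-param: rc=%d offset=%d\n", rc, off);
    return 0;
}
```

The point of the checked variant is that a wrapper must not be stricter than the function it wraps: if the implementation documents NULL as acceptable, every entry point that forwards to it has to accept NULL too, or callers written against the implementation's contract crash depending on which symbol the build happened to export.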
--- Comment #3 from Zebediah Figura z.figura12@gmail.com --- FWIW, for reproduction purposes, it'd be nice to have the name of a specific application broken by this.
--- Comment #4 from Hendi hendi48@freenet.de --- (In reply to Nikolay Sivov from comment #1)
> No, this looks accurate. The issue seems to be about having two function variants, one in lfs_wrap.c and the actual implementation in libmpg123.c. The wrapper does not check for a null pointer, while the implementation does.
> It could be a configuration issue, or a difference in the win32 build. Maybe libmpg123 devs would be open to patching lfs_wrap.c accordingly.
Oh that makes total sense now, I didn't see the wrapper. I'll file a bug report with libmpg123, surely they'll be willing to fix that deviation in behavior.
(In reply to Zebediah Figura from comment #3)
> FWIW, for reproduction purposes, it'd be nice to have the name of a specific application broken by this.
The application in question is an old version of MapleStory. Getting it to run is a bit involved, which is why I didn't say anything initially.
1. Go to https://msdl.xyz/pages/gms/setups and download GMSSetupv83.exe and install the game.
2. Download GMSv83.exe from https://mega.nz/file/5TR1hazB#aCWUpgiIJmSWKsjP0x0khKzY_tLcNOu7YDtTGPUcAz0 and place it in the game folder.
3. Run this in a shell to host a mock server (openbsd-netcat assumed):
   while true; do echo -e "\x0E\x00\x53\x00\x01\x00\x31\x12\x34\x56\x78\x12\x34\x56\x78\x08" | nc -l 127.0.0.1 8484; done
4. Launch GMSv83.exe.
5. Press ALT+Enter to switch to windowed mode.
6. Let it sit at the login screen, do not attempt to do anything else. It's a bit nondeterministic when execution will reach the seek; on my test machine it usually happens after 2-10 minutes.
7. After crashing, the game will write an exception trace in drive_c/windows/syswow64/msexcr.ini if you'd like to look at that.
--- Comment #5 from Hendi hendi48@freenet.de --- I see Alexandre Julliard did a commit earlier to disable and remove the wrapper, since I assume it wasn't supposed to be enabled in the first place.
FWIW the bug is fixed upstream as well now.
Hans Leidekker hans@meelstraat.net changed:
What            |Removed    |Added
----------------------------------------------------------------------------
Fixed by SHA1   |           |338af407076e3dde82342e441571e8a64b98c1e3
Resolution      |---        |FIXED
Status          |UNCONFIRMED|RESOLVED
--- Comment #6 from Hans Leidekker hans@meelstraat.net --- Fixed with 338af407076e3dde82342e441571e8a64b98c1e3.
Alexandre Julliard julliard@winehq.org changed:
What            |Removed    |Added
----------------------------------------------------------------------------
Status          |RESOLVED   |CLOSED
--- Comment #7 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 7.0-rc1.