I am experiencing a crash during startup of an application (The Rosetta Stone 2.0.7a) under Wine. I reported this earlier on wine-users and after some debugging was advised to move to this list.
The line causing a problem is dlls/x11drv/dib.c:425
417 HPALETTE hpal = GetCurrentObject(physDev->hdc, OBJ_PAL); 418 PALETTEENTRY pal_ents[256]; 419 WORD *index = (WORD*) ((LPBYTE) info + (WORD) info->bmiHeader.biSize); 420 421 GetPaletteEntries(hpal, 0, 256, pal_ents); 422 423 for(i = 0; i < colors; i++, index++) 424 { =>425 colorTable[i].rgbRed = pal_ents[*index].peRed; 426 colorTable[i].rgbGreen = pal_ents[*index].peGreen; 427 colorTable[i].rgbBlue = pal_ents[*index].peBlue; 428 colorTable[i].rgbReserved = 0; 429 }
This happens when X11DRV_DIB_BuildColorTable() is called with coloruse==DIB_PAL_COLORS, i.e. the colour table that follows the header in `info` holds 16-bit indices into the current palette rather than RGB values. My guess is that `info` must be corrupt and is yielding a bad value for `*index`, the palette index used on line 425.
Wine-dbg>p i 0 Wine-dbg>p colorTable[i] {rgbBlue=0, rgbGreen=0, rgbRed=0, rgbReserved=0} Wine-dbg>p pal_ents {{peRed=0, peGreen=0, peBlue=0, peFlags=0}, ... } Wine-dbg>p pal_ents[0] {peRed=, peGreen= Exception c0000005 Wine-dbg>p index 0x77aaec20 Wine-dbg>p *index No type or type mismatch Wine-dbg>p info fixme:winedbg:print_value ---error
Here is the backtrace.
fixme:font:GetKerningPairsW (0x1a28,0,(nil)): almost empty stub! First chance exception: page fault on read access to 0x77ab71cc in 32-bit code (0x7fea1e53). Register dump: CS:0073 SS:007b DS:007b ES:007b FS:003b GS:0033 EIP:7fea1e53 ESP:77aae66c EBP:77aaea98 EFLAGS:00010287( - 00 RISP1C) EAX:000022d0 EBX:7fef22c4 ECX:7786aee0 EDX:00000000 ESI:7e042900 EDI:77aaec20 Stack dump: 0x77aae66c: 00000044 00000000 00000100 77aae68c 0x77aae67c: 00000400 00000000 00000100 00000001 0x77aae68c: 00000000 00000080 00008000 00008080 0x77aae69c: 00800000 00800080 00808000 00c0c0c0 0x77aae6ac: 00c0dcc0 00f0caa6 00f0fbff 00a4a0a0 0x77aae6bc: 00808080 000000ff 0000ff00 0000ffff Backtrace: =>1 0x7fea1e53 X11DRV_DIB_BuildColorTable+0x173(physDev=0x7e042408, coloruse=0x1, depth=0x8, info=0x77aaebf8) [/home/jesse/wine/dlls/x11drv/dib.c:425] in x11drv (0x77aaea98) 2 0x7feaa20b X11DRV_DIB_CreateDIBSection+0x22b(physDev=0x7e042408, bmi=0x77aaebf8, usage=0x1, bits=0x7d7703ec, section=0x0, offset=0x0, ovr_pitch=0x0) [/home/jesse/wine/dlls/x11drv/dib.c:4749] in x11drv (0x77aaeb5c) 3 0x77824ab3 DIB_CreateDIBSection+0xa3(hdc=0x5b5c, bmi=0x77aaebf8, usage=0x1, bits=0x7d7703ec, section=0x0, offset=0x0, ovr_pitch=0x0) [/home/jesse/wine/dlls/gdi/dib.c:1107] in gdi32 (0x77aaeb90) 4 0x77824b28 CreateDIBSection+0x48(hdc=0x5b5c, bmi=0x77aaebf8, usage=0x1, bits=0x7d7703ec, section=0x0, offset=0x0) [/home/jesse/wine/dlls/gdi/dib.c:1125] in gdi32 (0x77aaebb8) 5 0x690323bb 1680 in iml32 (0x7b1c7b8c) 6 0x00000264 (0x00000010) 7 0x00000000 (0x00000000) 0x7fea1e53 X11DRV_DIB_BuildColorTable+0x173 [/home/jesse/wine/dlls/x11drv/dib.c:425] in x11drv: movzbl 0xfffffbf4(%ebp,%eax,4),%eax 425 colorTable[i].rgbRed = pal_ents[*index].peRed;
I can add a breakpoint before we get here and try to step through, although the flow seems to skip around a bit.
Wine-dbg>b X11DRV_DIB_BuildColorTable Breakpoint 1 at 0x7fea1d04 X11DRV_DIB_BuildColorTable+0x24 [/home/jesse/wine/dlls/x11drv/dib.c:377] in x11drv Wine-dbg>cond 1 (coloruse == 1)
417 HPALETTE hpal = GetCurrentObject(physDev->hdc, OBJ_PAL); Wine-dbg>n 419 WORD *index = (WORD*) ((LPBYTE) info + (WORD) info->bmiHeader.biSize); Wine-dbg>n 417 HPALETTE hpal = GetCurrentObject(physDev->hdc, OBJ_PAL); Wine-dbg>n 421 GetPaletteEntries(hpal, 0, 256, pal_ents); Wine-dbg>n 419 WORD *index = (WORD*) ((LPBYTE) info + (WORD) info->bmiHeader.biSize); Wine-dbg>n 421 GetPaletteEntries(hpal, 0, 256, pal_ents); Wine-dbg>n 423 for(i = 0; i < colors; i++, index++) Wine-dbg>n 421 GetPaletteEntries(hpal, 0, 256, pal_ents); Wine-dbg>n 423 for(i = 0; i < colors; i++, index++) Wine-dbg>n 425 colorTable[i].rgbRed = pal_ents[*index].peRed; Wine-dbg>s 868 switch(rec->ExceptionCode) Wine-dbg>s 867 { Wine-dbg>s 868 switch(rec->ExceptionCode) Wine-dbg>s 873 if (!(rec->ExceptionCode = VIRTUAL_HandleFault( (void *)rec->ExceptionInformation[1] ))) Wine-dbg>s 1125 DWORD ret = EXCEPTION_ACCESS_VIOLATION;
I am using the latest Wine I built from CVS, after first encountering this problem in the 20050111 and 20050310 Gentoo ebuilds. I have a Linux 2.6.11 system with glibc 2.3.4 20040808 (including nptl), Xorg-x11 6.8.2-rc2 (Trident Cyberblade/i1 "trident_drv.o") @1024x768 16bpp. Also tried kernels 2.6.9 & 2.6.10 and 800x600 24bpp mode. Would appreciate any advice on how to proceed.
http://www.winehq.org/hypermail/wine-users/2005/03/0293.html http://www.winehq.org/hypermail/wine-users/2005/03/0296.html http://appdb.winehq.org/appview.php?appId=1867
Thanks, Jesse Z.
I am experiencing a crash during startup of an application (The Rosetta Stone 2.0.7a) under Wine. I reported this earlier on wine-users and after some debugging was advised to move to this list.
I am using the latest Wine I built from CVS, after first encountering this problem in the 20050111 and 20050310 Gentoo ebuilds. I have a Linux 2.6.11 system with glibc 2.3.4 20040808 (including nptl), Xorg-x11 6.8.2-rc2 (Trident Cyberblade/i1 "trident_drv.o") @1024x768 16bpp. Also tried kernels 2.6.9 & 2.6.10 and 800x600 24bpp mode. Would appreciate any advice on how to proceed.
I have attached a patch below which may fix the problem. `index` points at WORD values (0–65535), yet `pal_ents` is a 256-entry stack array filled by GetPaletteEntries — if any index value is 256 or more we read past the end of `pal_ents`. The register dump above bears this out: EAX is 0x22d0 (8912), and `%ebp - 0x40c + 4*0x22d0` is exactly the faulting address 0x77ab71cc. Since the index table comes straight from the application's DIB header, this is an application-controlled out-of-bounds stack read. I've modified the function to look the indices up directly in the palette object (so all 65536 index values can be handled) and to clamp values that are beyond the range of valid palette indexes. The patch is completely untested, but let me know if it fixes the issue.
Glenn.
Index: dlls/x11drv/dib.c
===================================================================
RCS file: /home/wine/wine/dlls/x11drv/dib.c,v
retrieving revision 1.23
diff -u -r1.23 dib.c
--- dlls/x11drv/dib.c    1 Mar 2005 10:43:19 -0000    1.23
+++ dlls/x11drv/dib.c    23 Mar 2005 21:16:18 -0000
@@ -415,18 +415,25 @@
     else
     {
         HPALETTE hpal = GetCurrentObject(physDev->hdc, OBJ_PAL);
-        PALETTEENTRY pal_ents[256];
+        PALETTEOBJ * palPtr = GDI_GetObjPtr( hpal, PALETTE_MAGIC );
         WORD *index = (WORD*) ((LPBYTE) info + (WORD) info->bmiHeader.biSize);
+        int entry;
-        GetPaletteEntries(hpal, 0, 256, pal_ents);
+        if( !palPtr ) return 0;
         for(i = 0; i < colors; i++, index++)
         {
-            colorTable[i].rgbRed = pal_ents[*index].peRed;
-            colorTable[i].rgbGreen = pal_ents[*index].peGreen;
-            colorTable[i].rgbBlue = pal_ents[*index].peBlue;
+            if( *index > palPtr->logpalette.palNumEntries )
+                entry = palPtr->logpalette.palNumEntries;
+            else
+                entry = *index;
+
+            colorTable[i].rgbRed = palPtr->logpalette.palPalEntry[entry].peRed;
+            colorTable[i].rgbGreen = palPtr->logpalette.palPalEntry[entry].peGreen;
+            colorTable[i].rgbBlue = palPtr->logpalette.palPalEntry[entry].peBlue;
             colorTable[i].rgbReserved = 0;
         }
+        GDI_ReleaseObj( hpal );
     }
     return colorTable;
 }
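Review bot: The clamp added inside the loop is off by one: `palPalEntry` has `palNumEntries` elements, so the last valid index is `palNumEntries - 1`, yet the new code lets `*index == palNumEntries` through unchanged and maps every larger value to exactly `palNumEntries`, which still reads one element past the array (and with an empty palette every iteration reads `palPalEntry[0]`). The index table is application data reached through `info`, so this remains an application-controlled out-of-bounds read, merely shorter than the one past the 256-entry `pal_ents` it replaces; the loop should clamp to the last valid entry and emit black when there are no entries, as below. Separately, the new `if( !palPtr ) return 0;` returns before anything was acquired, which is fine for the GDI object, but if `colorTable` is heap-allocated earlier in the function (its allocation is above the hunk and the function ends with `return colorTable`) that path now leaks it and should free it first. The enclosing function starts before this hunk.
```c
        for(i = 0; i < colors; i++, index++)
        {
            int nEntries = palPtr->logpalette.palNumEntries;

            colorTable[i].rgbRed = colorTable[i].rgbGreen = colorTable[i].rgbBlue = 0;
            colorTable[i].rgbReserved = 0;
            if( !nEntries ) continue;                           /* empty palette: leave the entry black */
            entry = (*index < nEntries) ? *index : nEntries - 1; /* clamp to the last valid entry, not one past it */
            colorTable[i].rgbRed   = palPtr->logpalette.palPalEntry[entry].peRed;
            colorTable[i].rgbGreen = palPtr->logpalette.palPalEntry[entry].peGreen;
            colorTable[i].rgbBlue  = palPtr->logpalette.palPalEntry[entry].peBlue;
        }
        /* … unchanged: GDI_ReleaseObj( hpal ) and return colorTable … */
```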
The patch worked like a charm. I guess it's true about arrays being evil :)
Thanks, Jesse Z.
Glenn Wurster wrote:
I have attached a patch below which may fix the problem. Index is a WORD but yet we only have 256 entries in the palette that we get from GetPaletteEntries - if any of the values is more, we jump past the end of pal_ents. I've modified the function to allow access to all 65536 colour values and adjust for values that are beyond the range of valid palette indexes. The patch is completely untested but let me know if it fixes the issue.