[Bug 35537] Easy Bridge version 4.0.2 installer crashes
wine-bugs at winehq.org
Wed May 7 11:32:06 CDT 2014
http://bugs.winehq.org/show_bug.cgi?id=35537
Anastasius Focht <focht at gmx.net> changed:
          What|Removed                     |Added
----------------------------------------------------------------------------
        Status|UNCONFIRMED                 |NEW
     Component|-unknown                    |winex11.drv
       Summary|Cannot install Easy Bridge  |Easy Bridge version 4.0.2
              |version 4.0.2               |installer crashes
Ever confirmed|0                           |1
--- Comment #24 from Anastasius Focht <focht at gmx.net> ---
Hello Paull,
I still can't reproduce this but your backtrace with Wine 1.7.14 shows at least
some potential problem.
(I removed the invalid address/symbol noise)
--- snip ---
Unhandled exception: page fault on read access to 0x00000008 in 32-bit code
(0x7e01804f).
Register dump:
CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
EIP:7e01804f ESP:0033e9f0 EBP:0033ea78 EFLAGS:00010246( R- -- I Z- -P- )
EAX:00000000 EBX:7e042ff4 ECX:0000000c EDX:00000000
ESI:7e04ce40 EDI:0033eb10
...
Backtrace:
=>0 0x7e01804f get_tile_pict+0xdf(wxr_format=WXR_NB_FORMATS, color=0x33eb10)
[/build/buildd/wine1.7-1.7.14/dlls/winex11.drv/xrender.c:1248] in winex11
(0x0033ea78)
1 0x7e01a90b xrenderdrv_ExtTextOut+0x22a(dev=0x18a4b8, x=0x18, y=0x3b,
flags=0x1004, lprect=0x33ecb8, wstr="Installing Easy Bridge 4.0.2", count=0x1c,
lpDx=0x0(nil)) [/build/buildd/wine1.7-1.7.14/dlls/winex11.drv/xrender.c:1387]
in winex11 (0x0033eb38)
2 0x7eb4c60e ExtTextOutW+0xf1d(hdc=*** Invalid address 0x0000000c ***
...
3 0x7eca357d DrawTextExW+0xa7c(hdc=*** Invalid address 0x0000000c ***
...
4 0x7eca4d73 DrawTextExA+0x2f2(hdc=*** Invalid address 0x0000000c ***
...
5 0x7eca4ed9 DrawTextA+0x88(hdc=*** Invalid address 0x0000000c ***
...
6 0x0046c98f in _ins0432._mp (+0x6c98e) (0x0033f804)
...
--- snip ---
Corresponding source:
http://source.winehq.org/git/wine.git/blob/refs/tags/wine-1.7.14:/dlls/winex11.drv/xrender.c#l1248
--- snip ---
1232 static Picture get_tile_pict( enum wxr_format wxr_format, const XRenderColor *color)
1233 {
1234     static struct
1235     {
1236         Pixmap xpm;
1237         Picture pict;
1238         XRenderColor current_color;
1239     } tiles[WXR_NB_FORMATS], *tile;
1240
1241     tile = &tiles[wxr_format];
1242
1243     if(!tile->xpm)
1244     {
1245         XRenderPictureAttributes pa;
1246         XRenderPictFormat *pict_format = pict_formats[wxr_format];
1247
1248         tile->xpm = XCreatePixmap(gdi_display, root_window, 1, 1, pict_format->depth);
...
--- snip ---
'wxr_format' parameter has value 'WXR_NB_FORMATS' = last enum "invalid"
meaning.
Source:
http://source.winehq.org/git/wine.git/blob/refs/tags/wine-1.7.14:/dlls/winex11.drv/xrender.c#l57
--- snip ---
57 enum wxr_format
58 {
59     WXR_FORMAT_MONO,
60     WXR_FORMAT_GRAY,
61     WXR_FORMAT_X1R5G5B5,
62     WXR_FORMAT_X1B5G5R5,
63     WXR_FORMAT_R5G6B5,
64     WXR_FORMAT_B5G6R5,
65     WXR_FORMAT_R8G8B8,
66     WXR_FORMAT_B8G8R8,
67     WXR_FORMAT_A8R8G8B8,
68     WXR_FORMAT_B8G8R8A8,
69     WXR_FORMAT_X8R8G8B8,
70     WXR_FORMAT_B8G8R8X8,
71     WXR_NB_FORMATS,
72     WXR_INVALID_FORMAT = WXR_NB_FORMATS
73 };
--- snip ---
The stack based 'tiles' array is accessed out-of-bounds off-by-one since it has
only WXR_NB_FORMATS elements (line 1239).
'tile->xpm' evaluates to NULL by chance.
'pict_formats' array has WXR_NB_FORMATS + 1 elements which means the last entry
is NULL hence 'pict_formats[WXR_NB_FORMATS]' will yield NULL.
Dereferencing 'pict_format->depth' causes the fault (page fault address
0x00000008 = 'depth' member offset).
The question is where did that invalid WXR_NB_FORMATS value come from.
get_tile_pict -> xrenderdrv_ExtTextOut -> 'physdev->format', physdev =
get_xrender_dev( dev )
Maybe some Wine/X11 guys can comment :)
Regards
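The failure mode analysed in the comment above, as an added example (not part of the original message, and neither Wine's code nor its fix): a sentinel enum value used as an index into a table sized by that same sentinel, with the lookup guarded so that it returns NULL instead of reading past the array and dereferencing a NULL format. All names (`fmt`, `pict_format`, `get_tile_checked`, `depth_fault_offset`) are hypothetical, and the struct is a constructed stand-in that assumes 32-bit fields so that `depth` lands at offset 8, matching the fault address in the backtrace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins; the sentinel doubles as "invalid", as in the quoted enum. */
enum fmt { FMT_MONO, FMT_GRAY, FMT_A8R8G8B8, NB_FORMATS, INVALID_FORMAT = NB_FORMATS };

/* Assumed 32-bit layout: id at 0, type at 4, depth at 8. */
struct pict_format { uint32_t id; int32_t type; int32_t depth; };

static struct pict_format mono = {1, 0, 1}, gray = {2, 0, 8}, argb = {3, 1, 32};

/* NB_FORMATS + 1 slots: the slot for the sentinel is never filled and stays NULL. */
static struct pict_format *formats[NB_FORMATS + 1] = { &mono, &gray, &argb };

struct tile { unsigned long xpm; int depth; };

/* Guarded lookup: reject the sentinel (and anything larger) before indexing,
 * and reject a NULL format entry before reading ->depth. */
static struct tile *get_tile_checked(enum fmt f)
{
    static struct tile tiles[NB_FORMATS];      /* valid indices: 0 .. NB_FORMATS-1 */
    const struct pict_format *pf;
    struct tile *tile;

    if ((unsigned)f >= (unsigned)NB_FORMATS)   /* tiles[NB_FORMATS] is one past the end */
        return NULL;
    pf = formats[f];
    if (!pf)                                   /* format not available */
        return NULL;
    tile = &tiles[f];
    if (!tile->xpm) {                          /* lazy init, stand-in for XCreatePixmap */
        tile->xpm = 1UL + (unsigned long)f;
        tile->depth = pf->depth;
    }
    return tile;
}

/* Address a read of ->depth through a NULL pict_format would fault on. */
static size_t depth_fault_offset(void) { return offsetof(struct pict_format, depth); }

int main(void)
{
    printf("valid format   -> %s\n", get_tile_checked(FMT_A8R8G8B8) ? "tile" : "NULL");
    printf("sentinel value -> %s\n", get_tile_checked(INVALID_FORMAT) ? "tile" : "NULL");
    printf("NULL->depth would fault at 0x%08zx\n", depth_fault_offset());
    return 0;
}
```

A caller then has to treat a NULL return as "no usable format" and skip the render path, which is also the place to ask why the sentinel reached the call at all.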