Segfault in X11DRV_DIB_BuildColorTable (DIB_PAL_COLORS)

Jesse D Zbikowski jdz at aigc.net
Tue Mar 22 22:39:18 CST 2005 

I am experiencing a crash during startup of an application (The
Rosetta Stone 2.0.7a) under Wine.  I reported this earlier on
wine-users and after some debugging was advised to move to this list.

The line causing a problem is dlls/x11drv/dib.c:425

417             HPALETTE hpal = GetCurrentObject(physDev->hdc, OBJ_PAL);
418             PALETTEENTRY pal_ents[256];
419             WORD *index = (WORD*) ((LPBYTE) info + (WORD) info->bmiHeader.biSize);
420
421             GetPaletteEntries(hpal, 0, 256, pal_ents);
422
423             for(i = 0; i < colors; i++, index++)
424             {
=>425                 colorTable[i].rgbRed = pal_ents[*index].peRed;
426                 colorTable[i].rgbGreen = pal_ents[*index].peGreen;
427                 colorTable[i].rgbBlue = pal_ents[*index].peBlue;
428                 colorTable[i].rgbReserved = 0;
429             }

This happens when X11DRV_DIB_BuildColorTable() is called with
coloruse==DIB_PAL_COLORS, meaning we use an 8-bit palette.  It seems
to me that (LPBYTE)info must be corrupt and is giving a corrupt value
to (WORD)index.

Wine-dbg>p i
0
Wine-dbg>p colorTable[i]
{rgbBlue=0, rgbGreen=0, rgbRed=0, rgbReserved=0}
Wine-dbg>p pal_ents
{{peRed=0, peGreen=0, peBlue=0, peFlags=0}, ... }
Wine-dbg>p pal_ents[0]
{peRed=, peGreen=
Exception c0000005
Wine-dbg>p index
0x77aaec20
Wine-dbg>p *index
No type or type mismatch
Wine-dbg>p info
fixme:winedbg:print_value ---error

Here is the backtrace.

fixme:font:GetKerningPairsW (0x1a28,0,(nil)): almost empty stub!
First chance exception: page fault on read access to 0x77ab71cc in 32-bit code (0x7fea1e53).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:003b GS:0033
 EIP:7fea1e53 ESP:77aae66c EBP:77aaea98 EFLAGS:00010287(   - 00      RISP1C)
 EAX:000022d0 EBX:7fef22c4 ECX:7786aee0 EDX:00000000
 ESI:7e042900 EDI:77aaec20
Stack dump:
0x77aae66c:  00000044 00000000 00000100 77aae68c
0x77aae67c:  00000400 00000000 00000100 00000001
0x77aae68c:  00000000 00000080 00008000 00008080
0x77aae69c:  00800000 00800080 00808000 00c0c0c0
0x77aae6ac:  00c0dcc0 00f0caa6 00f0fbff 00a4a0a0
0x77aae6bc:  00808080 000000ff 0000ff00 0000ffff
Backtrace:
=>1 0x7fea1e53 X11DRV_DIB_BuildColorTable+0x173(physDev=0x7e042408, coloruse=0x1, depth=0x8, info=0x77aaebf8)
[/home/jesse/wine/dlls/x11drv/dib.c:425] in x11drv (0x77aaea98)
  2 0x7feaa20b X11DRV_DIB_CreateDIBSection+0x22b(physDev=0x7e042408, bmi=0x77aaebf8, usage=0x1, bits=0x7d7703ec,
section=0x0, offset=0x0, ovr_pitch=0x0) [/home/jesse/wine/dlls/x11drv/dib.c:4749] in x11drv (0x77aaeb5c)
  3 0x77824ab3 DIB_CreateDIBSection+0xa3(hdc=0x5b5c, bmi=0x77aaebf8, usage=0x1, bits=0x7d7703ec, section=0x0,
offset=0x0, ovr_pitch=0x0) [/home/jesse/wine/dlls/gdi/dib.c:1107] in gdi32 (0x77aaeb90)
  4 0x77824b28 CreateDIBSection+0x48(hdc=0x5b5c, bmi=0x77aaebf8, usage=0x1, bits=0x7d7703ec, section=0x0, offset=0x0)
[/home/jesse/wine/dlls/gdi/dib.c:1125] in gdi32 (0x77aaebb8)
  5 0x690323bb 1680 in iml32 (0x7b1c7b8c)
  6 0x00000264 (0x00000010)
  7 0x00000000 (0x00000000)
0x7fea1e53 X11DRV_DIB_BuildColorTable+0x173 [/home/jesse/wine/dlls/x11drv/dib.c:425] in x11drv: movzbl   
0xfffffbf4(%ebp,%eax,4),%eax
425                 colorTable[i].rgbRed = pal_ents[*index].peRed;

I can add a breakpoint before we get here and try to step through,
although the flow seems to skip around a bit.

Wine-dbg>b X11DRV_DIB_BuildColorTable
Breakpoint 1 at 0x7fea1d04 X11DRV_DIB_BuildColorTable+0x24 [/home/jesse/wine/dlls/x11drv/dib.c:377] in x11drv
Wine-dbg>cond 1 (coloruse == 1)

417             HPALETTE hpal = GetCurrentObject(physDev->hdc, OBJ_PAL);
Wine-dbg>n
419             WORD *index = (WORD*) ((LPBYTE) info + (WORD) info->bmiHeader.biSize);
Wine-dbg>n
417             HPALETTE hpal = GetCurrentObject(physDev->hdc, OBJ_PAL);
Wine-dbg>n
421             GetPaletteEntries(hpal, 0, 256, pal_ents);
Wine-dbg>n
419             WORD *index = (WORD*) ((LPBYTE) info + (WORD) info->bmiHeader.biSize);
Wine-dbg>n
421             GetPaletteEntries(hpal, 0, 256, pal_ents);
Wine-dbg>n
423             for(i = 0; i < colors; i++, index++)
Wine-dbg>n
421             GetPaletteEntries(hpal, 0, 256, pal_ents);
Wine-dbg>n
423             for(i = 0; i < colors; i++, index++)
Wine-dbg>n
425                 colorTable[i].rgbRed = pal_ents[*index].peRed;
Wine-dbg>s
868         switch(rec->ExceptionCode)
Wine-dbg>s
867     {
Wine-dbg>s
868         switch(rec->ExceptionCode)
Wine-dbg>s
873                 if (!(rec->ExceptionCode = VIRTUAL_HandleFault( (void *)rec->ExceptionInformation[1] )))
Wine-dbg>s
1125        DWORD ret = EXCEPTION_ACCESS_VIOLATION;

I am using the latest Wine I built from CVS, after first encountering
this problem in the 20050111 and 20050310 Gentoo ebuilds.  I have a
Linux 2.6.11 system with glibc 2.3.4 20040808 (including nptl),
Xorg-x11 6.8.2-rc2 (Trident Cyberblade/i1 "trident_drv.o") @1024x768
16bpp.  Also tried kernels 2.6.9 & 2.6.10 and 800x600 24bpp
mode. Would appreciate any advice on how to proceed.

http://www.winehq.org/hypermail/wine-users/2005/03/0293.html
http://www.winehq.org/hypermail/wine-users/2005/03/0296.html
http://appdb.winehq.org/appview.php?appId=1867

Thanks,
Jesse Z.

More information about the wine-devel mailing list