mmio: Ensure FOURCC string conversions are null-terminated.
Tim Cadogan-Cowper
tccowper at yahoo.com.au
Sun Jul 18 05:08:37 CDT 2010
Three TRACE debug calls in the mmioDescend function of mmio.c attempt
to print FOURCC data, by directly casting it to LPCSTR. This is
dangerous as: (i) FOURCC data types are DWORDs, i.e. four bytes (one for
each char), with no null terminating byte (see
http://msdn.microsoft.com/en-us/library/dd375802%28VS.85%29.aspx); and
(ii) it assumes the byte order on the host architecture is little endian.
Because the LPCSTR casts are not necessarily null-terminated there will
occasionally be buffer overflows in mmio's TRACE debug strings, with a
consequent crash to desktop and debug output beginning with 'wine_dbg_vprintf:
debugstr buffer overflow...' For a consistent and predictable case where this
occurs, see Bug 10280 "Oblivion: Horse Armour Crash"
(http://bugs.winehq.org/show_bug.cgi?id=10280).
This patch fixes the problem (and any crashes caused by it) by using a
new internal function in mmio - mmioFOURCCToString - which converts FOURCC
data to strings that are correctly null-terminated and respect byte order.
I have tested with Oblivion and can confirm it fixes Bug 10280 on my
machine (ubuntu 10.04). Furthermore the patch will ensure that chunk IDs and
fourccTypes are correctly printed in the mmio debug channel (at the moment
they are not).
Tim
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mmio - Ensure FOURCC string conversions are null-terminated.txt
URL: <http://www.winehq.org/pipermail/wine-patches/attachments/20100718/d45e047c/attachment-0001.txt>
More information about the wine-patches
mailing list