[Bug 9731] New: GdiConvertToDevmodeW trying to copy -32 bytes on memcpy

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Sep 21 14:56:29 CDT 2007 

http://bugs.winehq.org/show_bug.cgi?id=9731

           Summary: GdiConvertToDevmodeW trying to copy -32 bytes on memcpy
           Product: Wine
           Version: 0.9.45.
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: wine-gdi-(printing)
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: myxfce at gmail.com


Created an attachment (id=8168)
 --> (http://bugs.winehq.org/attachment.cgi?id=8168)
Crash report

I'm having problems running an old Win 3.11 game named Mortuum. Wine crashes
before the game start. After some debugging, I noticed the crash happens in
file gdi32/driver.c on function DEVMODEW * WINAPI GdiConvertToDevmodeW(const
DEVMODEA *dmA).

This function tries to memcpy bytes from the structer dmA to the structure dmW
(that was allocated by a HeapAlloc()). Unfortunately, it tries to copy -32
bytes because dmA->dmSize is 0 bytes and CCHDEVICENAME is 32 bytes. I've
attached a small piece of code that shows where the memcpy is done around line
425 on that file.

...
    dmW = HeapAlloc(GetProcessHeap(), 0, dmW_size + dmA->dmDriverExtra);
    if (!dmW) return NULL;

    MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmDeviceName,
CCHDEVICENAME,dmW->dmDeviceName, CCHDEVICENAME);

//===============================CRASH=========================
    /* copy slightly more, to avoid long computations */
    memcpy(&dmW->dmSpecVersion, &dmA->dmSpecVersion, dmA->dmSize -
CCHDEVICENAME);
//===============================CRASH=========================

    if (dmA->dmSize >= (const char *)dmA->dmFormName - (const char *)dmA +
CCHFORMNAME)
    {
        MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmFormName,
CCHFORMNAME,
                                       dmW->dmFormName, CCHFORMNAME);
        if (dmA->dmSize > (const char *)&dmA->dmLogPixels - (const char *)dmA)
            memcpy(&dmW->dmLogPixels, &dmA->dmLogPixels, dmA->dmSize - ((const
char *)&dmA->dmLogPixels - (const char *)dmA));
    }
...

I tried to debug more to look for the root of the problem (why dmA->dmSize is
0) but there were too many calls and I couldn't figure out where the dmA
structure was allocated and popullated.

I've attached the crash report and if you need the game to test, just ask, it's
freeware. Tested on 0.9.44 and 0.9.45.


-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list