[Bug 25362] Return to Castle Wolfenstein 1.0.x crashes (returned GL_EXTENSION > 4096 bytes, truncation code buggy, corrupts stack)

wine-bugs at winehq.org
Sat Jun 18 04:42:43 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=25362

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
             Status|UNCONFIRMED                 |RESOLVED
                URL|                            |http://www.brothersoft.com/
                   |                            |games/return-to-castle-wolf
                   |                            |enstein-single-player-downl
                   |                            |oad.html
                 CC|                            |focht at gmx.net
            Version|unspecified                 |1.3.8
         Resolution|                            |WONTFIX
            Summary|Error running Return to     |Return to Castle
                   |Castle Wolfenstein          |Wolfenstein 1.0.x crashes
                   |                            |(returned GL_EXTENSION >
                   |                            |4096 bytes, truncation code
                   |                            |buggy, corrupts stack)

--- Comment #2 from Anastasius Focht <focht at gmx.net> 2011-06-18 04:42:42 CDT ---
Hello,

confirming:

--- snip ---
...
0021:Ret  window proc 0x444940
(hwnd=0x1007a,msg=WM_COMMAND,wp=03000064,lp=0001008a) retval=00000000
0021:Ret  window proc 0x7569b9e8
(hwnd=0x1008a,msg=EM_REPLACESEL,wp=00000000,lp=019b5820) retval=00000001
0021:Ret  user32.SendMessageA() retval=00000001 ret=00444edc
0021:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5f746e65
ip=5f746e65 tid=0021
0021:trace:seh:raise_exception  info[0]=00000000
0021:trace:seh:raise_exception  info[1]=5f746e65
0021:trace:seh:raise_exception  eax=676f7270 ebx=7b893ff4 ecx=019be808
edx=019bf84a esi=00defc9c edi=019bf8bd
0021:trace:seh:raise_exception  ebp=019bfcc4 esp=019bf840 cs=0073 ds=007b
es=007b fs=0033 gs=003b flags=00010206
0021:trace:seh:call_vectored_handlers calling handler at 0x687ecde9
code=c0000005 flags=0
0021:trace:seh:call_vectored_handlers handler at 0x687ecde9 returned 0
0021:trace:seh:call_stack_handlers calling handler at 0x4c82fc code=c0000005
flags=0
...
Unhandled exception: page fault on read access to 0x5f746e65 in 32-bit code
(0x5f746e65).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:5f746e65 ESP:019bf840 EBP:019bfcc4 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:676f7270 EBX:7b893ff4 ECX:019be808 EDX:019bf84a
 ESI:00defc9c EDI:019bf8bd
Stack dump:
0x019bf840:  676f7270 5f6d6172 000a706f 00000000
0x019bf850:  004edc58 01171940 00000000 004edc68
0x019bf860:  01171140 00000000 004edc94 01171540
0x019bf870:  004ebed0 00501330 00000000 01171159
0x019bf880:  004ebb50 004ebb48 004edc88 004edc7c
0x019bf890:  00447c3b 00000000 00000001 00004000
Backtrace:
=>0 0x5f746e65 (0x019bfcc4)
  1 0x00442246 in wolfspdemo (+0x42245) (0x019bfe60)
  2 0x7b85fa50 call_process_entry+0xb() in kernel32 (0x019bfe78) 
...
0x5f746e65: -- no code accessible --
Modules:
Module    Address            Debug info    Name (74 modules)
PE      400000- 11bc000    Export          wolfspdemo
ELF    20000000-200b8000    Deferred        opengl32<elf>
  \-PE    20020000-200b8000    \               opengl32
ELF    200b8000-200ba000    Deferred        libnvidia-tls.so.260.19.06
ELF    200ba000-21757000    Deferred        libnvidia-glcore.so.260.19.06 
--- snip ---

It's a bug in the game itself.
The RTCW code collects system/graphics card specs and uses a 4096-byte buffer on
the stack for sprintf-like formatting.
Unfortunately, when it comes to OpenGL extensions, the extension string returned
is a bit longer on various systems.

--- snip ---
...
0044762A    68 40111701     PUSH OFFSET 01171140          ; ASCII "GeForce GT 425M/PCI/SSE2"
0044762F    68 68DC4E00     PUSH OFFSET 004EDC68          ; ASCII "GL_RENDERER: %s
"
00447634    6A 00           PUSH 0
00447636    FF15 00211601   CALL DWORD PTR DS:[1162100]   ; sprintf like formatting
0044763C    68 40191701     PUSH OFFSET 01171940          ; ASCII "4.1.0 NVIDIA 260.19.06"
00447641    68 58DC4E00     PUSH OFFSET 004EDC58          ; ASCII "GL_VERSION: %s
"
00447646    6A 00           PUSH 0
00447648    FF15 00211601   CALL DWORD PTR DS:[1162100]   ; sprintf like formatting
0044764E    68 401D1701     PUSH OFFSET 01171D40          ; ASCII "
GL_ARB_blend_func_extended GL_ARB_color_buffer_float GL_ARB_compatibility GL_ARB_copy_buffer GL_ARB_depth_buffer_float GL_ARB_depth_clamp GL_ARB_depth_texture GL_ARB_draw_buffers GL_ARB_draw_buffers_blend GL_ARB_draw_indirect GL_ARB_dra"...
00447653    68 44DC4E00     PUSH OFFSET 004EDC44          ; ASCII "GL_EXTENSIONS: %s
"
00447658    6A 00           PUSH 0
; <goes boom upon return due to stack corruption>
0044765A    FF15 00211601   CALL DWORD PTR DS:[1162100]   ; sprintf like formatting
; not reached
--- snip ---

My OpenGL extensions string is ~5600 bytes.
The game code allocates 4096 bytes on the stack and "truncates" any longer string -
not very elegant.
Unfortunately it calculates the buffer bounds wrong, by 0x10 bytes in excess, and
this leads to an overwrite of the return address while truncating.
It doesn't happen if the OpenGL extension string is < 4096 bytes.

Return address overwritten before return (==> marks ESP):

--- snip ---
$-10       6D617267
$-C        5F4C4720
$-8        665F564E
$-4        6D676172
$ ==>     /5F746E65  ; damaged, should be return address
$+4       |676F7270  ; damaged, should be NULL
$+8       |5F6D6172  ; damaged, should be format string
$+C       |000A706F  ; damaged, should be GL_EXTENSIONS string ptr
$+10      |00000000
$+14      |004EDC58  ; ASCII "GL_VERSION: %s"
$+18      |01171940  ; ASCII "4.1.0 NVIDIA 260.19.06"
$+1C      |00000000
$+20      |004EDC68  ; ASCII "GL_RENDERER: %s"
$+24      |01171140  ; ASCII "GeForce GT 425M/PCI/SSE2"
$+28      |00000000
$+2C      |004EDC94  ; ASCII 0A,"GL_VENDOR:"
$+30      |01171540  ; ASCII "NVIDIA Corporation"
$+34      |004EBED0  ; ASCII "sys_cpustring"
$+38      |00501330
$+3C      |00000000
$+40      |01171159
$+44      |004EBB50  ; ASCII "disabled"
$+48      |004EBB48  ; ASCII "enabled"
$+4C      |004EDC88  ; ASCII "windowed"
$+50      |004EDC7C  ; ASCII "fullscreen"
$+54      |00447C3B  ; RETURN from WolfSPDemo.004475E0 to WolfSPDemo.00447C3B
--- snip ---

Truncating the GL_EXTENSIONS string to be returned to a length < 4096 doesn't make
sense.

Either get a patch for the game (if it exists) or patch the game executable,
which isn't feasible for such an old game.

Demo version: Wolf Demo 1.0.1

$ sha1sum wolf_spdemo.exe
68aa8b7df1bf197fabc4f762d74ca41b3bb2b0b7  wolf_spdemo.exe

$ wine --version
wine-1.3.22-164-g17e6d75

Regards

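As an added illustration (not code from the report or from the game), a C model of the truncation error the comment describes: a 4096-byte info buffer with a 16-byte guard standing in for the stack slots above it, filled with the GL strings quoted above plus a constructed ~5600-byte extension string. The copy routine, the guard and the way the bound is applied are assumptions about the game's logic; only the buffer size, the 0x10-byte excess and the string values come from the report.

```c
#include <string.h>
#define INFO_BUF 4096   /* the game's stack buffer size, per the report */
#define SLACK    0x10   /* the 0x10-byte bounds excess the report describes */
/* Info buffer plus a guard standing in for the stack slots above it (saved
 * registers, return address); one object, so the spill is observable safely. */
typedef struct { char buf[INFO_BUF]; unsigned char guard[SLACK]; } info_record;

/* Modelled (hypothetical) copy-and-truncate: appends s at raw[used] and never
 * writes past raw[limit-1], which holds the NUL. Correct only if limit == INFO_BUF. */
static size_t put_bytes(unsigned char *raw, size_t used, size_t limit, const char *s) {
    for (; *s && used + 1 < limit; s++) raw[used++] = (unsigned char)*s;
    raw[used] = 0;
    return used;
}

/* Constructed extension string of ~5600 bytes, about the reporter's length. */
static const char *constructed_extensions(void) {
    static char ext[5601];   /* static storage is zero-filled: NUL-terminated */
    for (size_t u = 0; u + 23 < sizeof ext; u += 23)
        memcpy(ext + u, "GL_ARB_constructed_ext ", 23);
    return ext;
}

/* Info block in the disassembly's order as "label: value\n" lines truncated at
 * limit; values are those quoted in the report. Returns bytes before the NUL. */
static size_t build_info(info_record *r, size_t limit) {
    const char *kv[] = {"GL_VENDOR", "NVIDIA Corporation", "GL_RENDERER",
        "GeForce GT 425M/PCI/SSE2", "GL_VERSION", "4.1.0 NVIDIA 260.19.06",
        "GL_EXTENSIONS", constructed_extensions()};
    unsigned char *raw = (unsigned char *)r;
    size_t used = 0;
    memset(r->buf, 0, sizeof r->buf);
    memset(r->guard, 0xAA, sizeof r->guard);
    for (int i = 0; i < 8; i += 2) {
        used = put_bytes(raw, used, limit, kv[i]);
        used = put_bytes(raw, used, limit, ": ");
        used = put_bytes(raw, used, limit, kv[i + 1]);
        used = put_bytes(raw, used, limit, "\n");
    }
    return used;
}

/* Guard bytes no longer 0xAA after a build with the given limit: 0 means the
 * truncation stayed inside buf; SLACK means the whole region above it was hit. */
static size_t guard_damage_after_build(size_t limit) {
    info_record r; size_t damage = 0;
    build_info(&r, limit);
    for (size_t i = 0; i < sizeof r.guard; i++) damage += (r.guard[i] != 0xAA);
    return damage;
}
```

With the correct bound the guard stays intact and buf[4095] holds the NUL; with the excess bound all 16 bytes above the buffer, the slots that held the return address in the stack dump above, are overwritten.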