[Bug 25362] Return to Castle Wolfenstein 1.0.x crashes (returned GL_EXTENSION > 4096 bytes, truncation code buggy, corrupts stack)
wine-bugs at winehq.org
Sat Jun 18 04:42:43 CDT 2011
http://bugs.winehq.org/show_bug.cgi?id=25362
Anastasius Focht <focht at gmx.net> changed:
What       | Removed                                     | Added
-----------|---------------------------------------------|-------------------------------------------------------------
Keywords   |                                             | download
Status     | UNCONFIRMED                                 | RESOLVED
URL        |                                             | http://www.brothersoft.com/games/return-to-castle-wolfenstein-single-player-download.html
CC         |                                             | focht at gmx.net
Version    | unspecified                                 | 1.3.8
Resolution |                                             | WONTFIX
Summary    | Error running Return to Castle Wolfenstein  | Return to Castle Wolfenstein 1.0.x crashes (returned GL_EXTENSION > 4096 bytes, truncation code buggy, corrupts stack)
--- Comment #2 from Anastasius Focht <focht at gmx.net> 2011-06-18 04:42:42 CDT ---
Hello,
confirming:
--- snip ---
...
0021:Ret window proc 0x444940
(hwnd=0x1007a,msg=WM_COMMAND,wp=03000064,lp=0001008a) retval=00000000
0021:Ret window proc 0x7569b9e8
(hwnd=0x1008a,msg=EM_REPLACESEL,wp=00000000,lp=019b5820) retval=00000001
0021:Ret user32.SendMessageA() retval=00000001 ret=00444edc
0021:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5f746e65
ip=5f746e65 tid=0021
0021:trace:seh:raise_exception info[0]=00000000
0021:trace:seh:raise_exception info[1]=5f746e65
0021:trace:seh:raise_exception eax=676f7270 ebx=7b893ff4 ecx=019be808
edx=019bf84a esi=00defc9c edi=019bf8bd
0021:trace:seh:raise_exception ebp=019bfcc4 esp=019bf840 cs=0073 ds=007b
es=007b fs=0033 gs=003b flags=00010206
0021:trace:seh:call_vectored_handlers calling handler at 0x687ecde9
code=c0000005 flags=0
0021:trace:seh:call_vectored_handlers handler at 0x687ecde9 returned 0
0021:trace:seh:call_stack_handlers calling handler at 0x4c82fc code=c0000005
flags=0
...
Unhandled exception: page fault on read access to 0x5f746e65 in 32-bit code
(0x5f746e65).
Register dump:
CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
EIP:5f746e65 ESP:019bf840 EBP:019bfcc4 EFLAGS:00010206( R- -- I - -P- )
EAX:676f7270 EBX:7b893ff4 ECX:019be808 EDX:019bf84a
ESI:00defc9c EDI:019bf8bd
Stack dump:
0x019bf840: 676f7270 5f6d6172 000a706f 00000000
0x019bf850: 004edc58 01171940 00000000 004edc68
0x019bf860: 01171140 00000000 004edc94 01171540
0x019bf870: 004ebed0 00501330 00000000 01171159
0x019bf880: 004ebb50 004ebb48 004edc88 004edc7c
0x019bf890: 00447c3b 00000000 00000001 00004000
Backtrace:
=>0 0x5f746e65 (0x019bfcc4)
1 0x00442246 in wolfspdemo (+0x42245) (0x019bfe60)
2 0x7b85fa50 call_process_entry+0xb() in kernel32 (0x019bfe78)
...
0x5f746e65: -- no code accessible --
Modules:
Module Address Debug info Name (74 modules)
PE 400000- 11bc000 Export wolfspdemo
ELF 20000000-200b8000 Deferred opengl32<elf>
\-PE 20020000-200b8000 \ opengl32
ELF 200b8000-200ba000 Deferred libnvidia-tls.so.260.19.06
ELF 200ba000-21757000 Deferred libnvidia-glcore.so.260.19.06
--- snip ---
It's a bug in the game itself.
The RTCW code collects system/graphics card specs and uses a 4096-byte buffer on
the stack for sprintf-like formatting.
Unfortunately when it comes to OpenGL extensions, the extension string returned
is a bit longer on various systems.
--- snip ---
...
0044762A 68 40111701 PUSH OFFSET 01171140 ; ASCII "GeForce GT
425M/PCI/SSE2"
0044762F 68 68DC4E00 PUSH OFFSET 004EDC68 ; ASCII "GL_RENDERER:
%s
"
00447634 6A 00 PUSH 0
00447636 FF15 00211601 CALL DWORD PTR DS:[1162100] ; sprintf-like formatting
0044763C 68 40191701 PUSH OFFSET 01171940 ; ASCII "4.1.0 NVIDIA
260.19.06"
00447641 68 58DC4E00 PUSH OFFSET 004EDC58 ; ASCII "GL_VERSION:
%s
"
00447646 6A 00 PUSH 0
00447648 FF15 00211601 CALL DWORD PTR DS:[1162100] ; sprintf-like formatting
0044764E 68 401D1701 PUSH OFFSET 01171D40 ; ASCII "
GL_ARB_blend_func_extended GL_ARB_color_buffer_float GL_ARB_compatibility
GL_ARB_copy_buffer GL_ARB_depth_buffer_float GL_ARB_depth_clamp
GL_ARB_depth_texture GL_ARB_draw_buffers GL_ARB_draw_buffers_blend
GL_ARB_draw_indirect GL_ARB_dra"...
00447653 68 44DC4E00 PUSH OFFSET 004EDC44 ; ASCII
"GL_EXTENSIONS: %s
"
00447658 6A 00 PUSH 0
; <goes boom upon return due to stack corruption>
0044765A FF15 00211601 CALL DWORD PTR DS:[1162100] ; sprintf-like formatting
; not reached
--- snip ---
My OpenGL extensions string is ~5600 bytes.
The game code allocates 4096 bytes on the stack and "truncates" any longer string -
not very elegant.
Unfortunately it calculates the buffer bounds wrong by 0x10 bytes excess, and
this leads to overwriting the return address while truncating.
It doesn't happen if the OpenGL extension string is < 4096 bytes.
Return address overwritten before return: ==> indicates ESP:
--- snip ---
$-10 6D617267
$-C 5F4C4720
$-8 665F564E
$-4 6D676172
$ ==> /5F746E65 ; damaged, should be return address
$+4 |676F7270 ; damaged, should be NULL
$+8 |5F6D6172 ; damaged, should be format string
$+C |000A706F ; damaged, should be GL_EXTENSIONS string ptr
$+10 |00000000
$+14 |004EDC58 ; ASCII "GL_VERSION: %s"
$+18 |01171940 ; ASCII "4.1.0 NVIDIA 260.19.06"
$+1C |00000000
$+20 |004EDC68 ; ASCII "GL_RENDERER: %s"
$+24 |01171140 ; ASCII "GeForce GT 425M/PCI/SSE2"
$+28 |00000000
$+2C |004EDC94 ; ASCII 0A,"GL_VENDOR:"
$+30 |01171540 ; ASCII "NVIDIA Corporation"
$+34 |004EBED0 ; ASCII "sys_cpustring"
$+38 |00501330
$+3C |00000000
$+40 |01171159
$+44 |004EBB50 ; ASCII "disabled"
$+48 |004EBB48 ; ASCII "enabled"
$+4C |004EDC88 ; ASCII "windowed"
$+50 |004EDC7C ; ASCII "fullscreen"
$+54 |00447C3B ; RETURN from WolfSPDemo.004475E0 to WolfSPDemo.00447C3B
--- snip ---
Truncating the GL_EXTENSIONS string to be returned to a length < 4096 doesn't make
sense.
Either get a patch for the game (if it exists) or patch the game executable,
which isn't feasible for such an old game.
Demo version: Wolf Demo 1.0.1
$ sha1sum wolf_spdemo.exe
wine --68aa8b7df1bf197fabc4f762d74ca41b3bb2b0b7 wolf_spdemo.exe
$ wine --version
wine-1.3.22-164-g17e6d75
Regards
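The defect described in the comment above is a truncation routine whose bound is off by 0x10 bytes, so a GL_EXTENSIONS string longer than the 4096-byte stack buffer overwrites the return address. The following is an added example, not code from the game or from Wine, showing how the same four "label: value" lines can be formatted into a fixed 4096-byte buffer with snprintf so that an oversized extension string is truncated cleanly and the overflow is detected rather than silently corrupting the stack. The function names (append_line, build_gl_info, make_extensions, run_demo) are hypothetical; the vendor, renderer and version strings are sample values taken from the report, and the extension list is constructed.

```c
/* Added example (not code from the game or from Wine): bounded formatting of
 * GL info lines into a fixed-size buffer, with truncation detection.
 * All function names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INFO_BUF_SIZE 4096   /* same buffer size the report says the game uses */
#define GUARD_SIZE    16     /* canary bytes placed after the buffer in run_demo */

/* Append "label: value\n" at buf+*used without ever writing past cap bytes.
 * Returns 1 if the whole line fit, 0 if snprintf had to truncate it. */
static int append_line(char *buf, size_t cap, size_t *used,
                       const char *label, const char *value)
{
    if (*used >= cap)
        return 0;
    int n = snprintf(buf + *used, cap - *used, "%s: %s\n", label, value);
    if (n < 0)
        return 0;
    if ((size_t)n >= cap - *used) {   /* did not fit: buffer is now full and NUL-terminated */
        *used = cap - 1;
        return 0;
    }
    *used += (size_t)n;
    return 1;
}

/* Format the four GL lines the report shows. Returns 1 if everything fit,
 * 0 if any line was truncated; *out_len receives strlen(buf). */
int build_gl_info(char *buf, size_t cap, const char *vendor, const char *renderer,
                  const char *version, const char *extensions, size_t *out_len)
{
    size_t used = 0;
    int ok = 1;
    if (cap == 0)
        return 0;
    buf[0] = '\0';
    ok &= append_line(buf, cap, &used, "GL_VENDOR", vendor);
    ok &= append_line(buf, cap, &used, "GL_RENDERER", renderer);
    ok &= append_line(buf, cap, &used, "GL_VERSION", version);
    ok &= append_line(buf, cap, &used, "GL_EXTENSIONS", extensions);
    *out_len = used;
    return ok;
}

/* Constructed stand-in for glGetString(GL_EXTENSIONS): a space-separated list
 * of fake extension names at least target_len bytes long. Caller frees. */
char *make_extensions(size_t target_len)
{
    char *s = malloc(target_len + 32);
    size_t len = 0, i = 0;
    if (!s)
        return NULL;
    s[0] = '\0';
    while (len < target_len)          /* each token is 16 bytes while i < 10000 */
        len += (size_t)snprintf(s + len, 32, "GL_ARB_ext_%04zu ", i++);
    return s;
}

/* Format an ext_len-byte extension string into a cap-byte buffer that is
 * followed by GUARD_SIZE canary bytes. Returns 1 if everything fit, 0 if it
 * was cleanly truncated, -1 if the canary was damaged (write past the buffer). */
int run_demo(size_t ext_len, size_t cap, size_t *out_len)
{
    char *region = malloc(cap + GUARD_SIZE);
    char *ext = make_extensions(ext_len);
    int fit, result = -1;
    if (region && ext) {
        memset(region + cap, 0xAA, GUARD_SIZE);
        /* sample values from the bug report */
        fit = build_gl_info(region, cap, "NVIDIA Corporation",
                            "GeForce GT 425M/PCI/SSE2", "4.1.0 NVIDIA 260.19.06",
                            ext, out_len);
        result = fit ? 1 : 0;
        for (size_t i = 0; i < GUARD_SIZE; i++)
            if ((unsigned char)region[cap + i] != 0xAA)
                result = -1;          /* formatter wrote outside its buffer */
    }
    free(region);
    free(ext);
    return result;
}

int main(void)
{
    size_t len = 0;
    /* ~5600 bytes, the size of the reporter's extension string */
    int r = run_demo(5600, INFO_BUF_SIZE, &len);
    printf("result=%d (1=fit, 0=truncated, -1=overflow) length=%zu\n", r, len);
    return r < 0;
}
```

With a 5600-byte extension string the formatter reports a truncation and the buffer ends at byte 4095 with the guard bytes intact; a short extension string fits completely. The point of returning the truncation status is that a caller can log or reject the situation instead of relying on a hand-computed bound like the one the report shows failing.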