[Bug 37907] The Incredible Adventures of Van Helsing (64-bit, Steam) crashes on startup (loading of frames from .ani cursors causes heap corruption)

wine-bugs at winehq.org
Fri Jan 16 14:08:14 CST 2015


https://bugs.winehq.org/show_bug.cgi?id=37907

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
          Component|-unknown                    |user32
            Summary|The Incredible Adventures   |The Incredible Adventures
                   |of Van Helsing (64-bit,     |of Van Helsing (64-bit,
                   |Steam) crashes on startup   |Steam) crashes on startup
                   |                            |(loading of frames from
                   |                            |.ani cursors causes heap
                   |                            |corruption)
     Ever confirmed|0                           |1

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

The game suffers from a nasty heap corruption which later manifests in crashes
in unrelated areas/APIs.

Unfortunately debugging hides the crash. The game is multi-threaded and any
change of timing due to stepping/break-ins results in different heap usage from
multiple threads, preventing the combination where the block corruption hits
DCE lists.

(registry settings for relay exclude removed to show internal calls before the
crash)

--- snip ---
...
0023:trace:d3d:wined3d_init Initializing adapters.
0023:trace:d3d:wined3d_adapter_init adapter 0xadc30, ordinal 0.
0023:Call user32.GetDC(00000000) ret=7f076d69983c
0023:trace:win:GetDCEx hwnd 0x10020, hrgnClip (nil), flags 00000003
0023:Call ntdll.RtlEnterCriticalSection(7f076cfa8040) ret=7f076cd08298
0023:Ret  ntdll.RtlEnterCriticalSection() retval=00000000 ret=7f076cd08298
0023:Call ntdll.RtlLeaveCriticalSection(7f076cfa8040) ret=7f076cd082ae
0023:Ret  ntdll.RtlLeaveCriticalSection() retval=00000000 ret=7f076cd082ae
0023:Call ntdll.RtlEnterCriticalSection(7f076cfa8040) ret=7f076cd08298
0023:Ret  ntdll.RtlEnterCriticalSection() retval=00000000 ret=7f076cd08298
0023:Call ntdll.RtlLeaveCriticalSection(7f076cfa8040) ret=7f076cd082ae
0023:Ret  ntdll.RtlLeaveCriticalSection() retval=00000000 ret=7f076cd082ae
0023:Call ntdll.RtlEnterCriticalSection(7f076cfa8040) ret=7f076cd08298
0023:Ret  ntdll.RtlEnterCriticalSection() retval=00000000 ret=7f076cd08298
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7f076ccea1fc
ip=7f076ccea1fc tid=0023
0023:trace:seh:raise_exception  rax=0001004000000000 rbx=000000000023f7b0
rcx=00007f0774652a9b rdx=0001004000000000
0023:trace:seh:raise_exception  rsi=00007f0774652a94 rdi=00007f0774652a50
rbp=000000000023d160 rsp=000000000023d010
0023:trace:seh:raise_exception   r8=0000003071e48cfd  r9=0000000000000021
r10=0000000000000000 r11=0000003071f811c0
0023:trace:seh:raise_exception  r12=0000000000000008 r13=000000000023f7b0
r14=0000000000000320 r15=0000000000000000 
--- snip ---

Corruption in DCE list causes the crash.

Debugger session:

--- snip ---
...
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
>00000022 4        'VanHelsing_x64.exe'
 00000020 2        'explorer.exe'
 0000000e 6        'services.exe'
 00000019 3        \_ 'plugplay.exe'
 00000012 4        \_ 'winedevice.exe'

Wine-dbg>info threads
process  tid      prio (all id:s are in hex)
...
00000020 explorer.exe
    00000024    0
    00000021    0
00000022 (D) C:\The Incredible Adventures of Van Helsing\VanHelsing_x64.exe
    00000027    0
    00000026    0
    00000025    0
    00000023    1 <==

...

Wine-dbg>bt
Backtrace:
=>0 0x00007ff9da7e4d3a map_fileW+0xf6(name="C:\The Incredible Adventures of Van
Helsing\UI\Cursors\magic.ani", filesize=0x23f320)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:314] in
user32 (0x000000000023f2c0)
  1 0x00007ff9da7e7d48 CURSORICON_LoadFromFile+0x9a(filename="C:\The Incredible
Adventures of Van Helsing\UI\Cursors\magic.ani", width=0x20, height=0x20,
depth=0x20, fCursor=0x1, loadflags=0x50)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:1351] in
user32 (0x000000000023f360)
  2 0x00007ff9da7e8063 CURSORICON_Load+0x113(hInstance=0x140000000,
name="C:\The Incredible Adventures of Van Helsing\UI\Cursors\magic.ani",
width=0x20, height=0x20, depth=0x20, fCursor=0x1, loadflags=0x50)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:1413] in
user32 (0x000000000023f440)
  3 0x00007ff9da7eca1e LoadImageW+0x1b2(hinst=0x140000000, name="C:\The
Incredible Adventures of Van Helsing\UI\Cursors\magic.ani", type=0x2,
desiredx=0x20, desiredy=0x20, loadflags=0x50)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:2669] in
user32 (0x000000000023f540)
  4 0x00000001405a342b in vanhelsing_x64 (+0x5a342a) (0x000000000023f650)
  5 0x00000001405a3835 in vanhelsing_x64 (+0x5a3834) (0x000000000023f7d0)
  6 0x0000000140602f6b in vanhelsing_x64 (+0x602f6a) (0x000000000023f7d0)
  7 0x00000001409a8a64 in vanhelsing_x64 (+0x9a8a63) (0x000000000023fd20)

...

Wine-dbg>n
CURSORICON_LoadFromFile () at
/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:1352
1352        if (!bits)

Wine-dbg>n
1356        if (memcmp( bits, "RIFF", 4 ) == 0)

Wine-dbg>p bits
"RIFFóΓ"

Wine-dbg>n
1358            hIcon = CURSORICON_CreateIconFromANI( bits, filesize, width,
height, depth, !fCursor, loadflags );

Wine-dbg>s
CURSORICON_CreateIconFromANI () at
/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:1095
1095    {

Wine-dbg>p header
{header_size=0x24, num_frames=0xf, num_steps=0xf, width=0x40, height=0x40,
bpp=0x20, num_planes=0x1, display_rate=0x5, flags=0x1}

...

Wine-dbg>n
1168        frames = HeapAlloc( GetProcessHeap(), 0,
sizeof(DWORD)*header.num_frames );

; 0x3C (0xF*4) -> [3C6C0..3C6FC]

Wine-dbg>x/100x frames
0x000000000003c6c0:  00010170 00000000 00010150 00000000
0x000000000003c6d0:  00000000 00000000 3f800000 00000000
0x000000000003c6e0:  00000000 00000001 7fffffff 7fffffff
0x000000000003c6f0:  80000000 80000000 7c8cbfc8 00000000
0x000000000003c700:  0003c6b8 00000000 00002018 08455355   ; HEAP magic
0x000000000003c710:  00000020 00000000 00000020 00000000
0x000000000003c720:  00000000 00000000 00000000 00000000
...

Wine-dbg>n
1185        for (i=0; i<header.num_frames; i++)

<end of loop>
...
Wine-dbg>x/100x frames
0x000000000003c6c0:  00020056 00000000 0002005a 00000000
0x000000000003c6d0:  00020058 00000000 00020064 00000000
0x000000000003c6e0:  00020062 00000000 00020060 00000000
0x000000000003c6f0:  0002005e 00000000 0002005c 00000000
0x000000000003c700:  00030046 00000000 00020094 00000000
0x000000000003c710:  00020092 00000000 00020090 00000000
0x000000000003c720:  0002008e 00000000 00000000 00000000
0x000000000003c730:  00000000 00000000 00000000 00000000
...
--- snip ---

Source:
http://source.winehq.org/git/wine.git/blob/762aef661318cb643ce393af40267f2d84f026c3:/dlls/user32/cursoricon.c#l1093

--- snip ---
1093 static HCURSOR CURSORICON_CreateIconFromANI( const BYTE *bits, DWORD
bits_size, INT width, INT height,
1094                             INT depth, BOOL is_icon, UINT loadflags )
1095 {
1096     struct animated_cursoricon_object *ani_icon_data;
1097     struct cursoricon_object *info;
1098     DWORD *frame_rates = NULL;
1099     DWORD *frame_seq = NULL;
1100     ani_header header = {0};
1101     BOOL use_seq = FALSE;
1102     HCURSOR cursor = 0;
1103     UINT i;
1104     BOOL error = FALSE;
1105     HICON *frames;
...
1168     frames = HeapAlloc( GetProcessHeap(), 0,
sizeof(DWORD)*header.num_frames );
1169     if (!frames)
1170     {
1171         free_icon_handle( cursor );
1172         return 0;
1173     }
--- snip ---

HICON = HANDLE = 64-bit on 64-bit, but the array is allocated with a hard-coded
32-bit element size instead of using 'sizeof(HICON)'.

With that part fixed the crash is gone and the game runs into the next bugs (same
as the 32-bit version) - already reported.

--- snip ---
...
fixme:d3dx:ID3DXFontImpl_DrawTextA iface 0xd1d30, sprite (nil), string
"Measuring Hardware Performance", count 30, rect (300,295)-(800,600), format 0,
color 0xffffffff stub!
fixme:d3dcompiler:compile_shader Compilation target "fx_2_0" not yet supported
fixme:d3dx:d3dx9_effect_init Failed to parse effect, hr 0x8876086c.
wine: Unhandled page fault on read access to 0x00000000 at address 0x1404845d2
(thread 0023), starting debugger...
...
--- snip ---

$ wine --version
wine-1.7.34-60-gd6450cf

Regards
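The element-size mistake described in the comment above, reproduced as an added C example. This is not Wine code and not part of the bug report; it assumes an LP64 host (pointer = 8 bytes, so HICON has the same size as a 64-bit Windows HANDLE), uses synthetic handle values, and carves the 'frames' array out of a larger buffer whose trailing guard bytes stand in for the next heap block's header that the real bug clobbers. The function and variable names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the Win32 types involved.  Assumption: LP64 host, so a
 * pointer (and therefore HANDLE/HICON) is 8 bytes, as on 64-bit Windows;
 * DWORD is 4 bytes on every Windows target. */
typedef uint32_t DWORD;
typedef void    *HANDLE;
typedef HANDLE   HICON;

/* Bytes requested by the buggy line: sizeof(DWORD) * num_frames. */
size_t buggy_frames_size(DWORD num_frames)
{
    return sizeof(DWORD) * num_frames;
}

/* Bytes an array of num_frames HICON values actually needs. */
size_t correct_frames_size(DWORD num_frames)
{
    return sizeof(HICON) * num_frames;
}

/* Bytes a loop storing one HICON per frame writes past the undersized block.
 * Zero on 32-bit, where DWORD and HICON are both 4 bytes wide. */
size_t frames_overrun_bytes(DWORD num_frames)
{
    size_t need = correct_frames_size(num_frames);
    size_t got  = buggy_frames_size(num_frames);
    return need > got ? need - got : 0;
}

/* Run the frame loop against a block of alloc_size bytes that is followed by
 * a guard region (standing in for the neighbouring heap block) and report
 * how many guard bytes the loop modified. (size_t)-1 on allocation failure. */
static size_t run_frame_loop(DWORD num_frames, size_t alloc_size)
{
    const unsigned char guard = 0xEE;
    size_t guard_size = correct_frames_size(num_frames); /* always enough */
    unsigned char *buf = malloc(alloc_size + guard_size);
    if (!buf) return (size_t)-1;
    memset(buf, 0, alloc_size);
    memset(buf + alloc_size, guard, guard_size);

    /* Same shape as the loop in CURSORICON_CreateIconFromANI: the block is
     * used as HICON[] no matter how many bytes were allocated for it.
     * Handle values are constructed for the example only. */
    HICON *frames = (HICON *)buf;
    for (DWORD i = 0; i < num_frames; i++)
        frames[i] = (HICON)(uintptr_t)(0x20056 + 2 * i);

    size_t clobbered = 0;
    for (size_t i = 0; i < guard_size; i++)
        if (buf[alloc_size + i] != guard) clobbered++;
    free(buf);
    return clobbered;
}

/* Guard bytes clobbered with the sizeof(DWORD) allocation (the bug). */
size_t overrun_with_buggy_alloc(DWORD num_frames)
{
    return run_frame_loop(num_frames, buggy_frames_size(num_frames));
}

/* Guard bytes clobbered with the sizeof(HICON) allocation (the fix). */
size_t overrun_with_correct_alloc(DWORD num_frames)
{
    return run_frame_loop(num_frames, correct_frames_size(num_frames));
}

int main(void)
{
    DWORD num_frames = 0xf; /* header.num_frames seen in the debugger session */
    printf("requested %zu bytes, needed %zu bytes, overrun %zu bytes\n",
           buggy_frames_size(num_frames), correct_frames_size(num_frames),
           frames_overrun_bytes(num_frames));
    printf("guard bytes clobbered: buggy alloc %zu, fixed alloc %zu\n",
           overrun_with_buggy_alloc(num_frames),
           overrun_with_correct_alloc(num_frames));
    return 0;
}
```

With the 15-frame header from the debugger session, the buggy request is 60 bytes while the loop stores 120 bytes of handles, so the last 60 bytes land in whatever the heap placed after the block; that matches the second memory dump above, where eight-byte handles run straight through the following block's header. Because sizeof(DWORD) equals sizeof(HICON) on 32-bit, the same allocation is exactly the right size there, which is why only the 64-bit build corrupts the heap at this point.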
