[Bug 45034] Hired Team: Trial Gold(2001) crashes with setup_exception_record stack overflow ( GL_EXTENSION string overflow)
wine-bugs at winehq.org
Sat Apr 21 04:21:54 CDT 2018
https://bugs.winehq.org/show_bug.cgi?id=45034
Anastasius Focht <focht at gmx.net> changed:
What       |Removed                                   |Added
-----------------------------------------------------------------------------
Resolution |---                                       |DUPLICATE
CC         |                                          |focht at gmx.net
Summary    |Hired Team: Trial Gold(2001) crashes with |Hired Team: Trial Gold(2001) crashes with
           |setup_exception_record stack overflow     |setup_exception_record stack overflow
           |                                          |(GL_EXTENSION string overflow)
Status     |UNCONFIRMED                               |RESOLVED
--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
dupe of bug 25362
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/NMG/HTT/Bin
$ WINEDEBUG=+seh,+relay wine ./Shine.exe >>log.txt 2>&1
...
0039:Call opengl32.glGetString(00001f03) ret=2005f303
0039:Ret opengl32.glGetString() retval=00176048 ret=2005f303
0039:Call msvcrt.vsprintf(0032de54,20086ad4 "GL_EXTENSIONS:\n",0032e664) ret=1013f442
0039:Ret msvcrt.vsprintf() retval=0000000f ret=1013f442
0039:Call msvcrt.vsprintf(0032cd44,0032de54 "GL_EXTENSIONS:\n",0032dd50) ret=101251a7
0039:Ret msvcrt.vsprintf() retval=0000000f ret=101251a7
...
0039:Call msvcrt.strtok(0032e670 "GL_ARB_multisample GL_EXT_abgr GL_EXT_bgra GL_EXT_blend_color GL_EXT_blend_minmax GL_EXT_blend_subtract GL_EXT_copy_texture GL_EXT_polygon_offset GL_EXT_subtexture GL_EXT_texture_object GL_EXT_vertex_array GL_EXT_compiled_vertex_array GL_EXT_texture GL_EXT_texture3D GL_IBM_rasterpos_clip GL_ARB_point"...,2007f430 " ") ret=2005f35b
0039:Ret msvcrt.strtok() retval=0032e670 ret=2005f35b
0039:Call msvcrt.vsprintf(0032de50,20086acc " %s\n",0032e660) ret=1013f442
0039:Ret msvcrt.vsprintf() retval=00000015 ret=1013f442
0039:Call msvcrt.vsprintf(0032cd40,0032de50 " GL_ARB_multisample\n",0032dd4c) ret=101251a7
0039:Ret msvcrt.vsprintf() retval=00000015 ret=101251a7
...
0039:Call msvcrt.vsprintf(0032d944,0032de54 "\n",0032dd50) ret=1013c33e
0039:Ret msvcrt.vsprintf() retval=00000001 ret=1013c33e
0039:Call msvcrt.strchr(0032d944 "\n",0000000a) ret=1013c374
0039:Ret msvcrt.strchr() retval=0032d944 ret=1013c374
0039:Call msvcrt.strncpy(00c18000,00c13c00 "",000001ff) ret=1013c3e8
0039:Ret msvcrt.strncpy() retval=00c18000 ret=1013c3e8
0039:Call msvcrt.strncat(00c18000 "",0032d944 "\n",00000000) ret=1013c426
0039:Ret msvcrt.strncat() retval=00c18000 ret=1013c426
0039:Call msvcrt.vsprintf(0032d524,00c18000 "",0032d930) ret=1013c232
0039:Ret msvcrt.vsprintf() retval=00000000 ret=1013c232
0039:Call msvcrt.strncpy(00be8000,0032d524 "",000001ff) ret=1013c2dd
0039:Ret msvcrt.strncpy() retval=00be8000 ret=1013c2dd
0039:Call msvcrt._ftol() ret=1013c2eb
0039:Ret msvcrt._ftol() retval=0000000000000000 ret=1013c2eb
0039:Call msvcrt._ftol() ret=10127605
0039:Ret msvcrt._ftol() retval=00000000000347c3 ret=10127605
0039:Call msvcrt.strchr(0032d944 "",0000000a) ret=1013c374
0039:Ret msvcrt.strchr() retval=00000000 ret=1013c374
0039:Call msvcrt.strncat(00c13c00 "",0032d944 "",000001ff) ret=1013c49e
0039:Ret msvcrt.strncat() retval=00c13c00 ret=1013c49e
0039:trace:seh:raise_exception code=c0000005 flags=0 addr=0x2005f39f ip=2005f39f tid=0039
0039:trace:seh:raise_exception info[0]=00000000
0039:trace:seh:raise_exception info[1]=61703042
0039:trace:seh:raise_exception eax=00000000 ebx=0133a000 ecx=0032f7a0 edx=61703032 esi=20086ac0 edi=0032fe2b
0039:trace:seh:raise_exception ebp=0032f7ac esp=0032e664 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210212
0039:trace:seh:call_stack_handlers calling handler at 0x616c5f67 code=c0000005 flags=0
0039:trace:seh:raise_exception code=c0000005 flags=0 addr=0x616c5f67 ip=616c5f67 tid=0039
0039:trace:seh:raise_exception info[0]=00000000
0039:trace:seh:raise_exception info[1]=616c5f67
0039:trace:seh:raise_exception eax=0032e1fc ebx=00000023 ecx=616c5f67 edx=7bc91675 esi=0000002b edi=0000002b
0039:trace:seh:raise_exception ebp=0032e1a8 esp=0032e17c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210216
0039:trace:seh:call_stack_handlers calling handler at 0x7bc91675 code=c0000005 flags=0
0039:trace:seh:call_stack_handlers handler at 0x7bc91675 returned 2
0039:trace:seh:call_stack_handlers calling handler at 0x616c5f67 code=c0000005 flags=10
...
0039:trace:seh:call_stack_handlers calling handler at 0x616c5f67 code=c00000fd flags=10
0039:err:seh:setup_exception_record stack overflow 1408 bytes in thread 0039 eip f7c635fd esp 00230db0 stack 0x230000-0x231000-0x330000
--- snip ---
Broken code in 'RendOGL.dll' for proof:
Executable modules:
Base = 20000000
Size = 00477000 (4681728.)
Entry = 2006E0DD
Name = RendOGL
Type =
File version =
Static links = GDI32, ijl15, KERNEL32, MSVCRT, png, Sipl, USER32, WINMM, zlib
Path = C:\Program Files (x86)\NMG\HTT\Bin\RendOGL.dll
--- snip ---
2005EFF0 PUSH EBP
2005EFF1 MOV EBP,ESP
2005EFF3 PUSH -1
2005EFF5 PUSH 2006F450
2005EFFA MOV EAX,DWORD PTR FS:[0]
2005F000 PUSH EAX
2005F001 MOV DWORD PTR FS:[0],ESP
2005F008 PUSH ECX
2005F009 MOV EAX,112C
2005F00E CALL 2006DE80 ; allocate 0x112C on stack
...
2005F2F5 ADD ESP,10
2005F2F8 PUSH 1F03 ; enum GL_EXTENSIONS
2005F2FD CALL DWORD PTR DS:[203992B4] ; opengl32.glGetString()
2005F303 MOV DWORD PTR DS:[EBX+4444],EAX ; result buffer
2005F309 MOV EAX,DWORD PTR DS:[2041D0B4]
2005F30E PUSH OFFSET 20086AD4 ; ASCII "GL_EXTENSIONS:"
2005F313 PUSH 4
2005F315 MOV ECX,DWORD PTR DS:[EAX]
2005F317 PUSH EAX
2005F318 CALL DWORD PTR DS:[ECX+3C] ; log string/message
2005F31B MOV EDI,DWORD PTR DS:[EBX+4444]
2005F321 OR ECX,FFFFFFFF
2005F324 XOR EAX,EAX
2005F326 ADD ESP,0C
2005F329 REPNE SCAS BYTE PTR ES:[EDI]
2005F32B NOT ECX
2005F32D SUB EDI,ECX
2005F32F LEA EDX,[EBP-113C]
2005F335 MOV EAX,ECX
2005F337 MOV ESI,EDI
2005F339 MOV EDI,EDX
2005F33B SHR ECX,2
2005F33E REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; corrupt stk
2005F340 MOV ECX,EAX
2005F342 PUSH OFFSET 2007F430
2005F347 AND ECX,00000003
2005F34A REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
2005F34C MOV ESI,DWORD PTR DS:[<&MSVCRT.strtok>]
2005F352 LEA ECX,[EBP-113C]
2005F358 PUSH ECX
2005F359 CALL ESI ; MSVCRT.strtok
2005F35B ADD ESP,8
2005F35E TEST EAX,EAX
2005F360 JE SHORT 2005F382 ; all extensions processed
2005F362 MOV ECX,DWORD PTR DS:[2041D0B4]
2005F368 PUSH EAX
2005F369 PUSH OFFSET 20086ACC ; ASCII " %s"
2005F36E PUSH 4
2005F370 MOV EDX,DWORD PTR DS:[ECX]
2005F372 PUSH ECX
2005F373 CALL DWORD PTR DS:[EDX+3C] ; log string/message
2005F376 ADD ESP,10
2005F379 PUSH OFFSET 2007F430
2005F37E PUSH 0
2005F380 JMP SHORT 2005F359
2005F382 MOV EAX,DWORD PTR DS:[2041D0B4]
2005F387 PUSH OFFSET 2007D1F8
2005F38C PUSH 4
2005F38E PUSH EAX
2005F38F MOV ECX,DWORD PTR DS:[EAX]
2005F391 CALL DWORD PTR DS:[ECX+3C] ; log string/message
2005F394 MOV EDX,DWORD PTR SS:[EBP-1C] ; garbage due to stack corrupt
2005F397 ADD ESP,0C
2005F39A MOV ESI,OFFSET 20086AC0 ; ASCII "FullScreen"
2005F39F MOV EAX,DWORD PTR DS:[EDX+10] ; *boom*
2005F3A2 TEST EAX,EAX
2005F3A4 JNE SHORT 2005F3AB
...
--- snip ---
Game starts fine if you work around with:
--- snip ---
$ export MESA_EXTENSION_MAX_YEAR=2001
$ wine ./Shine.exe
--- snip ---
Tidbit: You can configure the game to windowed mode ('fullscreen=0') and custom
resolutions by editing 'Shine.ini'.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/NMG/HTT/Bin
$ grep -Hrni -B 5 fullscreen Shine.ini
Shine.ini-18-ZDepth = 16
Shine.ini-19-StencilDepth = 8
Shine.ini-20-width = 1024
Shine.ini-21-height = 768
Shine.ini-22-colordepth = 16
Shine.ini:23:fullscreen = 0
--- snip ---
ProtectionID scan:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\NMG\HTT\Bin\Shine.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 28672 (07000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x3A6D5691 -> Tue 23rd Jan 2001 10:01:53 (GMT)
[TimeStamp] 0x3A6D5691 -> Tue 23rd Jan 2001 10:01:53 (GMT) | PE Header | - | Offset: 0x000000F0 | VA: 0x004000F0 | -
[TimeStamp] 0x3A6D5691 -> Tue 23rd Jan 2001 10:01:53 (GMT) | Export | - | Offset: 0x00002014 | VA: 0x00402014 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000000100000000 (0x00000100)
[Entrypoint Section Entropy] : 5.40 (section #0) ".text " | Size : 0x20C (524) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0x7000 (28672) byte(s)
[Export] 100% of function(s) (3 of 3) are in file | 0 are forwarded | 3 code | 0 data | 0 uninit data | 0 unknown |
[ModuleReport] [IAT] Modules -> ShineEng.dll | USER32.dll | MSVCRT.dll | KERNEL32.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.246 Second(s) [0000000F6h (246) tick(s)] [506 of 580 scan(s) done]
Scanning -> C:\Program Files (x86)\NMG\HTT\Bin\ShineEng.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 1765376 (01AF000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x3A7FE821 -> Tue 06th Feb 2001 12:03:45 (GMT)
[TimeStamp] 0x3A7FE821 -> Tue 06th Feb 2001 12:03:45 (GMT) | PE Header | - | Offset: 0x00000128 | VA: 0x10000128 | -
[TimeStamp] 0x3A7FE821 -> Tue 06th Feb 2001 12:03:45 (GMT) | Export | - | Offset: 0x0015A004 | VA: 0x1015A004 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000000100000000 (0x00000100)
[Entrypoint Section Entropy] : 6.69 (section #0) ".text " | Size : 0x14AA62 (1354338) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 6 (0x6) | ImageSize 0x508000 (5275648) byte(s)
[Export] 80% of function(s) (4 of 5) are in file | 0 are forwarded | 4 code | 1 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : New Media Generation
[VersionInfo] Product Name : New Media Generation ShineEng
[VersionInfo] Product Version : 1. 0. 0. 1
[VersionInfo] File Description : ShineEng
[VersionInfo] File Version : 1. 0. 0. 1
[VersionInfo] Original FileName : ShineEng.dll
[VersionInfo] Internal Name : ShineEng
[VersionInfo] Legal Copyrights : Copyright © 1998
[ModuleReport] [IAT] Modules -> WINMM.dll | COMCTL32.dll | Shine.exe | zlib.dll | KERNEL32.dll | USER32.dll | GDI32.dll | ADVAPI32.dll | ole32.dll | AVIFIL32.dll | MSVFW32.dll | MSVCRT.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.598 Second(s) [000000256h (598) tick(s)] [246 of 580 scan(s) done]
--- snip ---
$ wine --version
wine-3.6-105-g448344c5e4
Regards
*** This bug has been marked as a duplicate of bug 25362 ***
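The listing above copies glGetString(GL_EXTENSIONS) into a fixed stack buffer with no length check, so a modern driver's long extension list runs past the frame. As an added illustration (not code from the bug report or the game), the block below shows the missing check and a bounded copy that still leaves the buffer tokenizable; EXT_BUF_CAP is assumed from the listing's offsets (EBP-0x113C up to the clobbered EBP-0x1C), and the oversized extension list is constructed from fake names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Room from the buffer at EBP-0x113C up to the local at EBP-0x1C that the
 * listing shows clobbered; treating that as the capacity is an assumption. */
#define EXT_BUF_CAP 0x1120u

/* The check RendOGL.dll never makes: strlen+1 (what REPNE SCAS yields) against the buffer. */
bool ext_string_overflows(const char *ext, size_t cap)
{
    return strlen(ext) + 1 > cap;
}

/* Count whole space-separated names without mutating the buffer (strtok would). */
size_t count_extension_names(const char *s)
{
    size_t count = 0; bool in_name = false;
    for (; *s; s++) {
        if (*s == ' ') in_name = false;
        else if (!in_name) { in_name = true; count++; }
    }
    return count;
}

/* Bounded replacement for the REP MOVS copy: at most cap bytes are written and, when
 * it must cut, it cuts at a space so no name is half-copied. Returns names kept;
 * *truncated flags a list longer than the buffer. */
size_t copy_extensions_bounded(const char *ext, char *buf, size_t cap, bool *truncated)
{
    size_t len = strlen(ext);
    *truncated = len + 1 > cap;
    size_t n = *truncated ? cap - 1 : len;
    memcpy(buf, ext, n);
    buf[n] = '\0';
    if (*truncated) {
        char *sp = strrchr(buf, ' ');
        if (sp) *sp = '\0'; else buf[0] = '\0';
    }
    return count_extension_names(buf);
}

/* Constructed stand-in for a modern driver's GL_EXTENSIONS: n fake 15-byte names. */
size_t build_fake_extensions(char *out, size_t outsz, unsigned n)
{
    size_t used = 0;
    for (unsigned i = 0; i < n && used + 17 < outsz; i++)
        used += (size_t)snprintf(out + used, outsz - used, "%sGL_FAKE_ext%04u", i ? " " : "", i);
    return used;
}
```

With 400 fake names the list is 6399 bytes, well past the 0x1120-byte buffer; the bounded copy keeps the first 273 whole names and reports the truncation instead of overwriting the frame.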