[Bug 35127] Gamehall (Chinese game client) crashes in comctl32

wine-bugs at winehq.org
Thu Jan 18 09:28:44 CST 2018


https://bugs.winehq.org/show_bug.cgi?id=35127

--- Comment #15 from Zhiyi Zhang <yi.gd.cn at gmail.com> ---
This is due to the application trying to write to an internal structure.

$ winedbg
winedbg>break TREEVIEW_SendCustomDrawItemNotify
winedbg>c
winedbg>watch * (value of item + 0x18)
winedbg>c
watchpoint should now be triggered

Using 'info reg', you should see that ESI points to item, and the instruction
tried to write to $item+0x1a.

Wine-dbg>disas 0x004f1040,0x004f1080
disas 0x004f1040,0x004f1080
0x004f1040: jl    0x004f1066
0x004f1042: orb    %dl,0xffffff8b(%edi)
0x004f1045: pushl    %ecx
0x004f1046: clc    
0x004f1047: pushl    %edx
0x004f1048: movl    0x8(%eax),%edx
0x004f104b: pushl    %ecx
0x004f104c: pushl    %edx
0x004f104d: call    *0x6b3234 -> 0x7eaed64c GetTextExtentPoint32A
[/home/eric/source/wine/wine/dlls/gdi32/font.c:1140] in gdi32
0x004f1053: movl    0x8(%esp),%eax      <- 0x8(%esp) is 0x0000004e
0x004f1057: leal    0x24(%esp),%ecx
0x004f105b: addl    $4,%eax             <- +4, then %eax is the written value
0x004f105e: movl    $0xffffffff,0x18(%esp)
0x004f1066: movw    %ax,0x1a(%esi)       <- corrupts item->pszText,accordding
to calling GetTextExtentPoint32A,the application is trying to write to
item->textWidth directly. You can also verify this by print out value of
textWidth and written value. They should be off by 4.
0x004f106a: andl    $0xffff,%eax
0x004f106f: movl    %eax,%esi
0x004f1071: call    0x00687e76
0x004f1076: movl    0x10(%esp),%ecx
0x004f107a: movl    %esi,%eax
0x004f107c: popl    %edi
0x004f107d: popl    %esi
0x004f107e: movl    %ecx,%fs:0x00000000

Wine-dbg>x 0x0033e268   0x8(%esp)
x 0x0033e268
 0000004e 

However, in comctl32/treeview.c#L139 (struct _TREEITEM), $item+0x1a points to
none of the members, because they are all 4-byte aligned. By writing to
$item+0x1a, item->pszText gets corrupted.

Adding a 2-byte padding before item->pszText works around this. The
application runs.

Since the application expects textWidth to be at $item+0x1a and textWidth to be
2 bytes long, trying to move the position of textWidth also works. However,
textWidth is now 4 bytes. Moving textWidth also makes it corrupted. But it seems
that the application still runs.
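As an added illustration (not from the bug report or from Wine's source), a small C model of the layout mismatch described above: a constructed stand-in struct with pszText at 0x18, the raw 16-bit store at 0x1a that the disassembly shows, and the 2-byte pad workaround. The field names and the 0x11223344 sample pointer are constructed, and the byte values assume a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for comctl32's struct _TREEITEM (constructed; not
 * Wine's definition). It only reproduces what the report relies on: six
 * 4-byte fields, so pszText lands at offset 0x18 on 32- and 64-bit hosts. */
struct item_unpadded {
    uint32_t    callbackMask, state, stateMask, iImage, iSelectedImage, cChildren;
    const char *pszText;      /* offset 0x18; the store hits its bytes 2..3 */
    int32_t     textWidth;    /* the field the game actually means to update */
};

/* Same fields with the 2-byte pad the comment adds before pszText. */
struct item_padded {
    uint32_t    callbackMask, state, stateMask, iImage, iSelectedImage, cChildren;
    uint16_t    pad;          /* offset 0x18; 0x1a..0x1b becomes alignment padding */
    const char *pszText;      /* moved past the stray store by alignment */
    int32_t     textWidth;
};

/* Replays "movw %ax,0x1a(%esi)": a raw 16-bit store at byte offset 0x1a of the
 * item, with %ax = GetTextExtentPoint32A width (0x4e) + 4, as in the report. */
static void stray_store(void *item)
{
    uint16_t ax = 0x4e + 4;
    memcpy((unsigned char *)item + 0x1a, &ax, sizeof ax);
}

/* Constructed sample pointer so the corruption is visible as a value. */
#define SAMPLE_PSZTEXT ((const char *)(uintptr_t)0x11223344u)

/* pszText after the store in the original layout (little-endian host). */
uintptr_t pszText_after_store_unpadded(void)
{
    struct item_unpadded it = {0};
    it.pszText = SAMPLE_PSZTEXT;
    stray_store(&it);
    return (uintptr_t)it.pszText;   /* bytes 2..3 replaced: 0x00523344 */
}

/* pszText after the same store once the pad is in place. */
uintptr_t pszText_after_store_padded(void)
{
    struct item_padded it = {0};
    it.pszText = SAMPLE_PSZTEXT;
    stray_store(&it);
    return (uintptr_t)it.pszText;   /* untouched: 0x11223344 */
}
```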
