[Bug 50075] New: GetFileVersionInfoSizeW can read from unallocated memory
WineHQ Bugzilla
wine-bugs at winehq.org
Thu Oct 29 04:07:55 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=50075
Bug ID: 50075
Summary: GetFileVersionInfoSizeW can read from unallocated memory
Product: Wine
Version: 5.20
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: version
Assignee: wine-bugs at winehq.org
Reporter: ahiler at codeweavers.com
Distribution: ---
Original bug: https://github.com/ValveSoftware/Proton/issues/4308

Crown Trick (game) comes with Assembly-CSharp.dll (generated by Unity engine)
that is most likely just encrypted[0] or straight up corrupted. The game calls
GetFileVersionInfoSizeW() on that .dll during which it crashes.

Wine's GetFileVersionInfoSizeW() checks the PE header for RVA and size of
Resource Table.

Then HeapAllocs(size) happens and data is read into the allocated memory.

After that, when looking for the version entry, find_entry_by_id() naively
trusts NumberOfNamedEntries and NumberOfIdEntries residing in the resource
table, which in the encrypted/corrupted form add up to 20k+ entries. This
results in an attempt to dereference something way past the size of Resource
Table (0x400) and causes a page fault.

I have a tentative patch (will send it soon, after a bit more testing) that
makes sure we are not trying to read entries past the allocated area. With this
the game starts and works just fine.

[0]: https://github.com/yangyuan/hearthrock/issues/13
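
The kind of bounds check the report describes, as an added example that is not part of the original report and is not Wine's patch: the entry counts read from the resource directory are validated against the size of the buffer before any entry is touched. The names `find_entry_by_id_checked`, `make_sample`, `res_dir` and `res_entry` are hypothetical; the field names and the 16-byte header / 8-byte entry layout follow the PE resource directory format, and id 16 is RT_VERSION.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE resource directory header (16 bytes) and entry (8 bytes); little-endian host assumed. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion, NumberOfNamedEntries, NumberOfIdEntries;
} res_dir;
typedef struct { uint32_t Id, OffsetToData; } res_entry;

/* Hypothetical helper: offset of the entry with `id` in buf[0..size), or -1 if absent/invalid. */
long find_entry_by_id_checked(const uint8_t *buf, size_t size, size_t dir_off, uint16_t id)
{
    res_dir dir; res_entry e;
    size_t first, total, lo, hi;
    if (dir_off > size || size - dir_off < sizeof(dir)) return -1;
    memcpy(&dir, buf + dir_off, sizeof(dir));
    /* Both counts come from the file: bound them by what was actually allocated. */
    total = (size_t)dir.NumberOfNamedEntries + dir.NumberOfIdEntries;
    first = dir_off + sizeof(dir);
    if (total > (size - first) / sizeof(e)) return -1;
    /* Binary search over the id entries, which are sorted and follow the named ones. */
    lo = dir.NumberOfNamedEntries; hi = total;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        memcpy(&e, buf + first + mid * sizeof(e), sizeof(e));
        if (e.Id == id) return (long)(first + mid * sizeof(e));
        if (e.Id < id) lo = mid + 1; else hi = mid;
    }
    return -1;
}

/* Constructed sample: 0x400-byte table, three real id entries, header claims `ids` of them. */
void make_sample(uint8_t *buf, uint16_t ids)
{
    res_dir dir = {0, 0, 0, 0, 0, ids};
    res_entry ents[3] = {{3, 0x100}, {16, 0x200}, {24, 0x300}};
    memset(buf, 0, 0x400);
    memcpy(buf, &dir, sizeof(dir));
    memcpy(buf + sizeof(dir), ents, sizeof(ents));
}

int main(void)
{
    uint8_t buf[0x400];
    make_sample(buf, 20000);   /* corrupted count, as in the report */
    printf("%ld\n", find_entry_by_id_checked(buf, sizeof buf, 0, 16));
    return 0;
}
```

Without the `total` check, the first midpoint of the search over 20000 claimed entries would be read roughly 80 KB past the start of a 0x400-byte allocation.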