[Bug 51831] New: TrueDrive: On start shows an alert that the steering wheel is turned around too close to the bump stops, while the wheel is actually aligned on top center

WineHQ Bugzilla wine-bugs at winehq.org
Sat Oct 2 08:39:20 CDT 2021


https://bugs.winehq.org/show_bug.cgi?id=51831

            Bug ID: 51831
           Summary: TrueDrive: On start shows an alert that the steering
                    wheel is turned around too close to the bump stops,
                    while the wheel is actually aligned on top center
           Product: Wine
           Version: 6.18
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: hid
          Assignee: wine-bugs at winehq.org
          Reporter: logos128 at gmail.com
                CC: rbernon at codeweavers.com
   Regression SHA1: 8b434bdc7fe98e3bd97e180f31bc18d87161c05a
      Distribution: ArchLinux

Created attachment 70718
  --> https://bugs.winehq.org/attachment.cgi?id=70718
0001-winebus.sys-Fix-possible-memory-access-error-in-bus_.patch

In addition to the summary, the in-app steering wheel animation is indeed
turned around, usually to the left, and the high torque mode of the Simucube 2 FFB
wheel is also being disabled, as the alert warns. After closing the alert, the
steering wheel animation resumes proper tracking of the real wheel.

After some regression testing I found out that in bus_event_queue_pop()
(winebus.sys/unixlib.c) the size for the memcpy operation is calculated based
on event->input_report.length, and when the event operand is passed for the
first time to this function, its input_report.length is uninitialized. The
bus_event structure is allocated once per bus thread.
This could lead to either insufficient bytes being copied to the event struct,
or a memory access error from an out-of-bounds copy operation of the tmp struct.
The consecutive calls of this function use event->input_report.length
again, which in this case is just the length of the input buffer from the
previous operation.

If the device uses multiple input reports with different ReportIDs and
different lengths, this could lead to serious issues.

Attached is a patch which fixes the issue (based on the current master).

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
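The defect described in this report, a reusable event struct whose own length field is used to size the memcpy that fills it, is easy to reproduce in isolation. The following is an added illustrative model written for this page; it is not Wine's winebus.sys code, and the names (input_report, bus_event, pop_unsafe, pop_safe, REPORT_MAX) and the struct layout are assumptions modelled on the report's wording. It shows the buggy pattern next to the corrected one (copy size taken from the source report, bounded by the buffer size) and counts how many payload bytes arrive wrong when the same event struct is reused across two reports of different lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only, not Wine's code. Names and sizes are assumptions. */
#define REPORT_MAX 64

struct input_report
{
    uint8_t  id;               /* HID report ID */
    uint32_t length;           /* number of valid bytes in data */
    uint8_t  data[REPORT_MAX];
};

struct bus_event
{
    struct input_report input_report;
};

/* Stand-in for the bus event queue: one pending report to pop. */
struct bus_event_queue
{
    struct bus_event pending;
    int has_pending;
};

/* Bytes needed to transfer a report: header fields plus `length` payload bytes. */
static size_t event_size(uint32_t length)
{
    return offsetof(struct input_report, data) + length;
}

/* Buggy pattern from the report: the copy size comes from the DESTINATION's
 * length field, which is uninitialized on the first call and stale afterwards. */
static int pop_unsafe(const struct bus_event_queue *q, struct bus_event *event)
{
    if (!q->has_pending) return 0;
    memcpy(&event->input_report, &q->pending.input_report,
           event_size(event->input_report.length)); /* wrong: dst length */
    return 1;
}

/* Corrected pattern: size the copy from the SOURCE report and reject lengths
 * that would overrun the fixed buffer. */
static int pop_safe(const struct bus_event_queue *q, struct bus_event *event)
{
    const struct input_report *src = &q->pending.input_report;
    if (!q->has_pending) return 0;
    if (src->length > REPORT_MAX) return 0; /* malformed length: refuse the copy */
    memcpy(&event->input_report, src, event_size(src->length));
    return 1;
}

/* Number of payload bytes in `event` that differ from `expected` (0 = correct). */
static uint32_t payload_mismatch(const struct bus_event *event,
                                 const struct input_report *expected)
{
    uint32_t i, bad = 0;
    if (event->input_report.length != expected->length) return expected->length;
    for (i = 0; i < expected->length; i++)
        if (event->input_report.data[i] != expected->data[i]) bad++;
    return bad;
}

/* Scenario: one zero-initialised event struct (as if allocated once per bus
 * thread) receives a 4-byte report and then an 8-byte report. Returns the
 * total number of wrong payload bytes across both pops. */
static uint32_t run_scenario(int use_safe)
{
    struct bus_event event;
    struct bus_event_queue q;
    struct input_report reports[2]; /* constructed sample reports */
    uint32_t i, total = 0;

    memset(&event, 0, sizeof(event));
    memset(reports, 0, sizeof(reports));
    reports[0].id = 1; reports[0].length = 4;
    for (i = 0; i < 4; i++) reports[0].data[i] = (uint8_t)(1 + i);
    reports[1].id = 2; reports[1].length = 8;
    for (i = 0; i < 8; i++) reports[1].data[i] = (uint8_t)(10 + i);

    for (i = 0; i < 2; i++)
    {
        q.pending.input_report = reports[i];
        q.has_pending = 1;
        if (use_safe) pop_safe(&q, &event); else pop_unsafe(&q, &event);
        total += payload_mismatch(&event, &reports[i]);
    }
    return total;
}

int main(void)
{
    printf("wrong payload bytes, unsafe pop: %u\n", run_scenario(0)); /* 8 */
    printf("wrong payload bytes, safe pop:   %u\n", run_scenario(1)); /* 0 */
    return 0;
}
```

With the buggy pop the first call sees length 0 and copies only the header, so the 4-byte payload never arrives; the second call then uses the stale length 4 and copies only half of the 8-byte report. The model keeps both buffers at REPORT_MAX so the demonstration itself stays in bounds; in the real code, as the report notes, a stale length larger than the temporary struct would instead read past it.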
