WoW crashes in 'wine_cp_mbstowcs' under certain circumstances.

Jesse Allen the3dfxdude at gmail.com
Mon Apr 17 13:45:06 CDT 2006


On 4/17/06, Jesse Allen <the3dfxdude at gmail.com> wrote:
> On 4/17/06, Tomas Carnecky <tom at dbservice.com> wrote:
> > Jesse Allen wrote:
> > > On 4/17/06, Tomas Carnecky <tom at dbservice.com> wrote:
> > >> Wine doesn't crash in this function, sorry, it's a bug in pf_vsnprintf()
> > >> which causes snprintf() to write beyond the end of the buffer.
> > >>
> > >> I've attached a patch that fixes it for me, but it's probably better not
> > >> to create such large buffers on the stack.
> > >> Anyone with a better fix?
> > >>


OK, I can kind of see a problem. If we converted this number on our
own, we would set the field size to the number of printable characters
before the final output. But since we can't even look at the size at
all, we rely on 40 because nothing is hardcoded into the format
string. We will obviously overflow when we have more significant
digits than 40 and no field size specified.

But I also found something wrong with your test. Libc seems to
remember far more digits and msvcrt rounds. So we also have a
portability issue I think. The real solution is doing our own float
conversions, but we can avoid the crash in the meantime by just making
number larger; the output will still not be correct.

Jesse


