WoW crashes in 'wine_cp_mbstowcs' under certain circumstances.

Jesse Allen the3dfxdude at
Mon Apr 17 13:45:06 CDT 2006

On 4/17/06, Jesse Allen <the3dfxdude at> wrote:
> On 4/17/06, Tomas Carnecky <tom at> wrote:
> > Jesse Allen wrote:
> > > On 4/17/06, Tomas Carnecky <tom at> wrote:
> > >> Wine doesn't crash in this function, sorry, it's a bug in pf_vsnprintf()
> > >> which causes snprintf() to write beyond the end of the buffer.
> > >>
> > >> I've attached a patch that fixes it for me, but it's probably better not
> > >> to create such large buffers on the stack.
> > >> Anyone with a better fix?
> > >>

OK, I can kind of see a problem. If we converted this number on our
own, we would set the field size to the number of printable characters
before the final output. But since we can't even look at the size at
all, we rely on 40 because nothing is hardcoded into the format
string. We will obviously overflow when we have more significant
digits than 40 and no field size specified.

But I also found something wrong with your test. Libc seems to
remember far more digits and msvcrt rounds. So we also have a
portability issue I think. The real solution is doing our own float
conversions, but we can avoid the crash in the meantime by just making
number larger; the output will still not be correct.
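The overflow described in this thread comes from formatting a double into a fixed-size scratch buffer with no length bound. The following is an added example, not code from Wine or from either poster, showing the two defensive patterns a printf implementation (or any caller) can use instead: bounded formatting that reports truncation, and sizing the buffer from the conversion itself. The 40-byte `SCRATCH_LEN`, the helper names and the test values `3.14159` and `1e50` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed scratch size, matching the "40" discussed in the mail. */
#define SCRATCH_LEN 40

/* The unsafe pattern under discussion, shown as a comment only, because
 * executing it overruns the stack buffer once the integer part of the
 * double has more digits than the buffer can hold:
 *
 *     char scratch[SCRATCH_LEN];
 *     sprintf(scratch, "%f", value);     // no bound on the output length
 */

/* Number of characters "%f" produces for 'value', excluding the NUL.
 * snprintf(NULL, 0, ...) is the C99 way to measure without writing. */
int fmt_double_len(double value)
{
    return snprintf(NULL, 0, "%f", value);
}

/* Hardened pattern 1: bounded formatting that never writes past 'out_len'
 * bytes and tells the caller whether the full text fit. snprintf() returns
 * the length the output *would* have had, so a return >= out_len means
 * the result was truncated rather than overflowed. */
bool fmt_double_bounded(char *out, size_t out_len, double value)
{
    int needed = snprintf(out, out_len, "%f", value);
    if (needed < 0) {            /* encoding error: leave a valid empty string */
        if (out_len) out[0] = '\0';
        return false;
    }
    return (size_t)needed < out_len;
}

/* Hardened pattern 2: measure first, then allocate exactly enough on the
 * heap. Avoids both the overflow and the large stack buffer the original
 * poster was uneasy about. Caller frees the result. */
char *fmt_double_alloc(double value)
{
    int needed = snprintf(NULL, 0, "%f", value);
    if (needed < 0) return NULL;
    char *buf = malloc((size_t)needed + 1);
    if (!buf) return NULL;
    snprintf(buf, (size_t)needed + 1, "%f", value);
    return buf;
}

int main(void)
{
    char scratch[SCRATCH_LEN];
    double small = 3.14159, huge = 1e50;   /* constructed test values */

    printf("\"%%f\" of 1e50 needs %d chars; scratch buffer holds %d\n",
           fmt_double_len(huge), SCRATCH_LEN - 1);

    printf("3.14159 fits: %s -> \"%s\"\n",
           fmt_double_bounded(scratch, sizeof scratch, small) ? "yes" : "no",
           scratch);

    printf("1e50 fits:    %s -> truncated to \"%s\"\n",
           fmt_double_bounded(scratch, sizeof scratch, huge) ? "yes" : "no",
           scratch);

    char *full = fmt_double_alloc(huge);
    if (full) {
        printf("heap-sized:   \"%s\"\n", full);
        free(full);
    }
    return 0;
}
```

The point to take from the second pattern is that the length of a `%f` conversion is not predictable from the format string alone, so any fixed-size buffer is a guess; measuring with `snprintf(NULL, 0, ...)` removes the guess, and checking the return value of a bounded `snprintf` turns the remaining failure mode into detectable truncation.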

