Buffer overrun issue

Ziggy
a lesser mummy
Posts: 73
Joined: Sat Jun 26, 2004 5:30 pm

Post by Ziggy » Sat Jan 29, 2005 2:36 am

Trying to isolate this problem myself, but having issues with it. It's not an exception break, so can't follow the rules for posting sadly.

It only crashes while mq2map plugin is loaded (I can hear the groans already). And will crash when you do a UI switch (changing your UI).

I know it's while a particular plugin is loaded, but am getting no other issues at all. And due to the nature of the problem, and that it doesn't crash IN mq2map, I'm reporting anyway.

Went thru removing a whole bunch of other plugins, and mq2map was the only one that I found made a difference. I do know that memory errors can be tricky to find and not necessarily where they 'appear' to be.

Seems to break here in MQ2CleanUI.cpp:

Code:

015739B0   mov         eax,dword ptr [esp+4]
015739B4   push        eax
015739B5   call        DrawHUDText+0D0h (015738f0)
015739BA   mov         ecx,dword ptr [pArrayType+65B0h (015fbcd8)]
015739C0   push        ecx
015739C1   call        EnterMQ2Benchmark (01572420)
015739C6   call        PluginsReloadUI (015aca40)
015739CB   mov         edx,dword ptr [pArrayType+65B0h (015fbcd8)]
015739D1   push        edx
015739D2   call        ExitMQ2Benchmark (01572450)
015739D7   add         esp,8
015739DA   ret         4

class CDisplayHook
{
public:
	VOID CleanUI_Trampoline(VOID);
	VOID CleanUI_Detour(VOID)
	{
		Benchmark(bmPluginsCleanUI,DebugTry(PluginsCleanUI()));
		DebugTry(CleanUI_Trampoline());
	}

	VOID ReloadUI_Trampoline(BOOL);
	VOID ReloadUI_Detour(BOOL UseINI)
	{
		DebugTry(ReloadUI_Trampoline(UseINI));
		Benchmark(bmPluginsReloadUI,DebugTry(PluginsReloadUI()));
	}
And if it helps, this is the bit that's failing check:

Code:

.text:005B7964 sub_5B7964      proc near               ; CODE XREF: sub_40118A+1EFp
.text:005B7964                                         ; CAAWnd__CAAWnd+3DBp ...
.text:005B7964
.text:005B7964 ; FUNCTION CHUNK AT .text:005B7933 SIZE 0000001D BYTES
.text:005B7964 ; FUNCTION CHUNK AT .text:005B7957 SIZE 0000000D BYTES
.text:005B7964
.text:005B7964                 cmp     ecx, dword_7251DC
.text:005B796A                 jnz     short loc_5B796D
.text:005B796C                 retn
.text:005B796D ; ---------------------------------------------------------------------------
.text:005B796D
.text:005B796D loc_5B796D:                             ; CODE XREF: sub_5B7964+6j
.text:005B796D                 jmp     _report_failure ; Fails here
.text:005B796D sub_5B7964      endp
Does this and jumps right to __reportfailure and gives memory buffer overrun error.

My lack of debugging skills at this point get me lost. :|

So if someone else wants to lend a more informed eye to the problem, that'd be cool. If you want to complain about my post instead, that's cool too. Really don't care :)

edit: fixed highlight line in c code. oop
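The shape of sub_5B7964 above (compare ecx against a global, retn on match, otherwise jump to a report routine) is the stack-cookie check that MSVC's /GS option emits, and the "buffer overrun" message is what its failure handler prints before terminating. The C program below is an added illustration, not code from the thread or from MQ2: it models that check so the mechanism is visible, with a constructed cookie value, a report_failure that only sets a flag instead of exiting, and the frame's own address standing in for EBP in the prologue XOR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the process-wide cookie (dword_7251DC in the
 * disassembly); the real one is randomized at process start. */
static uintptr_t security_cookie = 0x2B992DDFu;

/* Set when the check takes the jnz path; the real _report_failure prints
 * the buffer-overrun message and calls ExitProcess instead. */
static int gs_failure_reported = 0;
static void report_failure(void) { gs_failure_reported = 1; }

/* Same logic as sub_5B7964: the caller's saved cookie arrives (in ecx),
 * cmp against the global, jnz -> report, otherwise plain retn. */
static void security_check_cookie(uintptr_t saved) {
    if (saved != security_cookie)
        report_failure();
}

/* A /GS frame: locals first, then the cookie copy, then the saved EBP and
 * return address that the cookie is there to guard. */
struct gs_frame {
    char      buf[16];
    uintptr_t cookie;
    uintptr_t saved_ebp;
    uintptr_t ret_addr;
};

/* Simulates a function that copies len bytes of src into its 16-byte local
 * buffer and then runs the epilogue check. Returns 1 if the check fires. */
int copy_then_check(const unsigned char *src, size_t len) {
    struct gs_frame f;
    memset(&f, 0, sizeof f);
    f.cookie = security_cookie ^ (uintptr_t)&f;      /* prologue: cookie ^ ebp */
    if (len > sizeof f) len = sizeof f;              /* keep the model inside the frame */
    memcpy(&f, src, len);        /* buf is at offset 0; len > 16 spills into cookie */
    gs_failure_reported = 0;
    security_check_cookie(f.cookie ^ (uintptr_t)&f); /* epilogue: undo xor, then check */
    return gs_failure_reported;
}

int main(void) {
    const unsigned char ok[] = "hello";
    unsigned char bad[24];
    memset(bad, 'A', sizeof bad);
    printf("6-byte copy:  check %s\n", copy_then_check(ok, sizeof ok) ? "fails" : "passes");
    printf("24-byte copy: check %s\n", copy_then_check(bad, sizeof bad) ? "fails" : "passes");
    return 0;
}
```

A write that stops at the end of the 16-byte buffer leaves the cookie intact, so the check only fires once the copy runs past the locals.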

dont_know_at_all
Developer
Posts: 5450
Joined: Sun Dec 01, 2002 4:15 am
Location: Florida, USA

Post by dont_know_at_all » Sat Jan 29, 2005 4:41 am

Add this line to the beginning of mq2main.h:
#define DEBUG_TRY

Recompile everything.

Get dbgview from sysinternals.com and start it first. Attaching a debugger works as well.

Start mq and eq as normal and crash it.

Post the output from dbgview here.

The offset for CDisplay__ReloadUI looks correct. Mq2map doesn't have an OnReloadUI function -- only mq2irc does. I will try to start mapping the CMapViewWnd class tomorrow.

Does it matter if the map is open or not?

Choakster
the antichrist
Posts: 124
Joined: Sat Aug 23, 2003 1:16 pm

Post by Choakster » Sat Jan 29, 2005 7:55 am

The buffer overrun error is definitely coming from MQ2Map..
I did some testing ..

I completely unloaded MQ2Map changed skins .. No Overrun

Pulled the map up with MQ2Map unloaded and changed skins..
No Overrun

Loaded MQ2Map changed skins with map window closed .. Crashed With buffer overrun

Loaded MQ2Map changed skins with map window open .. Crashed With buffer overrun

So no, it doesn't matter if the map window is open or closed ..
http://Ever-Realm.com

pinkfloydx33
a ghoul
Posts: 140
Joined: Sat Jun 19, 2004 1:16 pm

Post by pinkfloydx33 » Sat Jan 29, 2005 10:58 am

Code:

[3752] CCommandHook::Detour(/loadskin delta 1)
[3752] 
[3752] [MQ2]
[3752] Trying ReloadUI_Trampoline(UseINI)
[3752] 
[3752] [MQ2]
[3752] Removing WndNotification target 'FacePickWindow'
[3752] 
[3752] [MQ2]
[3752] Removing WndNotification target 'SystemInfoDialogBox'
[3752] 
[3752] [MQ2]
[3752] Trying PluginsCleanUI()
[3752] 
[3752] [MQ2]
[3752] mq2chatwnd->CleanUI()
[3752] 
[3752] [MQ2]
[3752] MQ2ChatWnd::OnCleanUI()
[3752] 
[3752] [MQ2]
[3752] Removing WndNotification target 'ChatWindow'
[3752] 
[3752] [MQ2]
[3752] PluginsCleanUI() complete
[3752] 
[3752] [MQ2]
[3752] Trying CleanUI_Trampoline()
[3752] 
[3752] [MQ2]
[3752] CleanUI_Trampoline() complete
[3752] 
[3752] [MQ2]
[3752] XMLRead(EQUI.xml)
[3752] 
[3752] [MQ2]
[3752] GenerateMQUI::Not Generating MQUI.xml, no files in our list
[3752] 
[3752] [MQ2]
[3752] Adding WndNotification target 'CursorAttachment'
[3752] 
[3752] [MQ2]
[3752] Adding WndNotification target 'OpenTicketsPage'
[3752] 
[3752] [MQ2]
[3752] Adding WndNotification target 'TicketCommentWindow'
[3752] 
[1216] Check exception: .\ApplicationUtils.cpp (147), DPG::GetExeNameFromHWND, addr = 0x10016973, last error = 5
[1216] Check exception: .\ApplicationUtils.cpp (147), DPG::GetExeNameFromHWND, addr = 0x10016973, last error = 5
[3752] [MQ2]
[3752] MQ2EQBugFix Module Unloaded
[3752] 
[3752] [MQ2]
[3752] MQ2ChatWnd Module Unloaded
[3752] 
[3752] [MQ2]
[3752] MQ2Bzsrch Module Unloaded
[3752] 
[3752] [MQ2]
[3752] MQ2Map Module Unloaded
[3752] 
[3752] [MQ2]
[3752] MQ2HUD Module Unloaded
[3752] 
[3752] [MQ2]
[3752] MQ2CustomBinds Module Unloaded
[3752] 
[3752] [MQ2]
[3752] MQ2ItemDisplay Module Unloaded
[3752] 
[3752] [MQ2]
[3752] MQ2Labels Module Unloaded
[3752] 
There are a lot of lines between Removing WndNotification target 'SystemInfoDialogBox' and the next line... all just removing each window in the UI. Same with [3752] GenerateMQUI::Not Generating MQUI.xml, no files in our list[3752] and the line after it... just repopulating the UI windows. Edited out all the windows in the middle to preserve space heh.

Code:

[MQ2]Adding WndNotification target 'TicketCommentWindow'
[MQ2]MQ2EQBugFix Module Unloaded
[MQ2]MQ2ChatWnd Module Unloaded
[MQ2]MQ2Bzsrch Module Unloaded
[MQ2]MQ2Map Module Unloaded
[MQ2]MQ2HUD Module Unloaded
[MQ2]MQ2CustomBinds Module Unloaded
[MQ2]MQ2ItemDisplay Module Unloaded
[MQ2]MQ2Labels Module Unloaded
eax=77c3b8c1 ebx=00000000 ecx=00d823a8 edx=77c61ae8 esi=7c90e88e edi=00000003
eip=7c90eb94 esp=0012d660 ebp=0012d75c iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90eb94 c3               ret
0:000> r
eax=77c3b8c1 ebx=00000000 ecx=00d823a8 edx=77c61ae8 esi=7c90e88e edi=00000003
eip=7c90eb94 esp=0012d660 ebp=0012d75c iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90eb94 c3               ret
0:000> kv
ChildEBP RetAddr  Args to Child              
0012d65c 7c90e89a 7c81ca5e ffffffff 00000003 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012d660 7c81ca5e ffffffff 00000003 00000000 ntdll!ZwTerminateProcess+0xc (FPO: [2,0,0])
0012d75c 7c81cab6 00000003 77e8f3b0 ffffffff kernel32!_ExitProcess+0x62 (FPO: [Non-Fpo])
*** WARNING: Unable to verify checksum for C:\Program Files\Sony\EverQuest Trilogy\eqgame.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Sony\EverQuest Trilogy\eqgame.exe
0012d770 005ba834 00000003 005ba973 00000003 kernel32!ExitProcess+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d7a8 005ba9aa 00000003 00000001 00000000 eqgame+0x1ba834
0012d9f0 005b794c 00000001 00000000 00867880 eqgame+0x1ba9aa
0012da24 00441160 00000035 00000000 00000000 eqgame+0x1b794c
*** WARNING: Unable to verify checksum for C:\MQ2-20050128\Release\MQ2Main.dll
0012dc30 011d3c51 00000001 0331e530 00490d77 eqgame+0x41160
0012dc3c 00490d77 00000001 00000000 0331e530 MQ2Main!CDisplayHook::ReloadUI_Detour+0x21 (FPO: [1,0,1]) (CONV: thiscall) [ C:\MQ2-20050128\MQ2Main\MQ2CleanUI.cpp @ 36]
*** WARNING: Unable to verify checksum for C:\Program Files\Sony\EverQuest Trilogy\EQGraphicsDX9.DLL
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Sony\EverQuest Trilogy\EQGraphicsDX9.DLL - 
0012dcd4 016c67a3 016c67ce 0012df70 c460ae58 eqgame+0x90d77
c45f5531 00000000 00000000 00000000 00000000 EQGraphicsDX9+0x167a3
That is after doing a /loadskin. Doesn't matter if using a custom or default UI. Does not matter if the map window is open.

What I did notice was when loading eq w/ MQ you get

Code:

[1848] [MQ2]
[1848] Initializing MQ2EQBugFix
[1848] 
[1216] Check exception: .\ApplicationUtils.cpp (147), DPG::GetExeNameFromHWND, addr = 0x10016973, last error = 5
[1216] Check exception: .\ApplicationUtils.cpp (147), DPG::GetExeNameFromHWND, addr = 0x10016973, last error = 5

Ziggy
a lesser mummy
Posts: 73
Joined: Sat Jun 26, 2004 5:30 pm

Post by Ziggy » Sat Jan 29, 2005 12:41 pm

Choakster wrote: So no, it doesn't matter if the map window is open or closed ..

That's what I've found. Just seems to be the action of deleting/re-creating that throws it.

The error handler is called directly, and it really looks like the message given has nothing to do with a buffer overrun/underrun, but is rather just some handy error handler to call.

Looking more into it when I can.

dont_know_at_all
Developer
Posts: 5450
Joined: Sun Dec 01, 2002 4:15 am
Location: Florida, USA

Post by dont_know_at_all » Sat Jan 29, 2005 4:08 pm

Fixed in latest zip.

Ziggy
a lesser mummy
Posts: 73
Joined: Sat Jun 26, 2004 5:30 pm

Post by Ziggy » Sat Jan 29, 2005 7:53 pm

My hero!