xezon / GenToolBugs


Memory corruption on connecting to Online Lobby #4

Open xezon opened 3 years ago

xezon commented 3 years ago

Application Verifier is enabled with "Basics" enabled. Memory corruption on connecting to Online Lobby.

ZH CD version game.dat

=======================================
VERIFIER STOP 00000010: pid 0x1BA8: Corrupted start stamp for heap block. 

    05771000 : Heap handle used in the call.
    4EB3EEB0 : Heap block involved in the operation.
    445CBFD8 : Size of the heap block.
    00000000 : Corrupted stamp value.

=======================================
This verifier stop is not continuable. Process will be terminated 
when you use the `go' debugger command.

=======================================
>    vrfcore.dll!_VerifierStopMessageEx()  + 0x5b8 bytes    
     vrfcore.dll!VfCoreRedirectedStopMessage()  + 0x80 bytes    
     verifier.dll!_VerifierStopMessage@40()  + 0x84 bytes    
     verifier.dll!_AVrfpDphReportCorruptedBlock@16()  + 0x2fc bytes    
     verifier.dll!_AVrfpDphCheckNormalHeapBlock@16()  + 0x11a bytes    
     verifier.dll!_AvrfpDphCheckPageHeapAllocation@8()  + 0x6b bytes    
     verifier.dll!_VerifierCheckPageHeapAllocation@8()  + 0x12 bytes    
     vfbasics.dll!_AVrfpRtlFreeHeap@12()  + 0x5b bytes    
     snmpapi.dll!_SnmpUtilOidFree@4()  + 0x24 bytes    
     snmpapi.dll!_SnmpUtilVarBindFree@4()  + 0x13 bytes    
     snmpapi.dll!_QueryToVarBindList@20()  + 0xb0 bytes    
     snmpapi.dll!_QueryListToVarBindList@20()  + 0x40 bytes    
     snmpapi.dll!_SnmpTfxQuery@20()  + 0x88 bytes    
     inetmib1.dll!_SnmpExtensionQuery@16()  + 0x1d bytes    
     game.dat!006ff8c5()              <-------- problem in game

```c
BOOL SNMP_FUNC_TYPE SnmpExtensionQuery(
  BYTE            bPduType,
  SnmpVarBindList *pVarBindList,
  AsnInteger32    *pErrorStatus,
  AsnInteger32    *pErrorIndex
);

typedef struct {
  AsnObjectName   name;
  AsnObjectSyntax value;
} SnmpVarBind;

typedef struct {
  SnmpVarBind *list;
  UINT        len;
} SnmpVarBindList;
```

It tries to free an unallocated SnmpVarBind from the list. Probably the pVarBindList argument is garbage.


The AsnAny structure passed in the SnmpVarBind* structure is invalid. The variable type contained in asnType is invalid. The structure looks as if it was memset to zero. The SnmpExtensionQuery function is used to process requests sent from the server.
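Added example, not code from this report or from the game: a caller-side sanity check over an SnmpVarBindList before it is handed to SnmpExtensionQuery, which catches exactly the zeroed var bind described above (no OID storage, asnType 0) instead of letting SnmpUtilVarBindFree run into the heap verifier. The structures are a local model mirroring the snmpapi declarations, and the ASN_* tag values are assumed to match snmp.h.

```c
#include <stddef.h>
#include <string.h>

/* Model of the snmpapi structures (field names follow the Windows SDK;
   the value union is omitted because only asnType matters here). */
typedef unsigned int UINT;
typedef struct { UINT idLength; UINT *ids; } AsnObjectIdentifier;
typedef AsnObjectIdentifier AsnObjectName;
typedef struct { unsigned char asnType; } AsnObjectSyntax;
typedef struct { AsnObjectName name; AsnObjectSyntax value; } SnmpVarBind;
typedef struct { SnmpVarBind *list; UINT len; } SnmpVarBindList;

/* BER tags a var bind may legitimately carry (assumed ASN_* values from
   snmp.h: INTEGER, OCTETSTRING, NULL, OBJECTIDENTIFIER, SEQUENCE,
   IPADDRESS, COUNTER32, GAUGE32, TIMETICKS, OPAQUE, COUNTER64, UINTEGER32). */
static int asn_type_known(unsigned char t) {
    switch (t) {
    case 0x02: case 0x04: case 0x05: case 0x06: case 0x30:
    case 0x40: case 0x41: case 0x42: case 0x43: case 0x44: case 0x46: case 0x47:
        return 1;
    default:
        return 0;
    }
}

/* Returns -1 if the list looks sane, -2 if the list header itself is bad,
   otherwise the index of the first var bind that must not reach the API. */
int varbindlist_check(const SnmpVarBindList *vbl) {
    if (vbl == NULL || (vbl->len > 0 && vbl->list == NULL)) return -2;
    for (UINT i = 0; i < vbl->len; i++) {
        const SnmpVarBind *vb = &vbl->list[i];
        /* A zeroed entry has ids == NULL: freeing it later is a heap error. */
        if (vb->name.ids == NULL || vb->name.idLength == 0) return (int)i;
        if (!asn_type_known(vb->value.asnType)) return (int)i;
    }
    return -1;
}

/* Constructed sample: one well-formed GET var bind (sysDescr.0 with an
   ASN_NULL value) next to a memset-to-zero entry like the one in the report. */
int demo(void) {
    UINT sysDescr[] = {1, 3, 6, 1, 2, 1, 1, 1, 0};
    SnmpVarBind good = { { 9, sysDescr }, { 0x05 } };
    SnmpVarBindList ok = { &good, 1 };
    SnmpVarBind zeroed;
    memset(&zeroed, 0, sizeof zeroed);
    SnmpVarBindList bad = { &zeroed, 1 };
    return varbindlist_check(&ok) == -1 && varbindlist_check(&bad) == 0;
}
```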