[Bug 14726] AW broser crashes, starts fine with native wininet

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Aug 2 05:29:40 CDT 2008


http://bugs.winehq.org/show_bug.cgi?id=14726


Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net




--- Comment #2 from Anastasius Focht <focht at gmx.net>  2008-08-02 05:29:39 ---
Hello,

When the app queries proxy info using InternetQueryOptionA(
..INTERNET_OPTION_PROXY ..), Wine initializes the out buffer incorrectly,
letting the app believe there is proxy info, which results in a crash when
accessing the buffer.

Consider the following:

--- snip dlls/wininet/internet.c ---
DWORD INET_QueryOption(DWORD option, void *buffer, DWORD *size, BOOL unicode)
{ 
..
 case INTERNET_OPTION_PROXY: {
        WININETAPPINFOW ai;

        TRACE("Getting global proxy info\n");
        memset(&ai, 0, sizeof(WININETAPPINFOW));
        INTERNET_ConfigureProxy(&ai);

        return APPINFO_QueryOption(&ai.hdr, INTERNET_OPTION_PROXY, buffer,
                                   size, unicode); /* FIXME */
    } 
..
}
--- snip dlls/wininet/internet.c ---

WININETAPPINFOW is zero initialized.
If INTERNET_ConfigureProxy() doesn't find any suitable info, the buffer is left
untouched.

Now the filling of return/out buffer data:

--- snip dlls/wininet/internet.c ---
static DWORD APPINFO_QueryOption(WININETHANDLEHEADER *hdr, DWORD option,
                                 void *buffer, DWORD *size, BOOL unicode)
{
 ..
 ..
 case INTERNET_OPTION_PROXY: 
 ..
      INTERNET_PROXY_INFOA *pi = (INTERNET_PROXY_INFOA *)buffer; 
 ..
      pi->dwAccessType = ai->dwAccessType;
      pi->lpszProxy = NULL;
      pi->lpszProxyBypass = NULL; 
 ..
}
--- snip dlls/wininet/internet.c ---

Due to default initialization, pi->dwAccessType == 0 (which is actually
INTERNET_OPEN_TYPE_PRECONFIG = invalid anyway because it's only used for
setting info).

After InternetQueryOptionA() returns, the app checks pi->dwAccessType ==
INTERNET_OPEN_TYPE_DIRECT and if different, it tries to read the proxy info.
When accessing pi->lpszProxy it obviously crashes (sloppy app devs, not
checking for pi->lpszProxy == NULL).

Wine should initialize pi->dwAccessType with INTERNET_OPEN_TYPE_DIRECT if proxy
settings can't be determined, e.g. when ai->dwAccessType == 0 (one-liner
ternary).
Be sure to cover both the ANSI and Unicode paths.

As a side note ... the app is protected with PC Guard 5.x, making analysis ~5
minutes longer ;-)

Regards
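
The failure mode and the suggested fix from the comment above, as a stand-alone model. This is an added example, not Wine's source and not code from the original comment: the `proxy_info`/`app_info` structs and the `query_proxy_*` and `caller_proxy_len` functions are hypothetical stand-ins, and the constants are defined locally with their wininet.h values.

```c
#include <stdio.h>
#include <string.h>

/* Defined locally so the model builds without wininet.h */
#define INTERNET_OPEN_TYPE_PRECONFIG 0
#define INTERNET_OPEN_TYPE_DIRECT    1
#define INTERNET_OPEN_TYPE_PROXY     3

/* Hypothetical stand-ins for INTERNET_PROXY_INFOA and the app-info state */
typedef struct { unsigned long dwAccessType; const char *lpszProxy;
                 const char *lpszProxyBypass; } proxy_info;
typedef struct { unsigned long dwAccessType; const char *proxy; } app_info;

/* Shape of the reported bug: a zero-initialised access type is copied out
 * as-is, so the caller sees "not DIRECT" together with a NULL proxy string. */
void query_proxy_buggy(const app_info *ai, proxy_info *pi)
{
    pi->dwAccessType = ai->dwAccessType;
    pi->lpszProxy = ai->proxy;            /* NULL when nothing was configured */
    pi->lpszProxyBypass = NULL;
}

/* Shape of the suggested fix: fall back to DIRECT when nothing was found. */
void query_proxy_fixed(const app_info *ai, proxy_info *pi)
{
    pi->dwAccessType = ai->dwAccessType ? ai->dwAccessType
                                        : INTERNET_OPEN_TYPE_DIRECT;
    pi->lpszProxy = ai->proxy;
    pi->lpszProxyBypass = NULL;
}

/* Caller logic as described in the comment, plus the NULL check the app
 * lacked. Returns 0 for direct, -1 for the inconsistent state, else the
 * length of the proxy string. */
int caller_proxy_len(const proxy_info *pi)
{
    if (pi->dwAccessType == INTERNET_OPEN_TYPE_DIRECT) return 0;
    if (pi->lpszProxy == NULL) return -1; /* the app would dereference here */
    return (int)strlen(pi->lpszProxy);
}

int main(void)
{
    app_info none = { 0, NULL };          /* constructed: no proxy configured */
    proxy_info pi;
    query_proxy_buggy(&none, &pi);
    printf("buggy: type=%lu caller=%d\n", pi.dwAccessType, caller_proxy_len(&pi));
    query_proxy_fixed(&none, &pi);
    printf("fixed: type=%lu caller=%d\n", pi.dwAccessType, caller_proxy_len(&pi));
    return 0;
}
```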

