[Bug 29358] New: Vit Registry Fix 9.5 crashes when clicking "close" button in "about" dialog

wine-bugs at winehq.org
Fri Dec 16 11:35:18 CST 2011


http://bugs.winehq.org/show_bug.cgi?id=29358

             Bug #: 29358
           Summary: Vit Registry Fix 9.5 crashes when clicking "close"
                    button in "about" dialog
           Product: Wine
           Version: 1.3.34
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net
    Classification: Unclassified


Hello,

This is a bug split off from bug 7816:

http://bugs.winehq.org/show_bug.cgi?id=7816#c16

--- quote ---
It's also an issue with
http://www.vitsoft.org.ua/Download/Vit%20Registry%20Fix%20Free%20Edition%20Setup.exe
and Wine 1.3.19.

Steps to reproduce:
1) start application
2) click "about"
3) close "about" window
--- quote ---

Both bugs have nothing in common, except that the crashing apps are VB6 apps.

The crash:

--- snip ---
0023:Ret  window proc 0x6605f626
(hwnd=0x3036e,msg=WM_LBUTTONUP,wp=00000000,lp=00020029) retval=00000000
0023:Ret  user32.CallWindowProcA() retval=00000000 ret=016570cd
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x1657117 ip=01657117
tid=0023
0023:trace:seh:raise_exception  info[0]=00000001
0023:trace:seh:raise_exception  info[1]=00000001
0023:trace:seh:raise_exception  eax=00000000 ebx=6846a690 ecx=00000000
edx=00000000 esi=00000023 edi=01680458
0023:trace:seh:raise_exception  ebp=0032f808 esp=0032f7f4 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
...
Backtrace:
=>0 0x01657117 (0x0032f808)
  1 0x6842f2d2 WINPROC_wrapper+0x19() in user32 (0x0032f838)
  2 0x6842f427 call_window_proc+0xcd(hwnd=0x3036e, msg=0x202, wp=0, lp=0x20029,
result=0x32f8b8, arg=0x1657050)
[/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32
(0x0032f888)
  3 0x68431876 CallWindowProcA+0x63(func=0x1657050, hwnd=0x3036e, msg=0x202,
wParam=0, lParam=0x20029)
[/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:954] in user32
(0x0032f8c8)
  4 0x7bc64852 call_entry_point+0x29() in ntdll (0x0032f8f8)
  5 0x7bc64a7d relay_call+0x1bb(descr=0x6846f120, idx=0x50019, stack=0x32f95c)
[/home/focht/projects/wine/wine-git/dlls/ntdll/relay.c:435] in ntdll
(0x0032f948)
  6 0x68387ee9 in user32 (+0x7ee8) (0x0032f9a8)
  7 0x2b28bdee DefSubclassProc+0x16c(hWnd=0x3036e, uMsg=0x202, wParam=0,
lParam=0x20029)
[/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1267] in comctl32
(0x0032f9a8)
  8 0x2b310fac TOOLTIPS_SubclassProc+0x9b(hwnd=0x3036e, uMsg=0x202, wParam=0,
lParam=0x20029, uID=0x1, dwRef=0x60372)
[/home/focht/projects/wine/wine-git/dlls/comctl32/tooltips.c:2145] in comctl32
(0x0032f9e8)
  9 0x2b28be44 DefSubclassProc+0x1c2(hWnd=0x3036e, uMsg=0x202, wParam=0,
lParam=0x20029)
[/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1272] in comctl32
(0x0032fa38)
  10 0x2b28bb7b COMCTL32_SubclassProc+0x134(hWnd=0x3036e, uMsg=0x202, wParam=0,
lParam=0x20029)
[/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1214] in comctl32
(0x0032fa98)
  11 0x6842f2d2 WINPROC_wrapper+0x19() in user32 (0x0032fac8)
  12 0x6842f427 call_window_proc+0xcd(hwnd=0x3036e, msg=0x202, wp=0,
lp=0x20029, result=0x32fc48, arg=0x2b28ba46)
[/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32
(0x0032fb18)
  13 0x684317b3 WINPROC_call_window+0x211(hwnd=0x3036e, msg=0x202, wParam=0,
lParam=0x20029, result=0x32fc48, unicode=0, mapping=WMCHAR_MAP_DISPATCHMESSAGE)
[/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:908] in user32
(0x0032fb68)
  14 0x683f434c DispatchMessageA+0x17d(msg=0x32fd10)
[/home/focht/projects/wine/wine-git/dlls/user32/message.c:3742] in user32
(0x0032fc78)
  15 0x7bc64852 call_entry_point+0x29() in ntdll (0x0032fc98)
  16 0x7bc64a7d relay_call+0x1bb(descr=0x6846f120, idx=0x1009e, stack=0x32fcfc)
[/home/focht/projects/wine/wine-git/dlls/ntdll/relay.c:435] in ntdll
(0x0032fce8)
  17 0x68388b01 in user32 (+0x8b00) (0x0032fd38)
  18 0x6600a4a3 in msvbvm60 (+0xa4a2) (0x0032fd38)  
--- snip ---

The VB6 app subclasses controls, installing its own window proc thunks...

Convert hex opcodes to binary:

--- snip ---
0023:Call oleaut32.VarBstrCat(0014f254
L"5589E583C4F85731C08945FC8945F8EB0EE80000000083F802742185C07424E830000000837DF800750AE838000000E84D0000005F8B45FCC9C21000E826000000EBF168000000006AFCFF7508E800000000EBE031D24ABF00000000B900000000E82D000000C3FF7514FF7510FF750CFF75086800000000E8000000008945FCC331D2BF00000000B900000000E801000000C3E33209",0049b38c
L"C978078B450CF2AF75278D4514508D4510508D450C508D4508508D45FC508D45F85052B800000000508B00FF90A4070000C3",0032f4e4)
ret=660e5f4d
...
0023:Call oleaut32.VarParseNumFromStr(0014e674
L"&H55",00000409,80000000,0032f4a0,0032f480) ret=660d31fd
...
0023:Call oleaut32.VarParseNumFromStr(01698094
L"&HC3",00000409,80000000,0032e75c,0032e73c) ret=660d31fd
0023:Ret  oleaut32.VarParseNumFromStr() retval=00000000 ret=660d31fd 
...
--- snip --- 

Alloc heap memory for window proc thunk:

0x01657050-0x01657118

--- snip ---
...
0023:Call KERNEL32.GlobalAlloc(00000000,000000c8) ret=0081bf65
0023:Ret  KERNEL32.GlobalAlloc() retval=01657050 ret=0081bf65
...
--- snip ---

Set window proc:

--- snip ---
0023:Call user32.SetWindowLongA(0003036e,fffffffc,01657050) ret=0081bf84 
0023:trace:win:WIN_SetWindowLong 0x3036e -4 1657050 A
0023:trace:win:alloc_winproc allocated 0xffff006c for A 0x1657050 (109/4096
used)
0023:Ret  user32.SetWindowLongA() retval=6605f626 ret=0081bf84 
...
--- snip --- 

Filling thunk with code:

--- snip ---
0023:Call ntdll.RtlMoveMemory(01657050,01665ba0,000000c8) ret=0081bfa7
0023:Ret  ntdll.RtlMoveMemory() retval=01657050 ret=0081bfa7 
...
--- snip --- 

Patch all intermodular calls:

--- snip ---
0023:Call ntdll.RtlMoveMemory(01657062,0032e770,00000004) ret=0081c825
0023:Ret  ntdll.RtlMoveMemory() retval=01657062 ret=0081c825 
...
0023:Call ntdll.RtlMoveMemory(01657094,0032e7a4,00000004) ret=0081c89d
0023:Ret  ntdll.RtlMoveMemory() retval=01657094 ret=0081c89d 
...
0023:Call ntdll.RtlMoveMemory(0165709e,0032e770,00000004) ret=0081c825
0023:Ret  ntdll.RtlMoveMemory() retval=0165709e ret=0081c825 
...
0023:Call ntdll.RtlMoveMemory(016570c4,0032e7a4,00000004) ret=0081c89d
0023:Ret  ntdll.RtlMoveMemory() retval=016570c4 ret=0081c89d 
...
0023:Call ntdll.RtlMoveMemory(016570c9,0032e770,00000004) ret=0081c825
0023:Ret  ntdll.RtlMoveMemory() retval=016570c9 ret=0081c825 
...
0023:Call ntdll.RtlMoveMemory(0165710a,0032e7a4,00000004) ret=0081c89d
0023:Ret  ntdll.RtlMoveMemory() retval=0165710a ret=0081c89d
...
0023:Call oleaut32.SysFreeString(016572bc
L"5589E583C4F85731C08945FC8945F8EB0EE80000000083F802742185C07424E830000000837DF800750AE838000000E84D0000005F8B45FCC9C21000E826000000EBF168000000006AFCFF7508E800000000EBE031D24ABF00000000B900000000E82D000000C3FF7514FF7510FF750CFF75086800000000E8000000008945FCC331D2BF00000000B900000000E801000000C3E33209C"...)
ret=660e60c0 
...
--- snip --- 

Subclassing once more (old = 01657050, new = 2b28ba46)...

--- snip ---
0023:Call user32.SetWindowLongA(0003036e,fffffffc,2b28ba46) ret=2b28b5d9
0023:trace:win:WIN_SetWindowLong 0x3036e -4 2b28ba46 A
0023:trace:win:alloc_winproc reusing 0xffff0069 for 0x2b28ba46
0023:Ret  user32.SetWindowLongA() retval=01657050 ret=2b28b5d9
...
0023:Call user32.CallWindowProcA(01657050,0003036e,00000055,00060372,00000003)
ret=2b28bdee
0023:Call window proc 0x1657050
(hwnd=0x3036e,msg=WM_NOTIFYFORMAT,wp=00060372,lp=00000003)
0023:Call user32.CallWindowProcA(6605f626,0003036e,00000055,00060372,00000003)
ret=016570cd
0023:Call window proc 0x6605f626
(hwnd=0x3036e,msg=WM_NOTIFYFORMAT,wp=00060372,lp=00000003) 
...
0023:Call user32.CallWindowProcA(01657050,0003036e,00000046,00000000,0032ebc8)
ret=2b28bdee
0023:Call window proc 0x1657050
(hwnd=0x3036e,msg=WM_WINDOWPOSCHANGING,wp=00000000,lp=0032ebc8)
0023:Call user32.CallWindowProcA(6605f626,0003036e,00000046,00000000,0032ebc8)
ret=016570cd
0023:Call window proc 0x6605f626
(hwnd=0x3036e,msg=WM_WINDOWPOSCHANGING,wp=00000000,lp=0032ebc8) 
--- snip ---

Destruction of windows/controls and restoration of old window proc:
NOTE: the subclassed window proc thunk memory is released here!

--- snip ---
...
0023:Call user32.SetWindowLongA(0003036e,fffffffc,6605f626) ret=0081c270
0023:trace:win:WIN_SetWindowLong 0x3036e -4 6605f626 A
0023:trace:win:alloc_winproc reusing 0xffff0028 for 0x6605f626
0023:Ret  user32.SetWindowLongA() retval=2b28ba46 ret=0081c270 
...
0023:Call ntdll.RtlMoveMemory(016570ad,0032f0d8,00000004) ret=0081c89d
0023:Ret  ntdll.RtlMoveMemory() retval=016570ad ret=0081c89d 
...
0023:Call ntdll.RtlMoveMemory(016570d9,0032f0d8,00000004) ret=0081c89d
0023:Ret  ntdll.RtlMoveMemory() retval=016570d9 ret=0081c89d
...
0023:Call KERNEL32.GlobalFree(01657050) ret=0081c2a6
0023:Ret  KERNEL32.GlobalFree() retval=00000000 ret=0081c2a6 
...
0023:Ret  window proc 0x6605f626
(hwnd=0x3036e,msg=WM_DESTROY,wp=00000000,lp=00000000) retval=00000000
0023:trace:win:WIN_DestroyWindow 0x3036e
0023:trace:msg:WINPROC_CallProcWtoA
(hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000)
0023:Call window proc 0x6605f626
(hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000) 
...
0023:Call user32.DefWindowProcA(0003036e,00000082,00000000,00000000)
ret=6605d591
0023:Ret  user32.DefWindowProcA() retval=00000000 ret=6605d591
0023:Ret  window proc 0x6605f626
(hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000) retval=00000000
0023:trace:win:dc_hook hDC = 0xc534, 1
0023:Ret  user32.DestroyWindow() retval=00000001 ret=6605b4f6 
--- snip --- 

What the thunk looks like (virtual addresses from another run, so they don't
match the other trace snippets):

--- snip ---
0165A040    55              PUSH EBP
0165A041    89E5            MOV EBP,ESP
0165A043    83C4 F8         ADD ESP,-8
0165A046    57              PUSH EDI 
...
0165A0FF    8B00            MOV EAX,DWORD PTR DS:[EAX]
0165A101    FF90 A4070000   CALL DWORD PTR DS:[EAX+7A4]
0165A107    C3              RETN 
--- snip ---

Memory dump while the thunk was intact (virtual addresses from another run, so
they don't match the other trace snippets):

--- snip ---
0165F780   000000C8  <len>
0165F784   00455355  USE <magic>
0165F788   83E58955  <window proc start>
0165F78C   3157F8C4
...
0165F844   8B500000
0165F848   A490FF00
0165F84C   C3000007  <window proc start end = ret opcode>
0165F850   00000071  <len>
0165F854   45455246  FREE <magic>
0165F858   001100E8
0165F85C   001100D8
0165F860   00000000
--- snip ---

When the window proc memory chunk was marked free, the "c3" opcode (= "ret") was
overwritten, which leads to the crash after returning from the call "CALL DWORD
PTR DS:[EAX+7A4]" (0165A101).

A window/control hierarchy destruction sequence happens while in nested message
handling for WM_LBUTTONUP ("about" dialog, tooltip).

Either the nested message handling (COMCTL32_SubclassProc) has a bug or this
might be an application bug which is hidden in Windows due to different heap
management (ret opcode not immediately overwritten upon heap free operation,
allowing the window proc to return to its caller).

$ sha1sum "Vit Registry Fix Free Edition Setup.exe"
0319916dff8a57ab11a1796f3fff817379936fae  Vit Registry Fix Free Edition Setup.exe

$ wine --version
wine-1.3.34-353-g6fe14a0

Regards
