[Bug 25249] Leonardo.exe from ENVI-met (microclimate model simulation software) crashes due to strict comctl32.151 (CreateMRUListLazyA) input parameter validation
wine-bugs at winehq.org
Fri Dec 16 17:11:26 CST 2011
http://bugs.winehq.org/show_bug.cgi?id=25249
Anastasius Focht <focht at gmx.net> changed:
What | Removed | Added
----------------------------------------------------------------------------
Status | UNCONFIRMED | NEW
Keywords | | download
URL | | http://www.envi-met.com/download30.htm
Component | -unknown | comctl32
CC | | focht at gmx.net
Ever Confirmed | 0 | 1
Summary | Leonardo.exe crashes: Process /usr/bin/wine-preloader was killed by signal 11 (SIGSEGV) | Leonardo.exe from ENVI-met (microclimate model simulation software) crashes due to strict comctl32.151 (CreateMRUListLazyA) input parameter validation
--- Comment #2 from Anastasius Focht <focht at gmx.net> 2011-12-16 17:11:26 CST ---
Hello,
confirming.
Looks like comctl32.151 -> CreateMRUListLazyA (MRU list) is the culprit here.
--- snip ---
...
0023:Call KERNEL32.CompareStringA(00000800,00000001,1a7bf178 "TJvMruList",0000000a,1a7bee18 "TJvMruList",0000000a) ret=00404c23
0023:Ret KERNEL32.CompareStringA() retval=00000002 ret=00404c23
0023:Call KERNEL32.SetErrorMode(00008000) ret=00410b1f
0023:Ret KERNEL32.SetErrorMode() retval=00000000 ret=00410b1f
0023:Call KERNEL32.LoadLibraryA(005180c8 "COMCTL32.DLL") ret=00410b4e
0023:Ret KERNEL32.LoadLibraryA() retval=68660000 ret=00410b4e
...
0023:Call comctl32.151(0032f858) ret=00517e28
0023:Ret comctl32.151() retval=00000000 ret=00517e28
0023:Call user32.LoadStringA(00400000,0000fe92,0032e818,00001000) ret=00407fbb
0023:Ret user32.LoadStringA() retval=00000014 ret=00407fbb
0023:Call KERNEL32.RaiseException(0eedfade,00000001,00000007,0032f828) ret=00517e48
0023:trace:seh:raise_exception code=eedfade flags=1 addr=0x7b838b5b ip=7b838b5b tid=0023
0023:trace:seh:raise_exception info[0]=00517e48
0023:trace:seh:raise_exception info[1]=1a7b5620
0023:trace:seh:raise_exception info[2]=1a77d1d8
0023:trace:seh:raise_exception info[3]=00156654
0023:trace:seh:raise_exception info[4]=00156654
0023:trace:seh:raise_exception info[5]=0032f870
0023:trace:seh:raise_exception info[6]=0032f844
0023:trace:seh:raise_exception eax=7b826171 ebx=7b8a97a8 ecx=00517e48 edx=0032f744 esi=0032f828 edi=0032f7a0
0023:trace:seh:raise_exception ebp=0032f788 esp=0032f724 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200203
--- snip ---
Debugging session:
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x69524ed7 CreateMRUListLazyA+0x12c(lpcml=0x33f858, dwParam2=0, dwParam3=0, dwParam4=0) [/home/focht/projects/wine/wine-git/dlls/comctl32/comctl32undoc.c:792] in comctl32 (0x0033f838)
  1 0x69524f4e CreateMRUListA+0x34(lpcml=0x33f858) [/home/focht/projects/wine/wine-git/dlls/comctl32/comctl32undoc.c:817] in comctl32 (0x0033f838)
2 0x00517e28 in leonardo (+0x117e27) (0x0033f870)
3 0x00517c0d in leonardo (+0x117c0c) (0x0033f8b0)
4 0x004259c6 in leonardo (+0x259c5) (0x0033f8f4)
5 0x0042558b in leonardo (+0x2558a) (0x0033f944)
...
Wine-dbg>info locals
0x69524ed7 CreateMRUListLazyA+0x12c: (0033f838)
MRUINFOA* lpcml=0x33f858 (parameterESP)
DWORD dwParam2=0 (parameterESP)
DWORD dwParam3=0 (parameterESP)
DWORD dwParam4=0 (parameterESP)
LPWINEMRULIST mp=0x23 (localESP)
DWORD len=0x69524daf (localESP)
...
Wine-dbg>p *lpcml
{cbSize=0x4, uMax=0xa, fFlags=0, hKey=0x80000001, lpszSubKey="Leonardo",
u={string_cmpfn=(nil), binary_cmpfn=(nil)}}
--- snip ---
cbSize = 4 doesn't survive Wine's input check:
http://source.winehq.org/git/wine.git/blob/cefcadcc38fac636061bb70a64f367a97cb1b8bc:/dlls/comctl32/comctl32undoc.c#l735
--- snip ---
HANDLE WINAPI CreateMRUListLazyA (const MRUINFOA *lpcml, DWORD dwParam2,
                                  DWORD dwParam3, DWORD dwParam4)
{
    LPWINEMRULIST mp;
    DWORD len;

    /* Native does not check for a NULL lpcml */

    if (lpcml->cbSize != sizeof(MRUINFOA) || !lpcml->hKey ||
        IsBadStringPtrA(lpcml->lpszSubKey, -1))
        return 0;
--- snip ---
The app checks the returned handle and, if it is zero, throws an external (Delphi)
exception (0xeedfade), which results in recursion, eating up the stack.
Pulling one of my JEDI mind tricks ... I found the JEDI source ;-)
http://www.koders.com/delphi/fidB7C89A98ECAD854275C6F0FE68AD6B80E2A3763B.aspx
Specifically "procedure TJvMruList.Open":
http://www.koders.com/delphi/fidB7C89A98ECAD854275C6F0FE68AD6B80E2A3763B.aspx#L579
--- snip ---
...
  FList: THandle;
...
procedure TJvMruList.Open;
var
  FLst: TMruRec;
begin
  if csDesigning in ComponentState then
    Exit;
  if FSubKey <> '' then
  begin
    FLst.cbSize := SizeOf(FList);
    FLst.nMaxItems := FMax;
    ...
    if UseUnicode then
      // Arioch changed this
      FLst.lpszSubKeyW := PWideChar(FSubKey)
    else
      FLst.lpszSubKey := PChar(GetSubKey);
    if UseUnicode then
      // Arioch changed this
      FList := CreateMruListW(@FLst)
    else
      FList := CreateMruList(@FLst);
    if FList = 0 then
      raise EMruException.Create(RC_ErrorMRU_Creating);
--- snip ---
"FLst.cbSize := SizeOf(FList);" will always evaluate to 4 bytes (sizeof handle).
Looks like a bug in JEDI library component that Windows tolerates?
$ sha1sum ENVImet_V31BETA5setup.exe
03d362af9e9222c70c4b4db2741ede43a917dced ENVImet_V31BETA5setup.exe
$ wine --version
wine-1.3.35
Regards
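As an added illustration (not code from the bug report, from Wine or from the JEDI library), the C program below models the cbSize check quoted above against a struct laid out like MRUINFOA, and fills it once the way TJvMruList.Open does (cbSize := SizeOf(FList), the size of a handle) and once with the size the API contract expects. The field layout follows the public MRUINFOA definition and the `p *lpcml` dump in the report; the validation function `mru_params_ok`, the `fill_like_jedi`/`fill_correct` helpers and the numeric HKEY_CURRENT_USER value are this example's own, and Wine's IsBadStringPtrA probe is replaced by a plain NULL test.

```c
/* Added example: models the cbSize validation in CreateMRUListLazyA and the
 * JEDI caller's mistake. Not Wine's or JEDI's code. Struct layout after the
 * public MRUINFOA definition; helper names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t DWORD;
typedef uint32_t UINT;
typedef void *HKEY;
typedef void *HANDLE;
typedef const char *LPCSTR;
typedef int (*MRUSTRINGCMPPROCA)(LPCSTR, LPCSTR);
typedef int (*MRUBINARYCMPPROC)(const void *, const void *, DWORD);

/* Predefined key value as it appears in the debugger dump (hKey=0x80000001). */
#define HKEY_CURRENT_USER ((HKEY)(uintptr_t)0x80000001u)

typedef struct tagMRUINFOA {
    DWORD  cbSize;       /* caller must set this to sizeof(MRUINFOA) */
    UINT   uMax;
    UINT   fFlags;
    HKEY   hKey;
    LPCSTR lpszSubKey;
    union {
        MRUSTRINGCMPPROCA string_cmpfn;
        MRUBINARYCMPPROC  binary_cmpfn;
    } u;
} MRUINFOA;

/* Stand-in for the strict check quoted from comctl32undoc.c: size, key and
 * subkey must all be plausible, otherwise the call returns 0 (no handle).
 * The NULL-lpcml test is this example's addition; Wine notes native skips it. */
int mru_params_ok(const MRUINFOA *lpcml)
{
    if (lpcml == NULL) return 0;
    if (lpcml->cbSize != sizeof(MRUINFOA)) return 0;  /* the check cbSize=4 fails */
    if (lpcml->hKey == NULL) return 0;
    if (lpcml->lpszSubKey == NULL) return 0;          /* NULL test instead of IsBadStringPtrA */
    return 1;
}

/* Fill the record the way TJvMruList.Open does: cbSize := SizeOf(FList),
 * and FList is a THandle, so cbSize becomes the size of a handle (4 on a
 * 32-bit build, the value seen in the debugger) rather than of the record. */
void fill_like_jedi(MRUINFOA *info, const char *subkey, UINT max_items)
{
    memset(info, 0, sizeof(*info));
    info->cbSize = (DWORD)sizeof(HANDLE);   /* bug: should be sizeof(*info) */
    info->uMax = max_items;
    info->hKey = HKEY_CURRENT_USER;
    info->lpszSubKey = subkey;
}

/* Same record with the size the contract expects. */
void fill_correct(MRUINFOA *info, const char *subkey, UINT max_items)
{
    fill_like_jedi(info, subkey, max_items);
    info->cbSize = (DWORD)sizeof(*info);
}

/* 1 if the JEDI-style record passes the strict check, 0 if it is rejected. */
int jedi_call_accepted(void)
{
    MRUINFOA info;
    fill_like_jedi(&info, "Leonardo", 10);  /* constructed values from the dump */
    return mru_params_ok(&info);
}

/* 1 if the correctly sized record passes the strict check. */
int correct_call_accepted(void)
{
    MRUINFOA info;
    fill_correct(&info, "Leonardo", 10);
    return mru_params_ok(&info);
}

int main(void)
{
    printf("sizeof(MRUINFOA)=%zu sizeof(HANDLE)=%zu\n", sizeof(MRUINFOA), sizeof(HANDLE));
    printf("JEDI-style cbSize accepted: %d\n", jedi_call_accepted());
    printf("correct cbSize accepted:    %d\n", correct_call_accepted());
    return 0;
}
```

On a 32-bit build sizeof(HANDLE) is 4, matching the cbSize=0x4 in the `p *lpcml` output; on a 64-bit build it is 8, still unequal to the record size, so the strict check rejects it either way. The report's point is that native comctl32 tolerates the wrong size while Wine's check does not, which is why the same application runs on Windows and fails here.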