[Bug 30329] New: Total Commander 8.0 64-bits beta installer crashes due to pointer truncation (image base address > 4 GiB)

wine-bugs at winehq.org
Sun Apr 1 11:01:13 CDT 2012


http://bugs.winehq.org/show_bug.cgi?id=30329

             Bug #: 30329
           Summary: Total Commander 8.0 64-bits beta installer crashes due
                    to pointer truncation (image base address > 4 GiB)
           Product: Wine
           Version: 1.5.1
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net
    Classification: Unclassified


Hello,

the extracted installer "INSTALL.EXE" (64 bits PE binary) can be run alone from
"wc0" temp folder.
The installer tries to fill a list box with language strings.

--- snip ---
0026:Starting process L"Z:\\home\\focht\\Downloads\\wc0\\INSTALL.EXE"
(entryproc=0x14000cca0) 
...
0026:Call KERNEL32.GetPrivateProfileStringA(140019788 "languages",0022dc90
"18",140019786 "",0022dcf0,00000103,1400226c0
"Z:\\home\\focht\\Downloads\\wc0\\INSTALL.inf") ret=140001c0d
0026:Ret  KERNEL32.GetPrivateProfileStringA() retval=00000013 ret=140001c0d
0026:Call KERNEL32.GetLastError() ret=14000e5c0
0026:Ret  KERNEL32.GetLastError() retval=00000000 ret=14000e5c0
0026:Call KERNEL32.GetLastError() ret=14000e5c0
0026:Ret  KERNEL32.GetLastError() retval=00000000 ret=14000e5c0
0026:Call
user32.SendDlgItemMessageA(0001007e,00000064,00000180,00000000,0022dcf0)
ret=140001cd1
0026:Call window proc 0x7f45d4b788ef
(hwnd=0x10086,msg=LB_ADDSTRING,wp=00000000,lp=0022dcf0)
0026:Ret  window proc 0x7f45d4b788ef
(hwnd=0x10086,msg=LB_ADDSTRING,wp=00000000,lp=0022dcf0) retval=00000011
0026:Ret  user32.SendDlgItemMessageA() retval=00000011 ret=140001cd1
0026:Call user32.GetDlgItem(0001007e,00000004) ret=140001cfb
0026:Ret  user32.GetDlgItem() retval=0001008a ret=140001cfb
0026:Call user32.ShowWindow(0001008a,00000000) ret=140001d06
0026:Call window proc 0x7f45d4b78593
(hwnd=0x1008a,msg=WM_SHOWWINDOW,wp=00000000,lp=00000000)
0026:Ret  window proc 0x7f45d4b78593
(hwnd=0x1008a,msg=WM_SHOWWINDOW,wp=00000000,lp=00000000) retval=00000000
0026:Ret  user32.ShowWindow() retval=00000001 ret=140001d06
0026:Call
user32.SendDlgItemMessageA(0001007e,00000064,00000181,00000012,40019670)
ret=140001d30
0026:Call window proc 0x7f45d4b788ef
(hwnd=0x10086,msg=LB_INSERTSTRING,wp=00000012,lp=40019670)
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b8633f9
ip=7b8633f9 tid=0026
0026:trace:seh:raise_exception  info[0]=0000000000000000
0026:trace:seh:raise_exception  info[1]=0000000040019670
0026:trace:seh:raise_exception  rax=0000000000000000 rbx=0000000000000026
rcx=ffffffffffffffff rdx=0000000040019670
0026:trace:seh:raise_exception  rsi=0000000000000181 rdi=0000000040019670
rbp=000000000022d2d0 rsp=000000000022d1a0
0026:trace:seh:raise_exception   r8=0000000040019670  r9=00000000ffffffff
r10=0000000000000008 r11=000000399ab7c680
0026:trace:seh:raise_exception  r12=000000000001f0ac r13=00000001400226c0
r14=0000000000000000 r15=00000001400226c0
--- snip --- 

The reason for the crash is a 32-bit pointer truncation, i.e. an application bug.
Most likely the original code was Win32 and was ported to Win64 with some
casts still in there.

(annotated)

--- snip ---
.text:0000000140001D0D  movsxd  rax, cs:dword_14001F030
.text:0000000140001D14  movsxd  r9, r11d ; wParam
.text:0000000140001D17  mov     edx, 64h ; nIDDlgItem
.text:0000000140001D1C  mov     r8d, 181h ; Msg, LB_INSERTSTRING
.text:0000000140001D22  mov     rcx, rdi ; hDlg
.text:0000000140001D25  mov     [rsp+20h], rax
.text:0000000140001D2A  call    cs:SendDlgItemMessageA
--- snip ---

The data reference (I only decoded the 32-bit part to show the 32-bit access):

--- snip ---
.data:000000014001F030 dword_14001F030 dd 40019670h
.data:000000014001F034                 db    1
.data:000000014001F035                 db    0
.data:000000014001F036                 db    0
.data:000000014001F037                 db    0
--- snip ---

Page fault address: 0000000040019670

If referenced as 64 bits (0x140019670) it would be correct:

--- snip ---
.rdata:0000000140019670                 db  4Fh ; O
.rdata:0000000140019671                 db  74h ; t
.rdata:0000000140019672                 db  68h ; h
.rdata:0000000140019673                 db  65h ; e
.rdata:0000000140019674                 db  72h ; r
.rdata:0000000140019675                 db  20h
...
--- snip ---

Using the "dumpbin" tool from Visual Studio/Express/SDK on the executable gives:

--- snip ---
Dump of file INSTALL.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               5 number of sections
        4EE124C5 time date stamp Thu Dec 08 21:57:41 2011
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              23 characteristics
                   Relocations stripped
                   Executable
                   Application can handle large (>2GB) addresses

OPTIONAL HEADER VALUES
             20B magic # (PE32+)
            8.00 linker version
           17800 size of code
            D800 size of initialized data
               0 size of uninitialized data
            CCA0 entry point (000000014000CCA0)
            1000 base of code
       140000000 image base (0000000140000000 to 0000000140028FFF)
            1000 section alignment
             200 file alignment
            4.00 operating system version
            0.00 image version
            5.02 subsystem version
               0 Win32 version
           29000 size of image
             400 size of headers
           303B3 checksum
               2 subsystem (Windows GUI)
            8000 DLL characteristics
                   Terminal Server Aware
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           1D7D8 [      64] RVA [size] of Import Directory
           26000 [    23F8] RVA [size] of Resource Directory
           24000 [    10F8] RVA [size] of Exception Directory
           22400 [    1780] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
           19000 [     5E8] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory
--- snip ---

Section headers:

--- snip ---
SECTION HEADER #1
   .text name
   176BE virtual size
    1000 virtual address (0000000140001000 to 00000001400186BD)
   17800 size of raw data
     400 file pointer to raw data (00000400 to 00017BFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
  .rdata name
    5B1C virtual size
   19000 virtual address (0000000140019000 to 000000014001EB1B)
    5C00 size of raw data
   17C00 file pointer to raw data (00017C00 to 0001D7FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Section contains the following imports:

    KERNEL32.dll
             1400190D8 Import Address Table
             14001D918 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference
...
SECTION HEADER #3
   .data name
    4478 virtual size
   1F000 virtual address (000000014001F000 to 0000000140023477)
    1600 size of raw data
   1D800 file pointer to raw data (0001D800 to 0001EDFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write
...
SECTION HEADER #4
  .pdata name
    10F8 virtual size
   24000 virtual address (0000000140024000 to 00000001400250F7)
    1200 size of raw data
   1EE00 file pointer to raw data (0001EE00 to 0001FFFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only
...
SECTION HEADER #5
   .rsrc name
    23F8 virtual size
   26000 virtual address (0000000140026000 to 00000001400283F7)
    2400 size of raw data
   20000 file pointer to raw data (00020000 to 000223FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only
--- snip ---

The image load base of 0x0000000140000000 (> 4 GiB address space) is probably
meant to catch such 32- vs. 64-bit porting errors.
When pointers are stored as 32 bits they get truncated, hence triggering the page
fault seen here.

I've looked into the Total Commander forum
(http://www.ghisler.ch/board/index.php?language=english) but didn't find any
bug reports about the installer crashing on Win64, so I assume this installer
somehow runs despite the bug.

It would be nice if someone with Win64 could verify this.
Maybe the loader does something different on Win64?

Even if the bug is invalid, it's probably good to have one bug to collect such
misbehaving apps. I suspect there are more apps out there.

Regards

-- 
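The following C program is an added example and is not part of the bug report or of the Total Commander installer. It models the truncation seen in the disassembly above: a 64-bit pointer is stored in a 32-bit `dd` slot and reloaded with `movsxd` (sign extension). The image base (0x140000000) and size of image (0x29000) are the values from the dumpbin output; the Win32-style base 0x400000 and the address 0x180010000 are constructed to show the two other outcomes (silent survival, and sign extension into the upper half of the address space).

```c
/* Added example: modelling 32-bit pointer truncation of 64-bit image addresses.
 * Not code from the bug report or the installer; constants marked "report"
 * come from the dumpbin output, everything else is constructed. */
#include <stdint.h>
#include <stdio.h>

#define IMAGE_BASE        0x140000000ULL  /* report: image base          */
#define SIZE_OF_IMAGE     0x29000ULL      /* report: size of image       */
#define WIN32_IMAGE_BASE  0x400000ULL     /* constructed: classic Win32  */

/* Store a 64-bit address in a 32-bit dword (keeps the low 32 bits) and
 * reload it the way "movsxd rax, dword" does, i.e. sign-extended. */
uint64_t truncate_and_sign_extend(uint64_t addr)
{
    int32_t stored = (int32_t)(uint32_t)addr;   /* the "dd 40019670h" slot */
    return (uint64_t)(int64_t)stored;           /* movsxd                  */
}

/* 1 if addr lies inside [base, base + size). */
int in_image(uint64_t addr, uint64_t base, uint64_t size)
{
    return addr >= base && addr < base + size;
}

/* 1 if the store/reload round trip returns the original address. */
int survives_roundtrip(uint64_t addr)
{
    return truncate_and_sign_extend(addr) == addr;
}

/* Outcome of dereferencing the reloaded value:
 *   0 = address unchanged (bug stays silent)
 *   1 = truncated into the low 4 GiB, outside the image (page fault, as here)
 *   2 = sign-extended into the upper half of the address space (page fault) */
int classify(uint64_t addr)
{
    uint64_t r = truncate_and_sign_extend(addr);
    if (r == addr)
        return 0;
    return (r >> 63) ? 2 : 1;
}

/* 1 if every address in an image at base/size survives the round trip.
 * Sign extension preserves an address only when it is below 0x80000000
 * (or already in the upper half), so a base above 4 GiB guarantees that
 * no truncated pointer into the image can ever be reloaded intact. */
int image_tolerates_truncation(uint64_t base, uint64_t size)
{
    uint64_t last = base + size - 1;
    return last < 0x80000000ULL || base >= 0xFFFFFFFF80000000ULL;
}

int main(void)
{
    uint64_t p = 0x140019670ULL;            /* report: "Other ..." string  */
    printf("stored 0x%llx, reloaded as 0x%llx, in image: %d\n",
           (unsigned long long)p,
           (unsigned long long)truncate_and_sign_extend(p),
           in_image(truncate_and_sign_extend(p), IMAGE_BASE, SIZE_OF_IMAGE));
    printf("image at 0x%llx tolerates truncation: %d\n",
           (unsigned long long)IMAGE_BASE,
           image_tolerates_truncation(IMAGE_BASE, SIZE_OF_IMAGE));
    printf("image at 0x%llx tolerates truncation: %d\n",
           (unsigned long long)WIN32_IMAGE_BASE,
           image_tolerates_truncation(WIN32_IMAGE_BASE, SIZE_OF_IMAGE));
    return 0;
}
```

The reload of 0x140019670 yields 0x40019670, the exact page fault address in the trace, and it lies outside the image range, so the fault is deterministic. With a Win32-style base the same code would round-trip every pointer unchanged and the bug would go unnoticed, which is why a > 4 GiB image base is useful as a porting check and why this crash reproduces the same way on every run.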