[Bug 22829] Sysinternals RAMMap crashes (shell32.CommandLineToArgvW needs to include terminating NULL element in returned array of pointers)

wine-bugs at winehq.org
Sat Apr 7 06:07:25 CDT 2012


http://bugs.winehq.org/show_bug.cgi?id=22829

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                                           |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                                       |NEW
                URL|http://download.sysinternals.com/Files/RAMMap.zip |http://technet.microsoft.com/en-us/sysinternals/ff700229
          Component|-unknown                                          |shell32
                 CC|                                                  |focht at gmx.net
     Ever Confirmed|0                                                 |1
            Summary|Sysinternals RAMMap crashes                       |Sysinternals RAMMap crashes (shell32.CommandLineToArgvW needs to include terminating NULL element in returned array of pointers)

--- Comment #4 from Anastasius Focht <focht at gmx.net> 2012-04-07 06:07:25 CDT ---
Hello,

confirming. It seems the app expects CommandLineToArgvW() to return a
terminating NULL element in the returned array of pointers.

MSDN:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb776391%28v=vs.85%29.aspx

There is a comment in the community section (non-Microsoft) stating:

--- quote ---
No extra NULL element
Unlike main and wmain, CommandLineToArgvW does not have an extra element of
argv[argc] == NULL. Trying to do this will result in reading past the end of
the pointer list. 
--- quote ---

This doesn't seem true.

The application code does _exactly_ that: it ignores the returned "argc" value
and loops through the returned pointer list looking for a terminating NULL element.

Relevant application code, annotated:

--- snip ---
0040EB18  33FF            XOR EDI,EDI
...
0040EB45  8D4424 44       LEA EAX,[LOCAL.165] ; __out  int *pNumArgs
0040EB49  50              PUSH EAX
0040EB4A  897C24 14       MOV DWORD PTR SS:[LOCAL.178],EDI
0040EB4E  FF15 50B24200   CALL DWORD PTR DS:[<&KERNEL32.GetCommandLineW>]
0040EB54  50              PUSH EAX ; lpCmdLine
0040EB55  FF15 ACB24200   CALL DWORD PTR DS:[<&SHELL32.CommandLineToArgvW>]
0040EB5B  8BF0            MOV ESI,EAX
0040EB5D  897C24 14       MOV DWORD PTR SS:[LOCAL.177],EDI ; local_argc = 0
0040EB61  393E            CMP DWORD PTR DS:[ESI],EDI ; argv[0] == NULL ?
0040EB63  0F84 8A000000   JE 0040EBF3
0040EB69  8BDE            MOV EBX,ESI
arg_store_loop:
0040EB6B  68 F8164300     PUSH OFFSET 004316F8
...
0040EB97  FF4424 14       INC DWORD PTR SS:[LOCAL.177]
...
0040EBD9  8B4424 14       MOV EAX,DWORD PTR SS:[LOCAL.177]
0040EBDD  8D1C86          LEA EBX,[EAX*4+ESI]
0040EBE0  833B 00         CMP DWORD PTR DS:[EBX],0
0040EBE3  75 86           JNE SHORT 0040EB6B ; arg_store_loop
--- snip ---

Calling the app with some arguments:

--- snip ---
$ wine ./RAMMap.exe arg1 arg2 arg3
--- snip ---

Dump of the corresponding memory block Wine returns (heap metadata prepended for
convenience):

--- snip ---
0012C438   00000078   
0012C43C   00455355   USE
0012C440   0012C450   ; UNICODE "Z:\home\focht\Downloads\RAMMap.exe"
0012C444   0012C49A   ; UNICODE "arg1"
0012C448   0012C4A4   ; UNICODE "arg2"
0012C44C   0012C4AE   ; UNICODE "arg3"
0012C450   003A005A   Z :
0012C454   0068005C   \ h
0012C458   006D006F   o m
0012C45C   005C0065   e \
0012C460   006F0066   f o
0012C464   00680063   c h
0012C468   005C0074   t \
0012C46C   006F0044   D o
0012C470   006E0077   w n
0012C474   006F006C   l o
0012C478   00640061   a d
0012C47C   005C0073   s \
0012C480   00410052   R A
0012C484   004D004D   M M
0012C488   00700061   a p
0012C48C   0065002E   . e
0012C490   00650078   x e
0012C494   00220000   
0012C498   00610020     a
0012C49C   00670072   r g
0012C4A0   00000031   1
0012C4A4   00720061   a r
0012C4A8   00320067   g 2
0012C4AC   00610000     a
0012C4B0   00670072   r g
0012C4B4   00000033   3
--- snip ---

Iteration 5: "argv[4]" -> 0x0012C450 -> dereference: 0x003A005A (already part
of the argv[0] string).
The address is mapped by chance (thread stack at 0x3A0000), so it does not trigger a
page fault.

Iteration 6: "argv[5]" -> 0x0012C454 -> dereference: 0x0068005C
This virtual address is not mapped, triggering fault, crashing the app.

Source:
http://source.winehq.org/git/wine.git/blob/f445325999ebf3afd0b7df0e5c1a31eebe7b8b0c:/dlls/shell32/shell32_main.c#l57

RAMMap v1.11 By Mark Russinovich and Bryce Cogswell
Published: May 18, 2011

$ sha1sum RAMMap.exe 
7f24fc771549d159d1ae4b3ea6e314750ce07a70  RAMMap.exe

$ wine --version
wine-1.5.1-169-g1c62c9f

Regards
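The pointer-array contract this comment describes, as an added example that is neither Wine's nor Sysinternals' code: a minimal whitespace-only splitter (quoting rules deliberately ignored) that packs the pointer table and the strings into one block the way the dump above shows, but with argv[argc] == NULL, next to the NULL-terminated walk the disassembly performs. All function names are assumptions for illustration.

```c
#include <stdlib.h>
#include <wchar.h>

/* Example code, not Wine's: split cmdline on spaces into one heap block laid
 * out as [argc + 1 pointers][string bytes], the last pointer being NULL. */
wchar_t **split_cmdline(const wchar_t *cmdline, int *num_args)
{
    size_t len = wcslen(cmdline), i;
    int argc = 0, n = 0;
    wchar_t **argv, *dst;

    /* Pass 1: count arguments, i.e. runs of non-space characters. */
    for (i = 0; i < len; i++)
        if (cmdline[i] != L' ' && (i == 0 || cmdline[i - 1] == L' '))
            argc++;

    /* argc + 1 pointers (the extra one is the NULL terminator), then strings.
     * Each run's NUL replaces the space after it, so len + 1 wchar_t suffice. */
    argv = malloc((argc + 1) * sizeof(*argv) + (len + 1) * sizeof(wchar_t));
    if (!argv) return NULL;
    dst = (wchar_t *)(argv + argc + 1);

    /* Pass 2: copy each run, NUL-terminate it, record its pointer. */
    for (i = 0; i < len; i++) {
        if (cmdline[i] == L' ') continue;
        argv[n++] = dst;
        while (i < len && cmdline[i] != L' ') *dst++ = cmdline[i++];
        *dst++ = L'\0';
    }
    argv[n] = NULL;          /* the element RAMMap's loop relies on */
    *num_args = argc;
    return argv;
}

/* The walk the disassembly above performs: ignore argc, stop at the NULL. */
int count_until_null(wchar_t **argv)
{
    int n = 0;
    while (argv[n]) n++;
    return n;
}

/* Returns the argument count when the NULL-terminated walk agrees with the
 * reported count (and argv[argc] really is NULL), -1 otherwise. */
int checked_arg_count(const wchar_t *cmdline)
{
    int argc, walked;
    wchar_t **argv = split_cmdline(cmdline, &argc);
    if (!argv) return -1;
    walked = (argv[argc] == NULL) ? count_until_null(argv) : -1;
    free(argv);
    return walked == argc ? walked : -1;
}
```

Without the trailing NULL the walk in count_until_null() would read the first string's characters as a pointer, exactly as iterations 5 and 6 above show.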
