[Bug 29552] Tropico 3 installer crashes with -fno-omit-frame-pointer

Sat Jan 7 14:15:41 CST 2012

http://bugs.winehq.org/show_bug.cgi?id=29552

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|build-env                   |shell32

--- Comment #3 from Anastasius Focht <focht at gmx.net> 2012-01-07 14:15:41 CST ---
Hello GyB,

--- quote ---
The crash occurs with the default -O2.
--- quote ---

Ok, I was building with default compiler settings but not Fedora distribution
compiler flags ("rpm --eval %{optflags}" -> "-g -O2") hence I didn't get the
crash.
The optimization level leads to different stack usage/local variable values so
"-fomit-frame-pointer" actually hides another bug.

The problem is hidden in shell32 get_known_folder_path_by_id()

The installer calls IKnownFolder::GetPath() but doesn't initialize the out
parameter explicitly (lives on stack some frames up).
Depending on previous calls stack usage there is a chance to encounter garbage.

It looks for game tasks folder using IKnownFolderManager as part of gameux
registration.
"C:\users\Public\Microsoft\Windows\GameExplorer" doesn't exist in clean
WINEPREFIX.

--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x739da051 SHGetFolderPathAndSubDirW+0x5e1(hwndOwner=(nil), nFolder=0x58,
hToken=0x0(nil), dwFlags=0, pszSubPath=0x0(nil),
pszPath="C:\users\Public\Microsoft\Windows\GameExplorer")
[/home/focht/projects/wine/wine-git/dlls/shell32/shellpath.c:2252] in shell32
(0x00f5e384)
  1 0x739da8f1 SHGetFolderPathW+0x40(hwndOwner=(nil), nFolder=0x58,
hToken=0x0(nil), dwFlags=0,
pszPath="C:\users\Public\Microsoft\Windows\GameExplorer")
[/home/focht/projects/wine/wine-git/dlls/shell32/shellpath.c:2086] in shell32
(0x00f5e3b4)
  2 0x739dcb71 SHGetKnownFolderPath+0x1d0(rfid=0x168218, flags=0,
token=0x0(nil), path=0xf5e760)
[/home/focht/projects/wine/wine-git/dlls/shell32/shellpath.c:3033] in shell32
(0x00f5e624)
  3 0x739dcd9b get_known_folder_path_by_id+0x18a(folderId=0x168218,
lpRegistryPath=<internal error>, dwFlags=0, ppszPath=0xf5e760)
[/home/focht/projects/wine/wine-git/dlls/shell32/shellpath.c:3511] in shell32
(0x00f5e6d4)
  4 0x739dd67a knownfolder_GetPath+0x79(iface=0x168210, dwFlags=0,
ppszPath=0xf5e760)
[/home/focht/projects/wine/wine-git/dlls/shell32/shellpath.c:3534] in shell32
(0x00f5e724)
  5 0x00f6625a in games (+0x6259) (0x00f5e774)
--- snip ---

Because of this, the out parameter is never allocated/copied to.

Source:
http://source.winehq.org/git/wine.git/blob/a603e9871e21888216672003e2455dfac4a31716:/dlls/shell32/shellpath.c#l3489

If there was any regression it would be this commit:

http://source.winehq.org/git/wine.git/commitdiff/08186a9c26e954aea26ad0129cae35f24f18054e

which dereferenced "ppszPath" out parameter without looking at HRESULT value
(from SHGetKnownFolderPath -> SHGetFolderPathW ...).

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.