[Bug 6775] Sony CD Architect 5.2 crashes on startup (msxml domdoc_createTextNode should access/treat input BSTR data as wide-character string)

wine-bugs at winehq.org wine-bugs at winehq.org
Tue May 1 16:17:56 CDT 2012 

http://bugs.winehq.org/show_bug.cgi?id=6775

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
          Component|-unknown                    |msxml3
            Summary|blank menus in cdarchitect  |Sony CD Architect 5.2
                   |5.2                         |crashes on startup (msxml
                   |                            |domdoc_createTextNode
                   |                            |should access/treat input
                   |                            |BSTR data as wide-character
                   |                            |string)
     Ever Confirmed|0                           |1

--- Comment #13 from Anastasius Focht <focht at gmx.net> 2012-05-01 16:17:56 CDT ---
Hello,

confirming the crash on startup.
If you use 'winetricks msxml3' the application works fine, explanation follows.

Prerequisite: 'winetricks -q mfc42'

--- snip ---
Unhandled exception: page fault on read access to 0x008da000 in 32-bit code
(0xf7597533).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:f7597533 ESP:028bd2c8 EBP:028bd2f8 EFLAGS:00010202(  R- --  I   - - - )
 EAX:008d9ffc EBX:f75fcff4 ECX:0044c6b9 EDX:028c8c40
 ESI:028bd630 EDI:00000000
...
Backtrace:
=>0 0xf7597533 __memcpy_ssse3_rep+0xd63() in libc.so.6 (0x028bd2f8)
  1 0x7e6a545a SysAllocStringByteLen+0x6f(str="{", len=0x455355)
[/home/focht/projects/wine/wine-git/dlls/oleaut32/oleaut.c:369] in oleaut32
(0x028bd2f8)
  2 0x7e6f1527 VariantCopy+0x290(pvargDest=0x28bd468, pvargSrc=0x28bd560)
[/home/focht/projects/wine/wine-git/dlls/oleaut32/variant.c:781] in oleaut32
(0x028bd368)
  3 0x7e6f19b4 VariantCopyInd+0x1b9(pvargDest=0x28bd468, pvargSrc=0x28bd560)
[/home/focht/projects/wine/wine-git/dlls/oleaut32/variant.c:871] in oleaut32
(0x028bd3f8)
  4 0x7e6f20a5 VariantChangeTypeEx+0x2d8(pvargDest=0x28bd510,
pvargSrc=0x28bd560, lcid=0x400, wFlags=0, vt=0x8)
[/home/focht/projects/wine/wine-git/dlls/oleaut32/variant.c:1041] in oleaut32
(0x028bd4b8)
  5 0x7e6f1dc2 VariantChangeType+0x49(pvargDest=0x28bd510, pvargSrc=0x28bd560,
wFlags=0, vt=0x8)
[/home/focht/projects/wine/wine-git/dlls/oleaut32/variant.c:982] in oleaut32
(0x028bd4f8)
  6 0x7d084216 node_put_value+0x41(This=0x1d1048, value=0x28bd560)
[/home/focht/projects/wine/wine-git/dlls/msxml3/node.c:289] in msxml3
(0x028bd538)
  7 0x7d09e2dd domtext_put_data+0x9c(iface=0x1d1064,
data="{CCAC7B28-CA5C-4520-ABBB-184524C01A51}")
[/home/focht/projects/wine/wine-git/dlls/msxml3/text.c:617] in msxml3
(0x028bd588)
  8 0x7d06961b domdoc_createTextNode+0x14e(iface=0x13fd3a4,
data="{CCAC7B28-CA5C-4520-ABBB-184524C01A51}", text=0x28bd610)
[/home/focht/projects/wine/wine-git/dlls/msxml3/domdoc.c:1614] in msxml3
(0x028bd5e8)
  9 0x35c8ac6c in sfconfigmgr (+0x2ac6b) (0x013fc200)
  10 0x00000001 (0x35c9e950)
  11 0x35c628a0 in sfconfigmgr (+0x289f) (0x35c62940)
  12 0x08244c8b (0x0c24448b)
0xf7597533 __memcpy_ssse3_rep+0xd63 in libc.so.6: repe movq    0x0(%eax),%mm0
--- snip ---

There is a GUID-like string passed to domdoc_createTextNode().

The string is created as _wide_ character string within the application(!)
Dump of string data:

$+0 = (start) address of string passed through API

--- snip ---
$-4       00455355  
$ ==>     0043007B  {C
$+4       00410043  CA
$+8       00370043  C7
$+C       00320042  B2
$+10      002D0038  8-
$+14      00410043  CA
$+18      00430035  5C
$+1C      0034002D  -4
$+20      00320035  52
$+24      002D0030  0-
$+28      00420041  AB
$+2C      00420042  BB
$+30      0031002D  -1
$+34      00340038  84
$+38      00320035  52
$+3C      00430034  4C
$+40      00310030  01
$+44      00350041  A5
$+48      007D0031  1}
$+4C      F7790000  
$+50      006F0053  So
$+54      0079006E  ny
--- snip ---

At $-4 you see the heap magic "USE".
This is a clear indication that this string is _not_ a BSTR.

MSXML interface defines the string type to be BSTR.
Wine code accesses it as such:

SysStringByteLen -> return str ? *((DWORD*)str-1) : 0;

You can imagine that 0x00455355 is not really suitable as length ;-)

The real bug is in the application code.
I debugged it and found no code path that actually makes use of BSTR allocation
API (SysAllocXXX) for this parameter.

Interestingly with native msxml3 override (winetricks) the application call to
msxml to create a text node succeeds.

An educated guess: for whatever reason the input string is not accessed as BSTR
but as wide-character string, which avoids relying on garbage length ($-4).

Source:
http://source.winehq.org/git/wine.git/blob/e983db851888b900873153ce42921aee85b40b32:/dlls/msxml3/text.c#l606

domdoc_createTextNode -> domtext_put_data ...

This problem might apply to more methods that carry BSTR parameters but I think
getting domdoc_createTextNode -> domtext_put_data to work with pure WCHAR* data
should be ok.
To not change much code down the call tree maybe a temporary "real" BSTR could
be created as soon as possible from input "wide character" string.

$ du -sh cdarchitect52d-trial_enu.exe 
30M    cdarchitect52d-trial_enu.exe

$ sha1sum cdarchitect52d-trial_enu.exe 
045cfb932746810b2bfb52594f31926be11ebb73  cdarchitect52d-trial_enu.exe

$ wine --version
wine-1.5.3-73-g93a0ca7

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list