[Bug 34716] HippoAnimator3 fails on startup, complains 'Invalid name' (GetTempPathW on poisoned stack buffer)
wine-bugs at winehq.org
Tue Nov 12 17:46:13 CST 2013
http://bugs.winehq.org/show_bug.cgi?id=34716
Anastasius Focht <focht at gmx.net> changed:
What            |Removed                                              |Added
----------------------------------------------------------------------------
Keywords        |                                                     |dotnet
Status          |UNCONFIRMED                                          |NEW
CC              |                                                     |focht at gmx.net
Component       |-unknown                                             |kernel32
Summary         |HippoAnimator3: Invalid name at installation startup |HippoAnimator3 fails on startup, complains 'Invalid name' (GetTempPathW on poisoned stack buffer)
Ever Confirmed  |0                                                    |1
--- Comment #2 from Anastasius Focht <focht at gmx.net> 2013-11-12 17:46:13 CST ---
Hello folks,
confirming.
Prerequisite: 'winetricks -q dotnet20' (if Mono is not installed)
The installer writes a .NET app config file from its PE resource (good guy):
--- snip ---
002b:Call KERNEL32.FindResourceW(00400000,0000006f,0040c89c L"BINARY") ret=00401431
002b:Ret KERNEL32.FindResourceW() retval=004161f0 ret=00401431
002b:Call KERNEL32.LoadResource(00000000,004161f0) ret=0040143d
002b:Ret KERNEL32.LoadResource() retval=00a63440 ret=0040143d
002b:Call KERNEL32.LockResource(00a63440) ret=00401444
002b:Ret KERNEL32.LockResource() retval=00a63440 ret=00401444
002b:Call KERNEL32.SizeofResource(00000000,004161f0) ret=0040144e
002b:Ret KERNEL32.SizeofResource() retval=000000db ret=0040144e
002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401464
002b:Ret KERNEL32.GetTempPathW() retval=00000014 ret=00401464
002b:Call KERNEL32.CreateDirectoryW(0033f5f4 L"C:\\users\\focht\\Temp\\",00000000) ret=00401473
002b:Ret KERNEL32.CreateDirectoryW() retval=00000000 ret=00401473
002b:Call KERNEL32.CreateFileW(0033ee24 L"C:\\users\\focht\\Temp\\HippoAnimator3Update.exe.config",40000000,00000000,00000000,00000002,00000080,00000000) ret=004014e6
002b:Ret KERNEL32.CreateFileW() retval=0000003c ret=004014e6
002b:Call KERNEL32.WriteFile(0000003c,00a63440,000000db,0033ee20,00000000) ret=004014f7
002b:Ret KERNEL32.WriteFile() retval=00000001 ret=004014f7
002b:Call KERNEL32.CloseHandle(0000003c) ret=004014fe
002b:Ret KERNEL32.CloseHandle() retval=00000001 ret=004014fe
--- snip ---
Next, an embedded PE binary should be written out the same way (bad guy):
--- snip ---
002b:Call KERNEL32.FindResourceW(00400000,0000006e,0040c89c L"BINARY") ret=00401312
002b:Ret KERNEL32.FindResourceW() retval=004161e0 ret=00401312
002b:Call KERNEL32.LoadResource(00000000,004161e0) ret=0040131e
002b:Ret KERNEL32.LoadResource() retval=00470820 ret=0040131e
002b:Call KERNEL32.LockResource(00470820) ret=00401325
002b:Ret KERNEL32.LockResource() retval=00470820 ret=00401325
002b:Call KERNEL32.SizeofResource(00000000,004161e0) ret=0040132f
002b:Ret KERNEL32.SizeofResource() retval=005f2c20 ret=0040132f
002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401345
002b:Ret KERNEL32.GetTempPathW() retval=00000014 ret=00401345
002b:Call KERNEL32.CreateDirectoryW(0033f5f4 L"C:\\users\\focht\\Temp\\",00000000) ret=00401354
002b:Ret KERNEL32.CreateDirectoryW() retval=00000000 ret=00401354
002b:Call KERNEL32.CreateFileW(0033ee24 L"C:\\users\\focht\\Temp\\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...,40000000,00000000,00000000,00000002,00000080,00000000) ret=004013c3
002b:Ret KERNEL32.CreateFileW() retval=ffffffff ret=004013c3
002b:Call KERNEL32.WriteFile(ffffffff,00470820,005f2c20,0033ee20,00000000) ret=004013d4
002b:Ret KERNEL32.WriteFile() retval=00000000 ret=004013d4
002b:Call KERNEL32.CloseHandle(ffffffff) ret=004013db
002b:Ret KERNEL32.CloseHandle() retval=00000000 ret=004013db
002b:Call shell32.ShellExecuteExW(0033edc8) ret=004012be
002b:Call ntdll.RtlAllocateHeap(00110000,00000000,000005d8) ret=7e88fca5
002b:Ret ntdll.RtlAllocateHeap() retval=0012b758 ret=7e88fca5
002b:Call shlwapi.PathFindExtensionW(0012b758 L"C:\\users\\focht\\Temp\\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...) ret=7e88e187
002b:Ret shlwapi.PathFindExtensionW() retval=0012bd24 ret=7e88e187
--- snip ---
The buffer for GetTempPathW() is allocated on the stack and not pre-initialized.
After the CreateDirectoryW() call, a copy loop is used to construct the final path
which gets passed to CreateFileW().
Due to the way the copy loop is coded, garbage characters from the stack-based
buffer might get copied, resulting in a malformed path.
From there everything goes downhill.
Crappy coding at its best ...
Maybe Windows zero-terminates the GetTempPathW() buffer up to the max buffer size, or it
just works by chance there (stack layout).
$ sha1sum HippoAnimator3.exe
0051b4a9c55e9c7e1c146e604068f7d730930dc7 HippoAnimator3.exe
$ du -sh HippoAnimator3.exe
7.3M HippoAnimator3.exe
$ wine --version
wine-1.7.6-168-g8c94e27
Regards
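To make the failure mode in the comment above reproducible without Windows or Wine, here is an added example that is not part of the bug report and not Wine's code. It is portable C: `sim_GetTempPathW` is a hypothetical stand-in that only copies the constructed path `TEMP_DIR` plus its terminator and returns the character count, leaving the rest of the buffer untouched, exactly the contract the report relies on. The real installer's copy loop is not shown in the report, so `build_path_buggy` is a hypothetical reconstruction of a loop with the described defect (it assumes the API zero-fills the whole 1000-character buffer and skips NULs as padding); `build_path_fixed` is the corrected form that trusts only the returned length. `poison` fills the buffer with constructed non-zero junk standing in for stale stack data, and `TEMP_DIR`, `FILE_NAME`, `TMP_BUF_CHARS` and `OUT_CHARS` are all assumed values chosen to match the trace.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Constructed values mirroring what the trace shows; not read from a real system. */
static const wchar_t TEMP_DIR[]  = L"C:\\users\\focht\\Temp\\";
static const wchar_t FILE_NAME[] = L"HippoAnimator3Update.exe.config";

#define TMP_BUF_CHARS 1000   /* the installer passes nBufferLength = 0x3e8 */
#define OUT_CHARS     2048   /* hypothetical size of the destination buffer */

/* Hypothetical stand-in for GetTempPathW (not the Win32 function). Like the
 * real API it writes the path plus one terminating NUL and returns the number
 * of characters written, excluding the NUL. Everything past the terminator
 * keeps whatever the caller left there. */
static size_t sim_GetTempPathW(size_t buf_chars, wchar_t *buf)
{
    size_t len = wcslen(TEMP_DIR);
    if (buf_chars <= len)
        return len + 1;                     /* required size including NUL */
    wmemcpy(buf, TEMP_DIR, len + 1);
    return len;
}

/* Hypothetical reconstruction of a copy loop with the defect the report
 * describes (the real loop is not shown there): it assumes the API zero-fills
 * the whole buffer, walks all tmp_chars slots and treats NUL as padding to
 * skip. Stale data after the terminator is therefore copied into the path,
 * right after "Temp\", which is what the CreateFileW trace line shows. */
static size_t build_path_buggy(const wchar_t *tmp, size_t tmp_chars,
                               wchar_t *out, size_t out_chars)
{
    size_t n = 0;
    for (size_t i = 0; i < tmp_chars; i++) {
        if (tmp[i] == 0)
            continue;                       /* "padding", or so the author assumes */
        if (n + wcslen(FILE_NAME) + 1 >= out_chars)
            return 0;                       /* at least it does not overflow out */
        out[n++] = tmp[i];
    }
    wcscpy(out + n, FILE_NAME);
    return n + wcslen(FILE_NAME);
}

/* Corrected version: trust only the length the API returned, reject failure
 * (0) or truncation (>= buffer size), and bound the concatenation. */
static size_t build_path_fixed(const wchar_t *tmp, size_t written, size_t tmp_chars,
                               wchar_t *out, size_t out_chars)
{
    if (written == 0 || written >= tmp_chars)
        return 0;
    if (written + wcslen(FILE_NAME) + 1 > out_chars)
        return 0;
    wmemcpy(out, tmp, written);
    wcscpy(out + written, FILE_NAME);
    return written + wcslen(FILE_NAME);
}

/* Model a "poisoned" stack frame: every slot holds constructed non-zero junk,
 * the way leftovers from earlier calls would. */
static void poison(wchar_t *buf, size_t chars)
{
    for (size_t i = 0; i < chars; i++)
        buf[i] = (wchar_t)(0xF740 + (i % 64));   /* constructed, never 0 */
}

/* Runs one scenario into out and returns the built path length (0 = refused).
 * buffer_poisoned: stale vs zeroed buffer; use_fixed: which builder to use. */
static size_t run_scenario(int buffer_poisoned, int use_fixed,
                           wchar_t *out, size_t out_chars)
{
    wchar_t tmp[TMP_BUF_CHARS];
    size_t written;

    if (buffer_poisoned)
        poison(tmp, TMP_BUF_CHARS);
    else
        wmemset(tmp, 0, TMP_BUF_CHARS);     /* the zero-fill the author seems to assume */

    written = sim_GetTempPathW(TMP_BUF_CHARS, tmp);
    return use_fixed
        ? build_path_fixed(tmp, written, TMP_BUF_CHARS, out, out_chars)
        : build_path_buggy(tmp, TMP_BUF_CHARS, out, out_chars);
}

/* 1 if the scenario yields exactly TEMP_DIR + FILE_NAME, else 0. */
static int scenario_ok(int buffer_poisoned, int use_fixed)
{
    wchar_t out[OUT_CHARS];
    size_t len = run_scenario(buffer_poisoned, use_fixed, out, OUT_CHARS);
    return len != 0
        && wcsncmp(out, TEMP_DIR, wcslen(TEMP_DIR)) == 0
        && wcscmp(out + wcslen(TEMP_DIR), FILE_NAME) == 0;
}

/* Path length a scenario produces: 51 when correct; with the stale buffer the
 * buggy loop yields 20 + 979 junk characters + 31 = 1030. */
static size_t scenario_length(int buffer_poisoned, int use_fixed)
{
    wchar_t out[OUT_CHARS];
    return run_scenario(buffer_poisoned, use_fixed, out, OUT_CHARS);
}

int main(void)
{
    printf("buggy loop, zeroed buffer  : %s (%zu chars)\n",
           scenario_ok(0, 0) ? "ok" : "malformed", scenario_length(0, 0));
    printf("buggy loop, stale buffer   : %s (%zu chars)\n",
           scenario_ok(1, 0) ? "ok" : "malformed", scenario_length(1, 0));
    printf("fixed loop, stale buffer   : %s (%zu chars)\n",
           scenario_ok(1, 1) ? "ok" : "malformed", scenario_length(1, 1));
    return 0;
}
```

The zeroed-buffer run is the "works by chance" case from the comment: the faulty loop produces a correct path only because nothing non-zero sits past the terminator. The fixed builder never reads beyond the returned length, so the buffer's prior contents are irrelevant and the result is identical on a clean or a stale stack.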