[Bug 35021] New: League of Legends installer page faults in custom action during stackwalk (SymFromAddr with NULL displacement ptr)

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Nov 30 05:20:32 CST 2013


http://bugs.winehq.org/show_bug.cgi?id=35021

             Bug #: 35021
           Summary: League of Legends installer page faults in custom
                    action during stackwalk (SymFromAddr with NULL
                    displacement ptr)
           Product: Wine
           Version: 1.7.7
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dbghelp
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net
    Classification: Unclassified


Hello folks,

I already mentioned this in bug 35011 ... not a big thing but it deserves its
own bug.

The context capture/stack walk in the custom action is done on purpose.

--- snip ---
003b:trace:msi:ACTION_CallDllFunction calling L"OnAiRemoveFilesUndoable" 
...
003b:Call dbghelp.SymGetModuleBase(ffffffff,7d4fd3f7) ret=7e458574
003b:Ret  dbghelp.SymGetModuleBase() retval=7d4d0000 ret=7e458574
003b:Call dbghelp.SymFunctionTableAccess(ffffffff,7d4fd3f7) ret=7e458515
003b:Ret  dbghelp.SymFunctionTableAccess() retval=00000000 ret=7e458515
003b:Ret  dbghelp.StackWalk() retval=00000001 ret=003b337f
003b:Call ntdll.RtlAllocateHeap(00bb0000,00000000,00000020) ret=003c8570
003b:Ret  ntdll.RtlAllocateHeap() retval=00bb41d0 ret=003c8570
003b:Call dbghelp.SymFromAddr(ffffffff,7d4fd3f7,00000000,00000000,00bb39a0) ret=003b3844
003b:Call ntdll.RtlReAllocateHeap(00110000,00000000,01300030,0000ad88) ret=7e45be05
003b:Ret  ntdll.RtlReAllocateHeap() retval=01300030 ret=7e45be05
003b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7e45d158 ip=7e45d158 tid=003b
003b:trace:seh:raise_exception  info[0]=00000001
003b:trace:seh:raise_exception  info[1]=00000000
003b:trace:seh:raise_exception  eax=0000000b ebx=00000000 ecx=00000000 edx=00000000 esi=7d4fd3ec edi=00000000
003b:trace:seh:raise_exception  ebp=00ebca58 esp=00ebca20 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210246
003b:trace:seh:call_stack_handlers calling handler at 0x3d840d code=c0000005 flags=0
...
003b:trace:seh:__regs_RtlUnwind handler at 0x3da946 returned 1
003b:trace:seh:__regs_RtlUnwind calling handler at 0x3cb818 code=c0000005 flags=2
003b:trace:seh:__regs_RtlUnwind handler at 0x3cb818 returned 1
003b:trace:seh:__regs_RtlUnwind calling handler at 0x7bc81a26 code=c0000005 flags=2
003b:trace:seh:__regs_RtlUnwind handler at 0x7bc81a26 returned 3
003b:Ret  ntdll.RtlUnwind() retval=00000000 ret=7d566735
003b:  eax=00000000 ebx=7d5c7000 ecx=00eba318 edx=00eba318 esi=00ebe8d0 edi=7d56674a ebp=00eb9e08 esp=00eb9dd8 ds=002b es=002b fs=0063 gs=006b flags=00200216
003b:err:msi:ACTION_CallDllFunction Custom action (L"C:\\users\\focht\\Temp\\msi5823.tmp":L"OnAiRemoveFilesUndoable") caused a page fault: c0000005
003b:trace:msi:MsiCloseHandle 6
003b:trace:msi:MsiCloseHandle handle 6 destroyed
003b:Call KERNEL32.FreeLibrary(00390000) ret=7d4fd812
003b:Ret  KERNEL32.FreeLibrary() retval=00000001 ret=7d4fd812
003b:trace:msi:MsiCloseHandle 5
003b:trace:msi:MsiCloseHandle handle 5 destroyed
003b:Call ntdll.RtlFreeHeap(00110000,00000000,00914c28) ret=7d532a5a
003b:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7d532a5a
003b:Call oleaut32.SysFreeString(00914e24 L"C:\\users\\focht\\Temp\\msi5823.tmp") ret=7d4fd83c
003b:Ret  oleaut32.SysFreeString() retval=00000000 ret=7d4fd83c
003b:Call oleaut32.SysFreeString(0090404c L"OnAiRemoveFilesUndoable") ret=7d4fd84a
003b:Ret  oleaut32.SysFreeString() retval=00000000 ret=7d4fd84a
003b:trace:msi:MsiCloseHandle 5
003b:trace:msi:DllThread custom action (3b) returned 0
003b:trace:msi:MsiCloseAllHandles  
--- snip ---

Wine unconditionally writes to the optional out parameter 'Displacement' in
SymFromAddr() for which the caller passes NULL, causing a page fault.

MSDN says:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms681323%28v=vs.85%29.aspx

--- quote ---
Displacement [out, optional]

    The displacement from the beginning of the symbol, or zero.
--- quote --- 

Source:
http://source.winehq.org/git/wine.git/blob/836b682ed3bff439f1264bc9cee4ecce6ca88bb2:/dlls/dbghelp/symbol.c#l1219

(the fault is at line 1232)

--- snip ---
1219 BOOL WINAPI SymFromAddr(HANDLE hProcess, DWORD64 Address,
1220                         DWORD64* Displacement, PSYMBOL_INFO Symbol)
1221 {
1222     struct module_pair pair;
1223     struct symt_ht* sym;
1224
1225     pair.pcs = process_find_by_handle(hProcess);
1226     if (!pair.pcs) return FALSE;
1227     pair.requested = module_find_by_addr(pair.pcs, Address, DMT_UNKNOWN);
1228     if (!module_get_debug(&pair)) return FALSE;
1229     if ((sym = symt_find_nearest(pair.effective, Address)) == NULL) return FALSE;
1230
1231     symt_fill_sym_info(&pair, NULL, &sym->symt, Symbol);
1232     *Displacement = Address - Symbol->Address;
1233     return TRUE;
1234 }
--- snip ---

Regards

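An added illustration of the bug described in this report, written for this page and not taken from Wine's dbghelp: a stand-in for SymFromAddr() in its Wine 1.7.7 shape (unconditional write to the optional Displacement out-parameter) next to the hardened form that tests the pointer first, plus a caller that mirrors the installer's custom action and passes NULL because it only wants the symbol name. In the trace above the 64-bit Address occupies two 32-bit slots, so the third value in SymFromAddr(ffffffff,7d4fd3f7,00000000,00000000,00bb39a0) is the NULL Displacement, and info[0]=1 / info[1]=0 on the c0000005 is a write to address 0. The symbol table, the struct names (sym_entry, symbol_info), find_nearest() and symbolize_frames() are constructed for the example; only the address 0x7d4fd3f7 comes from the trace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a loaded module's symbol table (not real dbghelp data). */
typedef struct {
    const char *name;
    uint64_t    address;   /* start address of the symbol */
} sym_entry;

static const sym_entry demo_symbols[] = {
    { "DllMain",                 0x7d4d1000ULL },
    { "OnAiRemoveFilesUndoable", 0x7d4fd000ULL },
    { "CaptureStackBacktrace",   0x7d4fe200ULL },
};
#define DEMO_SYMBOL_COUNT (sizeof demo_symbols / sizeof demo_symbols[0])

/* Minimal SYMBOL_INFO-like output record (hypothetical; not the Win32 struct). */
typedef struct {
    char     name[64];
    uint64_t address;
} symbol_info;

/* Nearest symbol starting at or below 'addr' (the role symt_find_nearest plays in Wine). */
static const sym_entry *find_nearest(uint64_t addr)
{
    const sym_entry *best = NULL;
    for (size_t i = 0; i < DEMO_SYMBOL_COUNT; i++) {
        if (demo_symbols[i].address <= addr &&
            (!best || demo_symbols[i].address > best->address))
            best = &demo_symbols[i];
    }
    return best;
}

/* Shape of the Wine 1.7.7 code: the [out, optional] parameter is written unconditionally.
   With displacement == NULL this stores to address 0, i.e. the write fault (info[0]=1,
   info[1]=0) seen in the trace. Never call this form with NULL. */
bool sym_from_addr_buggy(uint64_t addr, uint64_t *displacement, symbol_info *out)
{
    const sym_entry *s = find_nearest(addr);
    if (!s) return false;
    snprintf(out->name, sizeof out->name, "%s", s->name);
    out->address = s->address;
    *displacement = addr - out->address;          /* BUG: no NULL check */
    return true;
}

/* Hardened form: honour the optional contract by testing the pointer before storing. */
bool sym_from_addr_fixed(uint64_t addr, uint64_t *displacement, symbol_info *out)
{
    const sym_entry *s = find_nearest(addr);
    if (!s) return false;
    snprintf(out->name, sizeof out->name, "%s", s->name);
    out->address = s->address;
    if (displacement) *displacement = addr - out->address;
    return true;
}

/* Mirrors the installer's custom action: symbolize each StackWalk frame and pass NULL
   for the displacement because only the name is wanted. Writes one line per frame into
   'buf' and returns how many frames resolved to a symbol. */
size_t symbolize_frames(const uint64_t *frames, size_t n, char *buf, size_t buflen)
{
    size_t resolved = 0, used = 0;
    if (buflen) buf[0] = '\0';
    for (size_t i = 0; i < n && used < buflen; i++) {
        symbol_info si;
        int w;
        if (sym_from_addr_fixed(frames[i], NULL, &si)) {   /* NULL: displacement not needed */
            w = snprintf(buf + used, buflen - used, "%s\n", si.name);
            resolved++;
        } else {
            w = snprintf(buf + used, buflen - used, "0x%llx\n", (unsigned long long)frames[i]);
        }
        if (w < 0 || (size_t)w >= buflen - used) break;   /* truncated: stop cleanly */
        used += (size_t)w;
    }
    return resolved;
}

int main(void)
{
    /* Constructed frame list: the address from the trace, one inside another symbol,
       and one below every symbol so it stays unresolved. */
    uint64_t frames[] = { 0x7d4fd3f7ULL, 0x7d4fe210ULL, 0x10ULL };
    char buf[256];
    size_t n = symbolize_frames(frames, 3, buf, sizeof buf);
    printf("%zu of 3 frames resolved:\n%s", n, buf);
    return 0;
}
```

The check that matters is the single `if (displacement)` in the fixed form; everything else exists so the NULL-passing caller can run end to end. The same pattern applies to any Win32-style API whose documentation marks an out pointer as optional: the callee, not the caller, owns the NULL test.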