[Bug 35877] ProShow Gold 5.0.3310 crashes on startup (TLS slot index allocation must start at non-zero indexes)

wine-bugs at winehq.org
Thu Mar 27 14:02:46 CDT 2014


http://bugs.winehq.org/show_bug.cgi?id=35877

--- Comment #3 from Khang <sitinh at gmail.com> ---
Hi Master

Can you tell me how to fix this bug step by step? I don't understand the code. Can you help me, please?

(In reply to Anastasius Focht from comment #2)
> Hello folks,
> 
> confirming.
> 
> Looks like another broken app with TLS slot index 0 access.
> 
> Windows implements a workaround for all broken apps, making TLS slot index 0
> unavailable for allocation through TLS API hence the crash is prevented.
> 
> --- snip ---
> $ pwd
> /home/focht/.wine/drive_c/Program Files/Photodex/ProShow Gold
> ...
> $ WINEDEBUG=+tid,+seh,+relay wine ./pxplay.exe >>log.txt 2>&1
> ...
> 0029:Starting process L"C:\\Program Files\\Photodex\\ProShow Gold\\pxplay.exe" (entryproc=0x9c1d60)
> ...
> 0029:Call KERNEL32.TlsAlloc() ret=009c3441
> 0029:Ret  KERNEL32.TlsAlloc() retval=00000000 ret=009c3441
> 0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
> 0029:Ret  ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
> 0029:Call ntdll.RtlAllocateHeap(01460000,00000000,00000480) ret=009c0b3d
> 0029:Ret  ntdll.RtlAllocateHeap() retval=014601c0 ret=009c0b3d 
> ...
> 0029:Call KERNEL32.GetStartupInfoA(0033fdc4) ret=009c1e17
> 0029:Ret  KERNEL32.GetStartupInfoA() retval=00000011 ret=009c1e17
> 0029:Call KERNEL32.GetModuleHandleA(00000000) ret=009c1e3a
> 0029:Ret  KERNEL32.GetModuleHandleA() retval=00400000 ret=009c1e3a
> 0029:trace:seh:raise_exception code=c0000005 flags=0 addr=0x49680a ip=0049680a tid=0029
> 0029:trace:seh:raise_exception  info[0]=00000000
> 0029:trace:seh:raise_exception  info[1]=01470258
> 0029:trace:seh:raise_exception  eax=0129b6c0 ebx=01460138 ecx=00bb9538 edx=00bb9538 esi=00000000 edi=00000000
> 0029:trace:seh:raise_exception  ebp=00000000 esp=0033790c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
> 0029:trace:seh:call_stack_handlers calling handler at 0x9c3724 code=c0000005 flags=0
> 0029:Call KERNEL32.GetLastError() ret=009c34a4
> 0029:Ret  KERNEL32.GetLastError() retval=00000000 ret=009c34a4
> 0029:Call KERNEL32.UnhandledExceptionFilter(003373e0) ret=009c36dd
> wine: Unhandled page fault on read access to 0x01470258 at address 0x49680a (thread 0029), starting debugger...
> 0029:trace:seh:start_debugger Starting debugger "winedbg --auto 40 92"
> 0029:Ret  KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=009c36dd
> 0029:trace:seh:call_stack_handlers handler at 0x9c3724 returned 1
> 0029:trace:seh:call_stack_handlers calling handler at 0x7bc9eb03 code=c0000005 flags=0
> 0029:Call KERNEL32.UnhandledExceptionFilter(003373d4) ret=7bc9eb3d
> 0029:Ret  KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9eb3d
> 0029:trace:seh:call_stack_handlers handler at 0x7bc9eb03 returned 1
> Unhandled exception: page fault on read access to 0x01470258 in 32-bit code (0x0049680a).
> ...
> Backtrace:
> =>0 0x0049680a in pxplay (+0x9680a) (0x00000000)
> 0x0049680a: movl	0x10120(%ebx),%esi
> --- snip ---
> 
> The app code that allocates and sets the first slot:
> 
> --- snip ---
> 009C3435  PUSH ESI
> 009C3436  CALL 009C4D94
> 009C343B  CALL DWORD PTR DS:[<&KERNEL32.TlsAlloc>]
> 009C3441  CMP EAX,-1
> 009C3444  MOV DWORD PTR DS:[11A4EC4],EAX     ; index
> 009C3449  JE SHORT 009C3485
> 009C344B  PUSH 74
> 009C344D  PUSH 1
> 009C344F  CALL 009C32F8
> 009C3454  MOV ESI,EAX
> 009C3456  POP ECX
> 009C3457  TEST ESI,ESI
> 009C3459  POP ECX
> 009C345A  JZ SHORT 009C3485
> 009C345C  PUSH ESI                           ; value, buffer ptr
> 009C345D  PUSH DWORD PTR DS:[11A4EC4]        ; index
> 009C3463  CALL DWORD PTR DS:[<&KERNEL32.TlsSetValue>]
> 009C3469  TEST EAX,EAX
> 009C346B  JZ SHORT 009C3485
> ...
> --- snip ---
> 
> Unlike Windows, Wine happily gives slot index 0 to the app which writes a
> buffer pointer using TlsSetValue().
> The buffer (0x80 bytes) was allocated here:
> 
> --- snip ---
> 0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
> 0029:Ret  ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
> --- snip ---
> 
> Offending app code:
> 
> --- snip ---
> 004967B0  MOV EAX,8150
> 004967B5  CALL 009BF760
> 004967BA  MOV EAX,DWORD PTR DS:[1249A30]
> 004967BF  PUSH EBX
> 004967C0  PUSH EBP
> 004967C1  PUSH ESI
> 004967C2  PUSH EDI
> 004967C3  PUSH EAX                              ; index => [0x1249A30] = 0
> 004967C4  CALL DWORD PTR DS:[<&KERNEL32.TlsGetValue>]
> 004967CA  MOV EBX,EAX
> 004967CC  XOR EBP,EBP
> 004967CE  CMP EBX,EBP
> 004967D0  JE SHORT 004967EB
> ...
> 0049680A  MOV ESI,DWORD PTR DS:[EBX+10120]      ; *boom*
> 00496810  JMP SHORT pxplay.00496817
> --- snip ---
> 
> The buggy app calls TlsGetValue(0) which returns the buffer pointer set by
> earlier code, as shown in snippet before.
> That code path at 0x49680A should never be reached if the app gets NULL for
> slot index 0 - which would be the case if the first slot is reserved by
> system.
> The app code accesses offset 0x10120 which causes the fault (buffer was
> allocated with 0x80 size).
> 
> $ sha1sum psgold_50_3310.exe 
> 10aaacabded20869391db41e296fd97cb833ffa1  psgold_50_3310.exe
> 
> $ du -sh psgold_50_3310.exe 
> 32M	psgold_50_3310.exe
> 
> $ wine --version
> wine-1.7.15-87-g5b55563
> 
> Regards
> 
> *** This bug has been marked as a duplicate of bug 20466 ***
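The allocator behaviour the quoted comment describes, modelled in C as an added example (this is neither Wine's nor the app's code): first_free selects whether slot 0 is handed out (Wine at the time) or reserved (Windows), and run_startup re-enacts the two pxplay code paths from the trace. The table layout, slot count and function names are assumptions; the buffer size, offset and addresses in the comments come from the comment above.

```c
#include <stdint.h>
#include <string.h>

#define TLS_SLOTS 64

/* Hypothetical process-wide TLS table standing in for kernel32's real one. */
struct tls_table {
    unsigned used[TLS_SLOTS];   /* 1 = slot handed out by tls_alloc() */
    void    *value[TLS_SLOTS];  /* per-thread values; one thread modelled here */
    unsigned first_free;        /* 0 = Wine before the fix, 1 = Windows (slot 0 reserved) */
};

/* TlsAlloc(): hands out the lowest free slot at or above first_free. */
static uint32_t tls_alloc(struct tls_table *t)
{
    for (unsigned i = t->first_free; i < TLS_SLOTS; i++)
        if (!t->used[i]) { t->used[i] = 1; return i; }
    return 0xFFFFFFFFu;         /* TLS_OUT_OF_INDEXES */
}

/* TlsSetValue(): fails for an index that was never allocated. */
static int tls_set_value(struct tls_table *t, uint32_t idx, void *v)
{
    if (idx >= TLS_SLOTS || !t->used[idx]) return 0;
    t->value[idx] = v;
    return 1;
}

/* TlsGetValue(): a slot that was never written reads back as NULL. */
static void *tls_get_value(const struct tls_table *t, uint32_t idx)
{
    return idx < TLS_SLOTS ? t->value[idx] : NULL;
}

/* Re-enacts the two pxplay code paths from the comment; returns 1 if the
 * second path would read past the 0x80-byte buffer, 0 if it is skipped. */
static int run_startup(unsigned first_free)
{
    static unsigned char buffer[0x80];          /* the RtlAllocateHeap(..., 0x80) block */
    uint32_t uninitialised_index = 0;           /* [0x1249A30], never assigned */
    struct tls_table tls;

    memset(&tls, 0, sizeof tls);
    tls.first_free = first_free;
    uint32_t real_index = tls_alloc(&tls);      /* first TlsAlloc(), stored at [0x11A4EC4] */
    tls_set_value(&tls, real_index, buffer);    /* TlsSetValue(index, buffer) */
    unsigned char *p = tls_get_value(&tls, uninitialised_index);   /* TlsGetValue(0) */
    if (p == NULL) return 0;                    /* JE SHORT 004967EB: path not taken */
    return 0x10120 >= sizeof buffer;            /* MOV ESI,[EBX+10120] reads out of bounds */
}
```

With first_free set to 0 the uninitialised index aliases the slot the app really allocated, so the NULL check passes and the out-of-bounds read happens; with slot 0 reserved the same code sees NULL and skips the path, which is why the app runs on Windows.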
