[Bug 35877] ProShow Gold 5.0.3310 crashes on startup (TLS slot index allocation must start at non-zero indexes)
wine-bugs at winehq.org
Thu Mar 27 14:02:46 CDT 2014
http://bugs.winehq.org/show_bug.cgi?id=35877
--- Comment #3 from Khang <sitinh at gmail.com> ---
Hi Master
Can you tell me how to fix this bug step by step? I don't understand the code.
Can you help me, please....
(In reply to Anastasius Focht from comment #2)
> Hello folks,
>
> confirming.
>
> Looks like another broken app with TLS slot index 0 access.
>
> Windows implements a workaround for all broken apps, making TLS slot index 0
> unavailable for allocation through TLS API hence the crash is prevented.
>
> --- snip ---
> $ pwd
> /home/focht/.wine/drive_c/Program Files/Photodex/ProShow Gold
> ...
> $ WINEDEBUG=+tid,+seh,+relay wine ./pxplay.exe >>log.txt 2>&1
> ...
> 0029:Starting process L"C:\\Program Files\\Photodex\\ProShow
> Gold\\pxplay.exe" (entryproc=0x9c1d60)
> ...
> 0029:Call KERNEL32.TlsAlloc() ret=009c3441
> 0029:Ret KERNEL32.TlsAlloc() retval=00000000 ret=009c3441
> 0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
> 0029:Ret ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
> 0029:Call ntdll.RtlAllocateHeap(01460000,00000000,00000480) ret=009c0b3d
> 0029:Ret ntdll.RtlAllocateHeap() retval=014601c0 ret=009c0b3d
> ...
> 0029:Call KERNEL32.GetStartupInfoA(0033fdc4) ret=009c1e17
> 0029:Ret KERNEL32.GetStartupInfoA() retval=00000011 ret=009c1e17
> 0029:Call KERNEL32.GetModuleHandleA(00000000) ret=009c1e3a
> 0029:Ret KERNEL32.GetModuleHandleA() retval=00400000 ret=009c1e3a
> 0029:trace:seh:raise_exception code=c0000005 flags=0 addr=0x49680a
> ip=0049680a tid=0029
> 0029:trace:seh:raise_exception info[0]=00000000
> 0029:trace:seh:raise_exception info[1]=01470258
> 0029:trace:seh:raise_exception eax=0129b6c0 ebx=01460138 ecx=00bb9538
> edx=00bb9538 esi=00000000 edi=00000000
> 0029:trace:seh:raise_exception ebp=00000000 esp=0033790c cs=0023 ds=002b
> es=002b fs=0063 gs=006b flags=00010202
> 0029:trace:seh:call_stack_handlers calling handler at 0x9c3724 code=c0000005
> flags=0
> 0029:Call KERNEL32.GetLastError() ret=009c34a4
> 0029:Ret KERNEL32.GetLastError() retval=00000000 ret=009c34a4
> 0029:Call KERNEL32.UnhandledExceptionFilter(003373e0) ret=009c36dd
> wine: Unhandled page fault on read access to 0x01470258 at address 0x49680a
> (thread 0029), starting debugger...
> 0029:trace:seh:start_debugger Starting debugger "winedbg --auto 40 92"
> 0029:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=009c36dd
> 0029:trace:seh:call_stack_handlers handler at 0x9c3724 returned 1
> 0029:trace:seh:call_stack_handlers calling handler at 0x7bc9eb03
> code=c0000005 flags=0
> 0029:Call KERNEL32.UnhandledExceptionFilter(003373d4) ret=7bc9eb3d
> 0029:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9eb3d
> 0029:trace:seh:call_stack_handlers handler at 0x7bc9eb03 returned 1
> Unhandled exception: page fault on read access to 0x01470258 in 32-bit code
> (0x0049680a).
> ...
> Backtrace:
> =>0 0x0049680a in pxplay (+0x9680a) (0x00000000)
> 0x0049680a: movl 0x10120(%ebx),%esi
> --- snip ---
>
> The app code that allocates and sets the first slot:
>
> --- snip ---
> 009C3435 PUSH ESI
> 009C3436 CALL 009C4D94
> 009C343B CALL DWORD PTR DS:[<&KERNEL32.TlsAlloc>]
> 009C3441 CMP EAX,-1
> 009C3444 MOV DWORD PTR DS:[11A4EC4],EAX ; index
> 009C3449 JE SHORT 009C3485
> 009C344B PUSH 74
> 009C344D PUSH 1
> 009C344F CALL 009C32F8
> 009C3454 MOV ESI,EAX
> 009C3456 POP ECX
> 009C3457 TEST ESI,ESI
> 009C3459 POP ECX
> 009C345A JZ SHORT 009C3485
> 009C345C PUSH ESI ; value, buffer ptr
> 009C345D PUSH DWORD PTR DS:[11A4EC4] ; index
> 009C3463 CALL DWORD PTR DS:[<&KERNEL32.TlsSetValue>]
> 009C3469 TEST EAX,EAX
> 009C346B JZ SHORT 009C3485
> ...
> --- snip ---
>
> Unlike Windows, Wine happily gives slot index 0 to the app which writes a
> buffer pointer using TlsSetValue().
> The buffer (0x80 bytes) was allocated here:
>
> --- snip ---
> 0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
> 0029:Ret ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
> --- snip ---
>
> Offending app code:
>
> --- snip ---
> 004967B0 MOV EAX,8150
> 004967B5 CALL 009BF760
> 004967BA MOV EAX,DWORD PTR DS:[1249A30]
> 004967BF PUSH EBX
> 004967C0 PUSH EBP
> 004967C1 PUSH ESI
> 004967C2 PUSH EDI
> 004967C3 PUSH EAX ; index => [0x1249A30] = 0
> 004967C4 CALL DWORD PTR DS:[<&KERNEL32.TlsGetValue>]
> 004967CA MOV EBX,EAX
> 004967CC XOR EBP,EBP
> 004967CE CMP EBX,EBP
> 004967D0 JE SHORT 004967EB
> ...
> 0049680A MOV ESI,DWORD PTR DS:[EBX+10120] ; *boom*
> 00496810 JMP SHORT pxplay.00496817
> --- snip ---
>
> The buggy app calls TlsGetValue(0) which returns the buffer pointer set by
> the earlier code, as shown in the snippet before.
> That code path at 0x49680A should never be reached if the app gets NULL for
> slot index 0, which would be the case if the first slot is reserved by the
> system.
> The app code accesses offset 0x10120 which causes the fault (buffer was
> allocated with 0x80 size).
>
> $ sha1sum psgold_50_3310.exe
> 10aaacabded20869391db41e296fd97cb833ffa1 psgold_50_3310.exe
>
> $ du -sh psgold_50_3310.exe
> 32M psgold_50_3310.exe
>
> $ wine --version
> wine-1.7.15-87-g5b55563
>
> Regards
>
> *** This bug has been marked as a duplicate of bug 20466 ***
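The slot-0 mechanism described in the quoted comment, as an added example that is not part of the bug report, of ProShow, or of Wine's code. It models one thread's TLS slot table (the table, its allocation bitmap and the 64-slot limit are assumptions for illustration, not Windows or Wine internals) and replays the sequence in the trace: the app's TlsAlloc, a 0x80-byte buffer stored in the returned slot, and the later read of slot 0 through a global index that was never written. With index 0 handed out, the stale index returns the real buffer and offset 0x10120 falls outside the 0x80-byte allocation; with index 0 reserved, the lookup yields NULL and the check at 004967D0 skips the faulting path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one thread's TLS slot table (assumed for illustration,
 * not Wine's or Windows' data structures). */
#define TLS_SLOTS 64
#define TLS_OUT_OF_INDEXES 0xFFFFFFFFu

typedef struct {
    uint64_t bitmap;              /* bit i set => slot i handed out by tls_alloc */
    void *values[TLS_SLOTS];      /* per-thread values, all NULL until tls_set */
} tls_table;

/* reserve_slot0 != 0 models the behaviour the comment attributes to Windows:
 * index 0 is marked taken up front, so the allocator never returns it. */
static void tls_init(tls_table *t, int reserve_slot0)
{
    memset(t, 0, sizeof *t);
    if (reserve_slot0)
        t->bitmap |= 1u;
}

/* TlsAlloc analogue: lowest free index, or TLS_OUT_OF_INDEXES. */
static uint32_t tls_alloc(tls_table *t)
{
    for (uint32_t i = 0; i < TLS_SLOTS; i++) {
        if (!(t->bitmap & ((uint64_t)1 << i))) {
            t->bitmap |= (uint64_t)1 << i;
            return i;
        }
    }
    return TLS_OUT_OF_INDEXES;
}

/* TlsSetValue / TlsGetValue analogues. */
static int tls_set(tls_table *t, uint32_t idx, void *v)
{
    if (idx >= TLS_SLOTS)
        return 0;
    t->values[idx] = v;
    return 1;
}

static void *tls_get(const tls_table *t, uint32_t idx)
{
    return idx < TLS_SLOTS ? t->values[idx] : NULL;
}

/* Replays the startup sequence from the trace. Returns 1 if the read at
 * offset 0x10120 would land outside the 0x80-byte buffer (the page fault in
 * the log), 0 if the NULL check short-circuits the path, -1 on alloc failure. */
int startup_would_fault(int reserve_slot0)
{
    static unsigned char buffer[0x80];   /* stands in for RtlAllocateHeap(..., 0x80) */
    tls_table t;
    tls_init(&t, reserve_slot0);

    uint32_t idx = tls_alloc(&t);        /* the TlsAlloc at 009C343B */
    if (idx == TLS_OUT_OF_INDEXES)
        return -1;
    tls_set(&t, idx, buffer);            /* the TlsSetValue at 009C3463 */

    uint32_t stale_index = 0;            /* [0x1249A30]: never written, reads as 0 */
    unsigned char *p = tls_get(&t, stale_index);   /* TlsGetValue at 004967C4 */
    if (p == NULL)
        return 0;                        /* JE at 004967D0 takes the safe branch */

    /* MOV ESI,[EBX+10120] at 0049680A: a 4-byte read at p + 0x10120 */
    const size_t offset = 0x10120;
    return (offset + sizeof(uint32_t) > sizeof buffer) ? 1 : 0;
}

/* Index the app's own TlsAlloc receives under each policy. */
uint32_t first_allocated_index(int reserve_slot0)
{
    tls_table t;
    tls_init(&t, reserve_slot0);
    return tls_alloc(&t);
}

int main(void)
{
    printf("slot 0 handed out : fault=%d (app got index %u)\n",
           startup_would_fault(0), first_allocated_index(0));
    printf("slot 0 reserved   : fault=%d (app got index %u)\n",
           startup_would_fault(1), first_allocated_index(1));
    return 0;
}
```

The model only changes one thing between the two runs, the reservation of index 0, which is exactly the difference the bug title asks Wine to adopt: the app's own bug (reading a slot through an uninitialised index) is untouched, and it stops crashing only because the uninitialised index now maps to a slot that nobody can own.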