[Bug 30185] SuperPower 2 demo crashes on launch

wine-bugs at winehq.org wine-bugs at winehq.org
Tue Feb 10 10:18:02 CST 2015 

https://bugs.winehq.org/show_bug.cgi?id=30185

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
          Component|-unknown                    |shell32

--- Comment #8 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

The app tries to read the icon resource 132 for 'Control Panel' from
shell32.dll via 'ExtractAssociatedIconW' which obviously fails because Wine
doesn't provide it.
Actually, there are multiple problems, the missing icon resource being the less
evil thing.

--- snip ---
$ WINEDEBUG=+tid,+seh,+relay,+resource,+icon wine ./joshua.exe >>log.txt 2>&1
...
0024:Starting thread proc 0x10051350 (arg=0x10092558)
0024:Call shell32.ExtractAssociatedIconW(00000000,10067e1c
L"shell32.dll",0083e9d8) ret=10056386
0024:Call user32.GetSystemMetrics(0000000b) ret=7e0cefb4
0024:Ret  user32.GetSystemMetrics() retval=00000020 ret=7e0cefb4
0024:Call user32.GetSystemMetrics(0000000c) ret=7e0cefc6
0024:Ret  user32.GetSystemMetrics() retval=00000020 ret=7e0cefc6
0024:Call user32.PrivateExtractIconsW(10067e1c
L"shell32.dll",00000089,00000020,00000020,0083e6c8,00000000,00000001,00000000)
ret=7e0cf0d5
0024:trace:icon:PrivateExtractIconsW L"shell32.dll" 137 32x32 0x83e6c8 (nil) 1
0x00000000
0024:trace:icon:ICO_ExtractIconExW L"shell32.dll", 137, 1 (nil) 0x00000000
0024:trace:icon:USER32_GetResourceTable 0x840000 0x83e4d0
0024:warn:icon:ICO_ExtractIconExW nIconIndex 137 is larger than iconDirCount 23
0024:Ret  user32.PrivateExtractIconsW() retval=00000000 ret=7e0cf0d5
0024:Call KERNEL32.GetModuleFileNameW(00000000,10067e1c,00000104) ret=7e0c3648
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf75129d1
ip=f75129d1 tid=0024
0024:trace:seh:raise_exception  info[0]=00000001
0024:trace:seh:raise_exception  info[1]=10067e1c
0024:trace:seh:raise_exception  eax=00115820 ebx=f7543970 ecx=00000054
edx=10067e20 esi=10067e1c edi=00000000
0024:trace:seh:raise_exception  ebp=0083e6c8 esp=0083e650 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
0024:trace:seh:call_stack_handlers calling handler at 0x7bc9ecab code=c0000005
flags=0 
--- snip ---

During fallback lookup it tries to update the user-provided buffer for the
module name which is unfortunately living in .rdata section = read-only,
causing the fault.
The app supplies a constant string literal as buffer, hence it never assumes
the buffer is being written to.

Memory map of dll in question:

--- snip ---
Address    Size      Owner              Section  Description
...
10000000   00001000  ginger_s 10000000           PE header
10001000   00066000  ginger_s 10000000  .text    code
10067000   00029000  ginger_s 10000000  .rdata   imports,exports
10090000   00004000  ginger_s 10000000  .data    data
10094000   00001000  ginger_s 10000000  .rsrc    resources
10095000   0000B000  ginger_s 10000000  .reloc   relocations
...
--- snip ---

App code showing hard-coded buffer and instance handle:

--- snip ---
10056360 83EC 7C            SUB ESP,7C
10056363 53                 PUSH EBX
10056364 55                 PUSH EBP
10056365 56                 PUSH ESI
10056366 57                 PUSH EDI
10056367 8D4424 10          LEA EAX,DWORD PTR SS:[ESP+10]
1005636B 50                 PUSH EAX
1005636C 68 1C7E0610        PUSH ginger_s.10067E1C ; const WCHAR* "shell32.dll"
10056371 33ED               XOR EBP,EBP            
10056373 55                 PUSH EBP               ; hInstance = NULL
10056374 894C24 28          MOV DWORD PTR SS:[ESP+28],ECX
10056378 C74424 1C 89000000 MOV DWORD PTR SS:[ESP+1C],89
10056380 FF15 50730610      CALL DWORD PTR
DS:[<&SHELL32.ExtractAssociatedIconW>
...
--- snip ---

Source:
http://source.winehq.org/git/wine.git/blob/e330a128d54613d2f7322cc3da2c8a5fea866992:/dlls/shell32/iconcache.c#l743

(the usual shell32 coding style/indenting inconsistencies aside)

--- snip ---
743 HICON WINAPI ExtractAssociatedIconW(HINSTANCE hInst, LPWSTR lpIconPath,
LPWORD lpiIcon)
744 {
745     HICON hIcon = NULL;
746     WORD wDummyIcon = 0;
747
748     TRACE("%p %s %p\n", hInst, debugstr_w(lpIconPath), lpiIcon);
749
750     if(lpiIcon == NULL)
751        lpiIcon = &wDummyIcon;
752
753     hIcon = ExtractIconW(hInst, lpIconPath, *lpiIcon);
754
755     if( hIcon < (HICON)2 )
756     { if( hIcon == (HICON)1 ) /* no icons found in given file */
...
768       if( hIcon == (HICON)1 )
769         *lpiIcon = 2; /* MSDOS icon - we found .exe but no icons in it */
770       else
771         *lpiIcon = 6; /* generic icon - found nothing */
772
773       if (GetModuleFileNameW(hInst, lpIconPath, MAX_PATH))
774         hIcon = LoadIconW(hInst, MAKEINTRESOURCEW(*lpiIcon));
775     }
776     return hIcon;
777 }
--- snip ---

MSDN:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms648067%28v=vs.85%29.aspx

Maybe on Windows the error path with user-buffer being updated is never hit due
to successful icon resource retrieval or a check is done if the user-buffer is
writeable.
Another explanation could be that the caller provided instance handle is not to
be used as fallback lookup.
It's not explicitly mentioned in remarks section of the function in MSDN where
the lookup sequence is explained.

$ sha1sum SP2Demo.zip 
fd589918790c82f363f9688842b59f0b7eab77b2  SP2Demo.zip

$ du -sh SP2Demo.zip 
165M    SP2Demo.zip

$ wine --version
wine-1.7.36-16-g748788f

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list