Crash when executing custom action in msi

Octavian Voicu octavian.voicu at gmail.com
Sun Apr 18 14:58:25 CDT 2010 

Hello,

I'm trying to get the Adobe Photoshop Elements 8.0 installer to work
and noticed the license screen doesn't show up when running the
installer using wine. A trace shows that a custom action
(CA_EULA_ExtractEulaFiles) generates a page fault.

The cause of the crash is that MsiGetActiveDatabase is called on a
remote handle that is actually a database handle (not a package handle
as expected). A simple proof of concept would be to call this from a
custom action handler in a dll:

MsiGetActiveDatabase(MsiGetActiveDatabase(hPackage));

MsiGetActiveDatabase will call msi_get_remote and cast the result to
IWineMsiRemotePackage, then call
IWineMsiRemotePackage_GetActiveDatabase. Because our handle is
actually a database handle, instead of calling mrp_GetActiveDatabase,
it will call mrd_GetPrimaryKeys. This leads to a crash (see attached
log).

The correct behavior for MsiGetActiveDatabase is to return 0 when
called with an invalid handle.

I made a patch for this (also attached). In order to check if the com
object is actually an IWineMsiRemotePackage, I compare the
IUnknown->lpVtbl pointer against msi_remote_package_vtbl. This looks a
bit messy, but I found no other way to do it. I'm posting the patch
here for review first.

Octavian
-------------- next part --------------
trace:msi:HANDLE_CustomType1 Calling function L"ExtractXHTML" from L"C:\\users\\octav\\Temp\\msi563a.tmp"
trace:msi:wait_thread_handle waiting for L"CA_EULA_ExtractEulaFiles"
trace:msi:DllThread custom action (2c) started
trace:msi:ACTION_CallDllFunction {e150f982-11e1-4d07-8ba4-fffea33844a8}
trace:msi:DllGetClassObject {ba26e6fa-4f27-4f56-953a-3f90272018aa} {00000001-0000-0000-c000-000000000046} 0xa0bea08
trace:msi:MsiCF_CreateInstance 0x7ee49888 (nil) {56d58b64-8780-4c22-a8bc-8b0b29e4a9f8} 0xa0bea04
trace:msi:alloc_msihandle 0x130728 -> 1
trace:loaddll:load_native_dll Loaded L"C:\\users\\octav\\Temp\\msi563a.tmp" at 0x10000000: native
trace:msi:alloc_msi_remote_handle 0x22b14c8 -> 2
trace:msi:ACTION_CallDllFunction calling L"ExtractXHTML"
trace:msi:MsiGetActiveDatabase (2)
trace:msi:MsiGetActiveDatabase (1)
trace:msi:alloc_msihandle 0x12f040 -> 3
trace:msi:alloc_msi_remote_handle 0x14cd58 -> 4
trace:msi:MsiGetActiveDatabase (4)
trace:msi:MsiDatabaseGetPrimaryKeysW 3 L"" 0x7ee2f738
trace:msi:MSI_DatabaseOpenViewW L"select * from `_Columns` where `Table` = ''" 0xa0bdd78
trace:msi:MSI_ParseSQL Parse returned 0
trace:msi:MSI_ViewExecute 0x1ec3488 (nil)
trace:msi:MSI_ViewFetch 0x1ec3488 0xa0bdd18
trace:msi:msi_view_get_row 0x12f040 0x243c360 0 0xa0bdd18
trace:msi:MSI_ViewClose 0x1ec3488
trace:msi:MSI_DatabaseGetPrimaryKeys Found 0 primary keys
trace:msi:MSI_ViewExecute 0x1ec3488 (nil)
trace:msi:MSI_ViewFetch 0x1ec3488 0xa0bdd18
trace:msi:msi_view_get_row 0x12f040 0x243c360 0 0xa0bdd18
trace:msi:MSI_ViewClose 0x1ec3488
trace:msi:msiobj_release object 0x1ec3488 destroyed
trace:msi:alloc_msihandle 0x243c330 -> 5
trace:seh:raise_exception code=c0000005 flags=0 addr=0x7edf4c78 ip=7edf4c78 tid=002c
trace:seh:raise_exception  info[0]=00000001
trace:seh:raise_exception  info[1]=7ee2f738
trace:seh:raise_exception  eax=00000005 ebx=7ee3cff4 ecx=00000000 edx=7ee2f738 esi=0012f040 edi=00000000
trace:seh:raise_exception  ebp=0a0bddf4 esp=0a0bdd9c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
trace:seh:call_vectored_handlers calling handler at 0x7e343300 code=c0000005 flags=0
trace:seh:call_vectored_handlers handler at 0x7e343300 returned 0
trace:seh:call_stack_handlers calling handler at 0x1000d324 code=c0000005 flags=0
trace:seh:call_stack_handlers handler at 0x1000d324 returned 1
trace:seh:call_stack_handlers calling handler at 0x7ee20150 code=c0000005 flags=0
trace:seh:__regs_RtlUnwind code=c0000005 flags=2
trace:seh:__regs_RtlUnwind calling handler at 0x7bc71cf0 code=c0000005 flags=2
trace:seh:__regs_RtlUnwind handler at 0x7bc71cf0 returned 1
trace:seh:__regs_RtlUnwind calling handler at 0x1000d324 code=c0000005 flags=2
trace:seh:__regs_RtlUnwind handler at 0x1000d324 returned 1
err:msi:ACTION_CallDllFunction Custom action (L"C:\\users\\octav\\Temp\\msi563a.tmp":L"ExtractXHTML") caused a page fault: c0000005
trace:msi:MsiCloseHandle 2
trace:msi:MsiCloseHandle handle 2 destroyed
trace:loaddll:free_modref Unloaded module L"C:\\users\\octav\\Temp\\msi563a.tmp" : native
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-crash-in-MsiGetActiveDatabase.patch
Type: text/x-patch
Size: 1853 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20100418/70d44879/attachment.bin>

More information about the wine-devel mailing list