[Bug 23283] Cannot print my annual income tax return in ElsterFormular (crash)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Jun 20 15:26:35 CDT 2010 

http://bugs.winehq.org/show_bug.cgi?id=23283


Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net




--- Comment #2 from Anastasius Focht <focht at gmx.net>  2010-06-20 15:26:34 ---
Hello,

Wine bug unearthed by an "ElsterFormular" application bug ;-)

Prerequisites: vcrun6 and some (free) pdf reader application to use "print
preview" (app internally exports/generates .pdf).

--- quote ---
wine: Unhandled exception 0xc0000409 at address 0x42f6e2 (thread 001c),
starting debugger...
--- quote ---

This exception is caused by the app's internal runtime detecting a stack
corruption (it uses stack security cookies).
Basically after calling shell32.FindExecutableW() the stack got corrupted.
For the interested how stack cookies work:
http://msdn.microsoft.com/en-us/library/aa290051.aspx

Annotated app callstack before entering shell32.FindExecutableW():

HINSTANCE WINAPI FindExecutableW(LPCWSTR lpFile, LPCWSTR lpDirectory, LPWSTR
lpResult)

--- snip app stack ---
003396BC       041CA512    lpFile = "C:\users\focht\Application
Data\elsterformular\pica\tmp\100620205722_ElsterPrintPreview.pdf"
003396C0       00000000    lpDirectory = NULL
003396C4       0033970C    lpResult = 0033970C
...
; lpResult buffer starts here
0033970C       00000000
...
; stack security cookie
0033980C       5A6E2810
; points to next SEH record
00339810       00339868
; structured exception handler
00339814       00444702
00339818       00000007
; return to caller
0033981C       004167C0
...
--- snip app stack ---

dlls/shell32/shlexec.c:FindExecutableW -> SHELL_FindExecutable()

SHELL_FindExecutableByOperation() is used to determine the executable to be
launched with certain registered filetype (.pdf extension registered):

--- snip dlls/shell32/shlexec.c ---
static UINT SHELL_FindExecutable(LPCWSTR lpPath, LPCWSTR lpFile, LPCWSTR
lpOperation,
                                 LPWSTR lpResult, int resultLen, LPWSTR key,
WCHAR **env, LPITEMIDLIST pidl, LPCWSTR args)
{

...
    if (*filetype)
    {
        /* pass the operation string to SHELL_FindExecutableByOperation() */
        retval = SHELL_FindExecutableByOperation(lpOperation, key, filetype,
command, sizeof(command));

    if (retval > 32)
    {
        DWORD finishedLen;
        SHELL_ArgifyW(lpResult, resultLen, command, xlpFile, pidl, args,
&finishedLen);
        if (finishedLen > resultLen)
        ERR("Argify buffer not large enough.. truncated\n");
...
--- snip dlls/shell32/shlexec.c ---

Resulting in -> ""C:\Program Files\Tracker Software\PDF Viewer\PDFXCview.exe"
"%1"" (the pdf viewer I installed for this purpose).
Replacing "%1" -> "C:\users\focht\Application
Data\elsterformular\pica\tmp\100620205722_ElsterPrintPreview.pdf"

What happens is that the output buffer (lpResult) of FindExecutableW() caller
will actually contain two strings in argv-style: executable and file name up to
MAX_PATH.
This is wrong - the app buffer should never get the %1 (filename) parameter
(even if it's "invisible" due to null terminator in between) - it only
requested executable name - an unfortunate side effect of Wine's code sharing
at this place.

I already mentioned this Wine bug was unearthed by an application bug.
As you can see in annotated stack snippet, the application didn't bother to
provide what Microsoft suggests for lpResult: MAX_PATH length
(http://msdn.microsoft.com/en-us/library/bb776419.aspx).
Even if Wine fixes the problem by only copying executable path - if the pdf
executable path is long enough, it will most likely also corrupt the stack on
Windows.

Someone should tell these guys how to write "secure" software:
https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/738-BSI.html

But what can you expect from people that use german identifiers all over the
place for their classes, functions, variables and the like .. that's pure
coding horror (never heard of industry standards?).
Run the app with WINEDEBUG=+debugstr and see what I mean ...

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list