[Bug 22829] Sysinternals RAMMap crashes (shell32.CommandLineToArgvW needs to include terminating NULL element in returned array of pointers)
wine-bugs at winehq.org
Sat Apr 7 06:07:25 CDT 2012
http://bugs.winehq.org/show_bug.cgi?id=22829
Anastasius Focht <focht at gmx.net> changed:
What           | Removed                                            | Added
---------------|----------------------------------------------------|--------------------------------------------------------
Status         | UNCONFIRMED                                        | NEW
URL            | http://download.sysinternals.com/Files/RAMMap.zip  | http://technet.microsoft.com/en-us/sysinternals/ff700229
Component      | -unknown                                           | shell32
CC             |                                                    | focht at gmx.net
Ever Confirmed | 0                                                  | 1
Summary        | Sysinternals RAMMap crashes                        | Sysinternals RAMMap crashes (shell32.CommandLineToArgvW needs to include terminating NULL element in returned array of pointers)
--- Comment #4 from Anastasius Focht <focht at gmx.net> 2012-04-07 06:07:25 CDT ---
Hello,
confirming. It seems the app expects CommandLineToArgvW() to return a
terminating NULL element in the returned array of pointers.
MSDN:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb776391%28v=vs.85%29.aspx
There is a comment in the community section (non-Microsoft) stating:
--- quote ---
No extra NULL element
Unlike main and wmain, CommandLineToArgvW does not have an extra element of
argv[argc] == NULL. Trying to do this will result in reading past the end of
the pointer list.
--- quote ---
This doesn't seem true.
The application code does _exactly_ that: it ignores the returned "argc" value
and loops through the returned pointer list looking for the terminating NULL element.
Relevant application code, annotated:
--- snip ---
0040EB18 33FF XOR EDI,EDI
...
0040EB45 8D4424 44 LEA EAX,[LOCAL.165] ; __out int *pNumArgs
0040EB49 50 PUSH EAX
0040EB4A 897C24 14 MOV DWORD PTR SS:[LOCAL.178],EDI
0040EB4E FF15 50B24200 CALL DWORD PTR DS:[<&KERNEL32.GetCommandLineW>]
0040EB54 50 PUSH EAX ; lpCmdLine
0040EB55 FF15 ACB24200 CALL DWORD PTR DS:[<&SHELL32.CommandLineToArgvW>]
0040EB5B 8BF0 MOV ESI,EAX
0040EB5D 897C24 14 MOV DWORD PTR SS:[LOCAL.177],EDI ; local_argc = 0
0040EB61 393E CMP DWORD PTR DS:[ESI],EDI ; argv[0] == NULL ?
0040EB63 0F84 8A000000 JE 0040EBF3
0040EB69 8BDE MOV EBX,ESI
arg_store_loop:
0040EB6B 68 F8164300 PUSH OFFSET 004316F8
...
0040EB97 FF4424 14 INC DWORD PTR SS:[LOCAL.177]
...
0040EBD9 8B4424 14 MOV EAX,DWORD PTR SS:[LOCAL.177]
0040EBDD 8D1C86 LEA EBX,[EAX*4+ESI]
0040EBE0 833B 00 CMP DWORD PTR DS:[EBX],0
0040EBE3 75 86 JNE SHORT 0040EB6B ; arg_store_loop
--- snip ---
Calling the app with some arguments:
--- snip ---
$ wine ./RAMMap.exe arg1 arg2 arg3
--- snip ---
Dump of the corresponding memory block Wine returns (heap metadata prepended for
convenience):
--- snip ---
0012C438 00000078
0012C43C 00455355 USE
0012C440 0012C450 ; UNICODE "Z:\home\focht\Downloads\RAMMap.exe"
0012C444 0012C49A ; UNICODE "arg1"
0012C448 0012C4A4 ; UNICODE "arg2"
0012C44C 0012C4AE ; UNICODE "arg3"
0012C450 003A005A Z :
0012C454 0068005C \ h
0012C458 006D006F o m
0012C45C 005C0065 e \
0012C460 006F0066 f o
0012C464 00680063 c h
0012C468 005C0074 t \
0012C46C 006F0044 D o
0012C470 006E0077 w n
0012C474 006F006C l o
0012C478 00640061 a d
0012C47C 005C0073 s \
0012C480 00410052 R A
0012C484 004D004D M M
0012C488 00700061 a p
0012C48C 0065002E . e
0012C490 00650078 x e
0012C494 00220000
0012C498 00610020 a
0012C49C 00670072 r g
0012C4A0 00000031 1
0012C4A4 00720061 a r
0012C4A8 00320067 g 2
0012C4AC 00610000 a
0012C4B0 00670072 r g
0012C4B4 00000033 3
--- snip ---
Iteration 5: "argv[4]" -> 0x0012C450 -> dereference: 0x003A005A (already part
of the argv[0] string).
The address is mapped by chance (thread stack at 0x3A0000), so no page fault is
triggered.
Iteration 6: "argv[5]" -> 0x0012C454 -> dereference: 0x0068005C
This virtual address is not mapped, triggering a fault and crashing the app.
Source:
http://source.winehq.org/git/wine.git/blob/f445325999ebf3afd0b7df0e5c1a31eebe7b8b0c:/dlls/shell32/shell32_main.c#l57
RAMMap v1.11 By Mark Russinovich and Bryce Cogswell
Published: May 18, 2011
$ sha1sum RAMMap.exe
7f24fc771549d159d1ae4b3ea6e314750ce07a70 RAMMap.exe
$ wine --version
wine-1.5.1-169-g1c62c9f
Regards
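The following is an added example, not Wine's or RAMMap's code: a small model of the single heap block that CommandLineToArgvW returns (pointer array followed by the wide strings, the layout seen in the dump above), built once without and once with the terminating NULL element, plus the "walk until NULL" consumer pattern from the disassembly. Names and the sample argument list are constructed for the demo.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed model of one CommandLineToArgvW result block: the argv pointer
   array first, then the argument strings it points at (same layout as the heap
   dump in the report). with_terminator=1 models Windows (argv[argc] == NULL),
   with_terminator=0 models the Wine behaviour described in the report. */
static wchar_t **build_argv_block(const wchar_t *const *args, int argc,
                                  int with_terminator)
{
    size_t nptr = (size_t)argc + (with_terminator ? 1 : 0);
    size_t bytes = nptr * sizeof(wchar_t *);
    for (int i = 0; i < argc; i++)
        bytes += (wcslen(args[i]) + 1) * sizeof(wchar_t);

    wchar_t **argv = malloc(bytes);
    if (!argv) return NULL;
    wchar_t *text = (wchar_t *)(argv + nptr); /* strings start right after the pointers */
    for (int i = 0; i < argc; i++) {
        argv[i] = text;
        wcscpy(text, args[i]);
        text += wcslen(args[i]) + 1;
    }
    if (with_terminator)
        argv[argc] = NULL;
    return argv;
}

/* The consumer pattern from the disassembly: ignore argc and walk the pointer
   list until a NULL element. The scan is bounded to nptr elements so this demo
   never reads outside the block; -1 means no terminator exists inside the
   pointer array (the real app would keep reading into the string data and on
   past the block, which is the crash in the report). */
static int walk_until_null(wchar_t **argv, size_t nptr)
{
    for (size_t i = 0; i < nptr; i++)
        if (argv[i] == NULL) return (int)i;
    return -1;
}

/* Returns 1 when the slot the app reads as argv[argc] is actually the first
   bytes of argv[0]'s text, i.e. the 0x003A005A ("Z:") value in the report. */
static int slot_argc_overlaps_argv0(wchar_t **argv, int argc)
{
    return (void *)argv[0] == (void *)&argv[argc];
}
```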