[Bug 30499] New: Avira AVG Free Edition 2012 (32/64-bit) installer crashes due to access of undocumented PEB field "UnicodeCaseTableData"
wine-bugs at winehq.org
Sat Apr 21 14:17:18 CDT 2012
http://bugs.winehq.org/show_bug.cgi?id=30499
Bug #: 30499
Summary: Avira AVG Free Edition 2012 (32/64-bit) installer crashes due to access of undocumented PEB field "UnicodeCaseTableData"
Product: Wine
Version: 1.5.2
Platform: x86-64
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
AssignedTo: wine-bugs at winehq.org
ReportedBy: focht at gmx.net
Classification: Unclassified
Hello,
while trying out various 64-bit installers I came across this.
Not a 64-bit issue, but at least something that should be documented in a bug.
"AVG Anti-Virus Free 2012" installer from Avira crashes very early.
Happens with both 32-bit and 64-bit versions (the crashing part is 32-bit for
both).
--- snip ---
$ wine avg_free_x64_all_2012_2127a4918.exe
fixme:ntdll:NtQuerySystemInformation (0x00000021,0x33fcb0,0x00000010,(nil)) stub
fixme:ntdll:NtQuerySystemInformation info_class SYSTEM_INTERRUPT_INFORMATION
fixme:ntdll:NtQuerySystemInformation info_class SYSTEM_INTERRUPT_INFORMATION
fixme:ntdll:NtQuerySystemInformation (0x0000002d,0x33fc90,0x00000020,(nil)) stub
fixme:ntdll:NtQueryInformationProcess (process=0xffffffff) Unimplemented information class: ProcessDeviceMap
fixme:ntdll:NtQueryInformationProcess (process=0xffffffff) Unimplemented information class: ProcessDeviceMap
wine: Unhandled page fault on read access to 0x00000002 at address 0x4bc966 (thread 0047), starting debugger...
...
Unhandled exception: page fault on read access to 0x00000002 in 32-bit code (0x004bc966).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:004bc966 ESP:0033fb50 EBP:0033fb64 EFLAGS:00010246( R- -- I Z- -P- )
EAX:00000000 EBX:0033fc80 ECX:00000007 EDX:00000007
ESI:0033fc72 EDI:00000007
Stack dump:
0x0033fb50: 00000007 00be3342 00be3340 0033fc80
0x0033fb60: 0f241900 0033fb94 006414c8 0033fc72
0x0033fb70: 00be3342 00000007 00000007 00000000
0x0033fb80: 0033fc70 00be3310 00be3308 0033fc72
0x0033fb90: 00000008 0033fc34 00640aeb 0f2419d0
0x0033fba0: 00000008 0076fa64 0033fc00 00000000
Backtrace:
=>0 0x004bc966 in avgmfapx (+0xbc966) (0x0033fb64)
1 0x006414c8 in avgmfapx (+0x2414c7) (0x0033fb94)
2 0x00640aeb in avgmfapx (+0x240aea) (0x0033fc34)
--- snip ---
The crashing 32-bit process "avgmfapx.exe" can be run standalone after
unpacking to reproduce.
The installer accesses the undocumented "UnicodeCaseTableData" PEB field to do
what seems to be ANSI -> UNICODE conversion of strings.
I must admit, I'm completely baffled why they didn't use any Win32/ntdll API
for that task.
Installer code:
--- snip ---
004BC930 55 PUSH EBP
004BC931 8BEC MOV EBP,ESP
004BC933 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
004BC936 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
004BC939 83EC 08 SUB ESP,8
004BC93C 8BC1 MOV EAX,ECX
004BC93E 3BCA CMP ECX,EDX
004BC940 76 02 JBE SHORT 004BC944
004BC942 8BC2 MOV EAX,EDX
004BC944 807D 18 00 CMP BYTE PTR SS:[EBP+18],0
004BC948 53 PUSH EBX
004BC949 56 PUSH ESI
004BC94A 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004BC94D 8D1C46 LEA EBX,[EAX*2+ESI]
004BC950 57 PUSH EDI
004BC951 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
004BC954 0F85 F1000000 JNE 004BCA4B
004BC95A 64:A1 18000000 MOV EAX,DWORD PTR FS:[18] ; TEB
004BC960 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; PEB
004BC963 8B40 60 MOV EAX,DWORD PTR DS:[EAX+60] ; UnicodeCaseTableData
004BC966 0FB778 02 MOVZX EDI,WORD PTR DS:[EAX+2] ; *boom*
004BC96A 8D7C78 04 LEA EDI,[EDI*2+EAX+4]
004BC96E 897D FC MOV DWORD PTR SS:[EBP-4],EDI
004BC971 3BF3 CMP ESI,EBX
004BC973 0F83 FA000000 JNB 004BCA73
004BC979 8DA424 00000000 LEA ESP,[ESP]
004BC980 0FB70E MOVZX ECX,WORD PTR DS:[ESI]
004BC983 8B55 0C MOV EDX,DWORD PTR SS:[EBP+0C]
004BC986 0FB702 MOVZX EAX,WORD PTR DS:[EDX]
004BC989 66:8BD1 MOV DX,CX
...
--- snip ---
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html
--- snip ---
...
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
...
--- snip ---
PEB offset 0x60 is "UnicodeCaseTableData"
Download:
http://www.filehippo.com/de/download_avg_antivirus_64/download/8611bbb6e4123763fe74d0c42cc2d9f2/
$ du -sh avg_free_x86_all_2012_2127a4918.exe
145M avg_free_x86_all_2012_2127a4918.exe
$ du -sh avg_free_x64_all_2012_2127a4918.exe
165M avg_free_x64_all_2012_2127a4918.exe
$ sha1sum avg_free_x86_all_2012_2127a4918.exe
3430b467d762dad9ca2f232846e0d737c6755ab5 avg_free_x86_all_2012_2127a4918.exe
$ sha1sum avg_free_x64_all_2012_2127a4918.exe
wfa3f8c9daa70851bd5224a77d9936df52ce2fe8d avg_free_x64_all_2012_2127a4918.exe
$ wine --version
wine-1.5.2-191-gd080774
I don't mind if this is a WONTFIX ;-)
Regards
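A small triage helper, added here and not part of the bug report or of Wine, that follows the FS:[18] -> PEB -> field register chain in an OllyDbg-style listing like the one above and flags the first memory read through the loaded field pointer (the read that faults at 0x00000002 when the field is NULL); it also accepts the direct FS:[30] PEB load. The 0x58/0x5c field names, the PEB32_FIELDS table and all function names are assumptions, not values from the report.

```python
import re

# Added example (not from the bug report or Wine): follow TEB -> PEB -> field
# register chains in an OllyDbg-style listing and flag the first read through
# the field pointer. 0x60 is from the report; 0x58/0x5c are assumed (4-byte ptrs).
PEB32_FIELDS = {0x58: "AnsiCodePageData", 0x5c: "OemCodePageData",
                0x60: "UnicodeCaseTableData"}
REGS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}
NON_WRITING = {"CMP", "TEST", "PUSH"}  # first operand is read, not written
MEM_RE = re.compile(r"PTR (?P<seg>[A-Z]S):\[(?P<base>[A-Z]{3})?\+?(?P<off>[0-9A-F]+)?\]")

def parse_line(line):
    """Return (addr, mnemonic, [operands]) or None; opcode-byte tokens are even-length hex."""
    toks = line.split(";", 1)[0].split()
    while len(toks) > 1 and re.fullmatch(r"[0-9A-F:]+", toks[1]) \
            and len(toks[1].replace(":", "")) % 2 == 0:
        del toks[1]
    return (toks[0], toks[1], [o.strip() for o in " ".join(toks[2:]).split(",") if o]) if len(toks) > 1 else None

def find_peb_accesses(listing):
    """(addr, offset, name, note) per PEB field load and per read through it."""
    taint, findings = {}, []  # reg -> "TEB" | "PEB" | ("FIELD", offset)
    for line in listing.splitlines():
        p = parse_line(line)
        if not p or not p[2] or p[2][0] not in REGS or p[1] in NON_WRITING:
            continue
        addr, dst, new = p[0], p[2][0], None
        m = MEM_RE.search(p[2][1]) if len(p[2]) > 1 else None
        if m:
            fs, base = m.group("seg") == "FS", m.group("base")
            off, src = int(m.group("off") or "0", 16), taint.get(base)
            if fs and base is None and off in (0x18, 0x30):
                new = "TEB" if off == 0x18 else "PEB"  # FS:[18] is the TEB, FS:[30] the PEB
            elif src == "TEB" and off == 0x30:
                new = "PEB"
            elif src == "PEB":
                new = ("FIELD", off)
                findings.append((addr, off, PEB32_FIELDS.get(off, "?"), "PEB field load"))
            elif isinstance(src, tuple):
                findings.append((addr, src[1], PEB32_FIELDS.get(src[1], "?"),
                                 "read at +0x%x; faults at 0x%x if the field is NULL" % (off, off)))
        taint.pop(dst, None)  # any other write to dst ends its taint
        if new:
            taint[dst] = new
    return findings

SAMPLE = """004BC95A 64:A1 18000000 MOV EAX,DWORD PTR FS:[18] ; TEB
004BC960 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30] ; PEB
004BC963 8B40 60 MOV EAX,DWORD PTR DS:[EAX+60] ; UnicodeCaseTableData
004BC966 0FB778 02 MOVZX EDI,WORD PTR DS:[EAX+2] ; *boom*"""  # constructed sample, copied from the report's listing
```

Running find_peb_accesses(SAMPLE) reports the load of PEB+0x60 at 004BC963 and the read through it at +2 at 004BC966, which matches the fault address in the crash log.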