[Bug 30499] New: Avira AVG Free Edition 2012 (32/64-bit) installer crashes due to access of undocumented PEB field "UnicodeCaseTableData"

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Apr 21 14:17:18 CDT 2012


http://bugs.winehq.org/show_bug.cgi?id=30499

             Bug #: 30499
           Summary: Avira AVG Free Edition 2012 (32/64-bit) installer
                    crashes due to access of undocumented PEB field
                    "UnicodeCaseTableData"
           Product: Wine
           Version: 1.5.2
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net
    Classification: Unclassified


Hello,

While trying out various 64-bit installers I came across this.
Not a 64-bit issue, but at least something that should be documented in a bug.

"AVG Anti-Virus Free 2012" installer from Avira crashes very early.
Happens with both the 32-bit and 64-bit versions (the crashing part is 32-bit for
both).

--- snip ---
$ wine avg_free_x64_all_2012_2127a4918.exe
fixme:ntdll:NtQuerySystemInformation (0x00000021,0x33fcb0,0x00000010,(nil)) stub
fixme:ntdll:NtQuerySystemInformation info_class SYSTEM_INTERRUPT_INFORMATION
fixme:ntdll:NtQuerySystemInformation info_class SYSTEM_INTERRUPT_INFORMATION
fixme:ntdll:NtQuerySystemInformation (0x0000002d,0x33fc90,0x00000020,(nil)) stub
fixme:ntdll:NtQueryInformationProcess (process=0xffffffff) Unimplemented information class: ProcessDeviceMap
fixme:ntdll:NtQueryInformationProcess (process=0xffffffff) Unimplemented information class: ProcessDeviceMap
wine: Unhandled page fault on read access to 0x00000002 at address 0x4bc966 (thread 0047), starting debugger...
...
Unhandled exception: page fault on read access to 0x00000002 in 32-bit code (0x004bc966).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:004bc966 ESP:0033fb50 EBP:0033fb64 EFLAGS:00010246(  R- --  I  Z- -P- )
 EAX:00000000 EBX:0033fc80 ECX:00000007 EDX:00000007
 ESI:0033fc72 EDI:00000007
Stack dump:
0x0033fb50:  00000007 00be3342 00be3340 0033fc80
0x0033fb60:  0f241900 0033fb94 006414c8 0033fc72
0x0033fb70:  00be3342 00000007 00000007 00000000
0x0033fb80:  0033fc70 00be3310 00be3308 0033fc72
0x0033fb90:  00000008 0033fc34 00640aeb 0f2419d0
0x0033fba0:  00000008 0076fa64 0033fc00 00000000
Backtrace:
=>0 0x004bc966 in avgmfapx (+0xbc966) (0x0033fb64)
  1 0x006414c8 in avgmfapx (+0x2414c7) (0x0033fb94)
  2 0x00640aeb in avgmfapx (+0x240aea) (0x0033fc34)
--- snip ---

The crashing 32-bit process "avgmfapx.exe" can be run standalone after
unpacking to reproduce.

The installer accesses the undocumented "UnicodeCaseTableData" PEB field to do
what seems to be ANSI -> UNICODE conversion of strings.
I must admit, I'm completely baffled why they didn't use any Win32/ntdll API
for that task.

Installer code:

--- snip ---
004BC930  55                PUSH EBP
004BC931  8BEC              MOV EBP,ESP
004BC933  8B4D 10           MOV ECX,DWORD PTR SS:[EBP+10]
004BC936  8B55 14           MOV EDX,DWORD PTR SS:[EBP+14]
004BC939  83EC 08           SUB ESP,8
004BC93C  8BC1              MOV EAX,ECX
004BC93E  3BCA              CMP ECX,EDX
004BC940  76 02             JBE SHORT 004BC944
004BC942  8BC2              MOV EAX,EDX
004BC944  807D 18 00        CMP BYTE PTR SS:[EBP+18],0
004BC948  53                PUSH EBX
004BC949  56                PUSH ESI
004BC94A  8B75 08           MOV ESI,DWORD PTR SS:[EBP+8]
004BC94D  8D1C46            LEA EBX,[EAX*2+ESI]
004BC950  57                PUSH EDI
004BC951  895D F8           MOV DWORD PTR SS:[EBP-8],EBX
004BC954  0F85 F1000000     JNE 004BCA4B
004BC95A  64:A1 18000000    MOV EAX,DWORD PTR FS:[18] ; TEB
004BC960  8B40 30           MOV EAX,DWORD PTR DS:[EAX+30] ; PEB
004BC963  8B40 60           MOV EAX,DWORD PTR DS:[EAX+60] ; UnicodeCaseTableData
004BC966  0FB778 02         MOVZX EDI,WORD PTR DS:[EAX+2] ; *boom*
004BC96A  8D7C78 04         LEA EDI,[EDI*2+EAX+4]
004BC96E  897D FC           MOV DWORD PTR SS:[EBP-4],EDI
004BC971  3BF3              CMP ESI,EBX
004BC973  0F83 FA000000     JNB 004BCA73
004BC979  8DA424 00000000   LEA ESP,[ESP]
004BC980  0FB70E            MOVZX ECX,WORD PTR DS:[ESI]
004BC983  8B55 0C           MOV EDX,DWORD PTR SS:[EBP+0C]
004BC986  0FB702            MOVZX EAX,WORD PTR DS:[EDX]
004BC989  66:8BD1           MOV DX,CX
...
--- snip ---

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html

--- snip ---
...
  PVOID                   AnsiCodePageData;
  PVOID                   OemCodePageData;
  PVOID                   UnicodeCaseTableData;
...
--- snip ---

PEB offset 0x60 is "UnicodeCaseTableData"

Download:
http://www.filehippo.com/de/download_avg_antivirus_64/download/8611bbb6e4123763fe74d0c42cc2d9f2/

$ du -sh avg_free_x86_all_2012_2127a4918.exe 
145M    avg_free_x86_all_2012_2127a4918.exe

$ du -sh avg_free_x64_all_2012_2127a4918.exe 
165M    avg_free_x64_all_2012_2127a4918.exe

$ sha1sum avg_free_x86_all_2012_2127a4918.exe
3430b467d762dad9ca2f232846e0d737c6755ab5  avg_free_x86_all_2012_2127a4918.exe

$ sha1sum avg_free_x64_all_2012_2127a4918.exe
wfa3f8c9daa70851bd5224a77d9936df52ce2fe8d  avg_free_x64_all_2012_2127a4918.exe

$ wine --version
wine-1.5.2-191-gd080774

I don't mind if this is a WONTFIX ;-)

Regards
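Added reconstruction in C of the dereference chain from the disassembly above (an added example, not the installer's code and not Wine's): a flat 32-bit memory image with the PEB and the case table at constructed addresses shows the table body address the installer computes when the field is populated, and the faulting address 0x00000002 when the field is NULL, as it is under Wine. PEB_ADDR, TABLE_ADDR, the header word value and the NULL check are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flat 32-bit "memory image" standing in for the process; the PEB and the
 * case table live at constructed addresses (assumptions of this model). */
#define MEM_SIZE   0x10000u
#define PEB_ADDR   0x1000u
#define TABLE_ADDR 0x2000u
#define PEB_UNICODE_CASE_TABLE_DATA 0x60u   /* offset from the PEB reference above */
typedef struct { uint32_t body; uint32_t fault_addr; } lookup_t;

static uint16_t rd16(const uint8_t *m, uint32_t a) { uint16_t v; memcpy(&v, m + a, 2); return v; }
static uint32_t rd32(const uint8_t *m, uint32_t a) { uint32_t v; memcpy(&v, m + a, 4); return v; }
static void wr16(uint8_t *m, uint32_t a, uint16_t v) { memcpy(m + a, &v, 2); }
static void wr32(uint8_t *m, uint32_t a, uint32_t v) { memcpy(m + a, &v, 4); }

/* Mirrors 004BC963..004BC96A: EAX = PEB->UnicodeCaseTableData;
 * EDI = *(WORD *)(EAX + 2); EDI = EAX + 4 + EDI * 2, plus the NULL check the
 * installer lacks. With the field NULL (Wine), body is 0 and fault_addr is
 * the address the MOVZX would have read, i.e. 0x00000002 as in the log. */
static lookup_t installer_table_body(const uint8_t *mem, uint32_t peb)
{
    lookup_t r = { 0, 0 };
    uint32_t table = rd32(mem, peb + PEB_UNICODE_CASE_TABLE_DATA);
    if (table == 0) {
        r.fault_addr = table + 2;   /* MOVZX EDI,WORD PTR [EAX+2] on a NULL EAX */
        return r;
    }
    uint16_t header_words = rd16(mem, table + 2);
    r.body = table + 4 + 2u * header_words;   /* LEA EDI,[EDI*2+EAX+4] */
    return r;
}

/* Image where PEB+0x60 points at a table whose WORD at +2 is header_words
 * (Windows-like) or is NULL (Wine-like); then runs the lookup on it. */
static lookup_t run_case(int field_present, uint16_t header_words)
{
    static uint8_t mem[MEM_SIZE];
    memset(mem, 0, sizeof mem);
    wr32(mem, PEB_ADDR + PEB_UNICODE_CASE_TABLE_DATA, field_present ? TABLE_ADDR : 0);
    wr16(mem, TABLE_ADDR + 2, header_words);
    return installer_table_body(mem, PEB_ADDR);
}

int main(void)
{
    lookup_t w = run_case(1, 0x100), l = run_case(0, 0x100);
    printf("Windows-like body 0x%08x; Wine-like fault at 0x%08x\n", w.body, l.fault_addr);
    return 0;
}
```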
