[Bug 35135] New: Air Video Server HD 1.x crashes on startup (NULL SERVER_INFO_101.sv101_comment returned from NetServerGetInfo)

wine-bugs at winehq.org
Sun Dec 15 14:55:22 CST 2013


http://bugs.winehq.org/show_bug.cgi?id=35135

            Bug ID: 35135
           Summary: Air Video Server HD 1.x crashes on startup (NULL
                    SERVER_INFO_101.sv101_comment returned from
                    NetServerGetInfo)
           Product: Wine
           Version: 1.7.8
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: netapi32
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
    Classification: Unclassified

Hello folks,

as the summary says ...

Prerequisite: Bonjour Print Services for Windows v2.x

Download: http://support.apple.com/downloads/DL999/en_US/BonjourPSSetup.exe

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/AirVideoServer HD

$ WINEDEBUG=+tid,+seh,+relay,+netapi32 wine ./AirVideoServerUI.exe >>log.txt 2>&1
...
003e:Call netapi32.NetServerGetInfo(00000000,00000065,026fe6f8) ret=00438847
003e:trace:netapi32:NetServerGetInfo (null) 101 0x26fe6f8
003e:Call KERNEL32.GetComputerNameW(026fe520,026fe654) ret=7e028081
003e:Ret  KERNEL32.GetComputerNameW() retval=00000001 ret=7e028081
003e:trace:netapi32:NetApiBufferAllocate (38, 0x26fe6f8)
003e:Call ntdll.RtlAllocateHeap(00110000,00000000,00000026) ret=7e02854b
003e:Ret  ntdll.RtlAllocateHeap() retval=01c997d8 ret=7e02854b
003e:Call KERNEL32.GetVersionExW(026fe540) ret=7e028113
003e:Ret  KERNEL32.GetVersionExW() retval=00000001 ret=7e028113
003e:Ret  netapi32.NetServerGetInfo() retval=00000000 ret=00438847
003e:trace:seh:raise_exception code=c0000005 flags=0 addr=0x40f634 ip=0040f634 tid=003e
003e:trace:seh:raise_exception  info[0]=00000000
003e:trace:seh:raise_exception  info[1]=00000000
003e:trace:seh:raise_exception  eax=00000000 ebx=01c89fb0 ecx=026fe714 edx=00000001 esi=026fe714 edi=00000000
003e:trace:seh:raise_exception  ebp=026fe6e0 esp=026fe6d8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
...
--- snip ---

Application code showing access of SERVER_INFO_101.sv101_comment member:

--- snip ---
...
0043882C   8D45 B8          LEA EAX,DWORD PTR SS:[EBP-48]
0043882F   50               PUSH EAX              ; bufptr
00438830   6A 65            PUSH 65               ; level: SERVER_INFO_101
00438832   6A 00            PUSH 0                ; servername 
00438834   C745 B4 00000000 MOV DWORD PTR SS:[EBP-4C],0
0043883B   C745 B8 00000000 MOV DWORD PTR SS:[EBP-48],0
00438842   E8 1F8B5D00      CALL <JMP.&NETAPI32.NetServerGetInfo>
00438847   85C0             TEST EAX,EAX
00438849   75 5C            JNZ SHORT AirVideo.004388A7
0043884B   8B45 B8          MOV EAX,DWORD PTR SS:[EBP-48] ; SERVER_INFO_101
0043884E   8D4D D4          LEA ECX,DWORD PTR SS:[EBP-2C]
00438851   FF70 14          PUSH DWORD PTR DS:[EAX+14]    ; *boom*
...
--- snip ---

Dump of structure returned from NetServerGetInfo():

--- snip ---
$+0      01C7B700 000001F4
$+4      01C7B704 01C7B718 ; UNICODE ptr "nexus4"
$+8      01C7B708 00000005
$+C      01C7B70C 00000001
$+10     01C7B710 00001000
$+14     01C7B714 00000000 ; sv101_comment
--- snip ---

MSDN:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa370903%28v=vs.85%29.aspx

--- quote ---
typedef struct _SERVER_INFO_101 {
  DWORD  sv101_platform_id;
  LPWSTR sv101_name;
  DWORD  sv101_version_major;
  DWORD  sv101_version_minor;
  DWORD  sv101_type;
  LPWSTR sv101_comment;
} SERVER_INFO_101, *PSERVER_INFO_101, *LPSERVER_INFO_101;

...
sv101_comment

    Type: LPWSTR

    A pointer to a Unicode string specifying a comment describing the server.
    The comment can be null.

--- quote ---

"can" ... sure ;-)

Maybe Wine could use an empty string by default to prevent applications from
crashing that directly access this member without checking for NULL.

Source:
http://source.winehq.org/git/wine.git/blob/8b5ec5bb4911842966534102a602b0f00c386f65:/dlls/netapi32/netapi32.c#l1050

--- snip ---
1018 NET_API_STATUS WINAPI NetServerGetInfo(LMSTR servername, DWORD level, LPBYTE* bufptr)
1019 {
...
1047         if (ret == NERR_Success)
1048         {
1049             /* INFO_100 structure is a subset of INFO_101 */
1050             PSERVER_INFO_101 info = (PSERVER_INFO_101)*bufptr;
1051             OSVERSIONINFOW verInfo;
1052
1053             info->sv101_platform_id = PLATFORM_ID_NT;
1054             info->sv101_name = (LMSTR)(*bufptr + sizeof(SERVER_INFO_101));
1055             memcpy(info->sv101_name, computerName,
1056             computerNameLen * sizeof(WCHAR));
1057             verInfo.dwOSVersionInfoSize = sizeof(verInfo);
1058             GetVersionExW(&verInfo);
1059             info->sv101_version_major = verInfo.dwMajorVersion;
1060             info->sv101_version_minor = verInfo.dwMinorVersion;
1061             /* Use generic type as no wine equivalent of DC / Server */
1062             info->sv101_type = SV_TYPE_NT;
1063             info->sv101_comment = NULL;
1064        }
...

--- snip ---

$ sha1sum AirVideoServerHD-1.0.11.exe 
d1b58dea685bcce3381e29b9cc2fefda90f97389  AirVideoServerHD-1.0.11.exe

$ du -sh AirVideoServerHD-1.0.11.exe 
11M    AirVideoServerHD-1.0.11.exe

$ wine --version
wine-1.7.8-220-g0bef543

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
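
Added example, not part of the original report and not Wine's code: a portable C model of the single-allocation layout in the quoted source, showing the reporter's suggestion of pointing sv101_comment at an empty string stored after the name instead of NULL. The type and function names (WCHAR16, server_info_101, build_info101, info101_size, comment_len_unchecked) are hypothetical stand-ins; the field values and the name "nexus4" are the ones in the structure dump above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-ins for WCHAR and SERVER_INFO_101 (hypothetical names). */
typedef uint16_t WCHAR16;
typedef struct {
    uint32_t platform_id;
    WCHAR16 *name;
    uint32_t version_major, version_minor, type;
    WCHAR16 *comment;
} server_info_101;

/* Host name shown in the report's structure dump. */
static const WCHAR16 SAMPLE_NAME[] = { 'n', 'e', 'x', 'u', 's', '4' };

/* Struct + terminated name, plus one terminator when the comment is "". */
size_t info101_size(size_t name_len, int empty_comment) {
    return sizeof(server_info_101) + (name_len + 1) * sizeof(WCHAR16)
         + (empty_comment ? sizeof(WCHAR16) : 0);
}

/* One allocation holds the struct and its strings, as in the quoted code.
 * empty_comment == 0 models the reported behaviour (comment is NULL);
 * otherwise comment points at an empty string stored after the name. */
server_info_101 *build_info101(const WCHAR16 *name, size_t name_len, int empty_comment) {
    unsigned char *buf = calloc(1, info101_size(name_len, empty_comment));
    server_info_101 *info = (server_info_101 *)buf;
    if (!buf) return NULL;
    info->platform_id = 0x1F4;                 /* field values from the dump */
    info->version_major = 5; info->version_minor = 1; info->type = 0x1000;
    info->name = (WCHAR16 *)(buf + sizeof(*info));
    memcpy(info->name, name, name_len * sizeof(WCHAR16)); /* calloc left the NULs */
    info->comment = empty_comment ? info->name + name_len + 1 : NULL;
    return info;
}

/* What the crashing caller effectively does: read comment with no NULL check. */
size_t comment_len_unchecked(const server_info_101 *info) {
    size_t n = 0;
    while (info->comment[n]) n++;
    return n;
}

int main(void) {
    server_info_101 *fixed = build_info101(SAMPLE_NAME, 6, 1);
    int ok = fixed && comment_len_unchecked(fixed) == 0;
    free(fixed);
    return ok ? 0 : 1;
}
```

On 32-bit the structure is 24 bytes, so the 38-byte NetApiBufferAllocate call in the trace is consistent with a six-character name plus its terminator; the empty comment costs one more WCHAR.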


