[Bug 35269] New: Mobile Master crashes on startup (array-index out of bounds for IFile_tid in scrrun get_typeinfo)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Dec 29 16:46:44 CST 2013 

http://bugs.winehq.org/show_bug.cgi?id=35269

            Bug ID: 35269
           Summary: Mobile Master crashes on startup (array-index out of
                    bounds for IFile_tid in scrrun get_typeinfo)
           Product: Wine
           Version: 1.7.9
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: scrrun
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
    Classification: Unclassified

Hello folks,

while verifying bug 27180 I stumbled into another problem :|

Relevant part of backtrace:

--- snip ---
Unhandled exception: page fault on read access to 0x00000001 in 32-bit code
(0xf7550803).
...
Backtrace:
=>0 0xf7550803 __memcmp_sse4_2+0x163() in libc.so.6 (0x0033e488)
  1 0x7e713a8e ITypeLib2_fnGetTypeInfoOfGuid+0xcd(iface=<couldn't compute
location>, guid=<couldn't compute location>, ppTInfo=<couldn't compute
location>) [/home/focht/projects/wine/wine-git/dlls/oleaut32/typelib.c:4960] in
oleaut32 (0x0033e488)
  2 0x7ded5435 get_typeinfo+0x81(tid=IFile_tid, typeinfo=0x33e548)
[/home/focht/projects/wine/wine-build32/dlls/scrrun/../../include/oaidl.h:2669]
in scrrun (0x0033e508)
  3 0x7ded0ad7 file_GetIDsOfNames+0xba(iface=<couldn't compute location>,
riid=<couldn't compute location>, rgszNames=<couldn't compute location>,
cNames=<couldn't compute location>, lcid=<couldn't compute location>,
rgDispId=<couldn't compute location>)
[/home/focht/projects/wine/wine-git/dlls/scrrun/filesystem.c:704] in scrrun
(0x0033e588)
  4 0x72a478d1 in msvbvm60 (+0x1078d0) (0x0033e5b8)
  5 0x72a48336 in msvbvm60 (+0x108335) (0x0033e5e4)
  6 0x72a410e0 in msvbvm60 (+0x1010df) (0x0033f848)
  7 0x72991d33 in msvbvm60 (+0x51d32) (0x0033f854)
  8 0x004454e4 in mobilemaster (+0x454e3) (0x0033f864)
...
0xf7550803 __memcmp_sse4_2+0x163 in libc.so.6: movl    0xfffffff0(%edx),%ebx
Modules:
Module    Address            Debug info    Name (72 modules)
PE      400000-  bc6000    Export          mobilemaster
PE    113d0000-114c0000    Deferred        tssofficemenu1d
PE    72940000-72a93000    Export          msvbvm60
ELF    7b800000-7ba61000    Dwarf           kernel32<elf>
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000024 MMStarter.exe
    00000025    0
00000026 (D) C:\Program Files\Mobile Master\MobileMaster.exe
    00000029    0
    00000028    0
    00000027    0 <== 
--- snip ---

Trace log with +ole gives a bit of hint ...

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Mobile Master

$ WINEDEBUG=+tid,+seh,+relay,+scrrun,+typelib wine ./MMStarter.exe >>log.txt
2>&1
...

0026:trace:scrrun:file_GetIDsOfNames
(0x152b538)->({00000000-0000-0000-0000-000000000000} 0x33e5c0 1 1033 0x33e5c4)
0026:trace:ole:ITypeLib2_fnGetTypeInfoOfGuid 0x173af8 <guid-0x0001> 0x33e4c4
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf748d803
ip=f748d803 tid=0026
0026:trace:seh:raise_exception  info[0]=00000000
0026:trace:seh:raise_exception  info[1]=00000001
0026:trace:seh:raise_exception  eax=001773d8 ebx=f748d800 ecx=42c642c1
edx=00000011 esi=0033e4a0 edi=7deecda0
0026:trace:seh:raise_exception  ebp=0033e488 esp=0033e428 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010287
--- snip ---

Strange GUID in second parameter of ITypeLib2_fnGetTypeInfoOfGuid() ;-)

Source:
http://source.winehq.org/git/wine.git/blob/a29d77088ac2b07fb68d84646be2884f49e9df7a:/dlls/scrrun/scrrun_private.h#l24

--- snip ---
24 typedef enum tid_t
25 {
26     NULL_tid,
27     IDictionary_tid,
28     IFileSystem3_tid,
29     IFolder_tid,
30     ITextStream_tid,
31     IFile_tid,
32     LAST_tid
33 } tid_t;
--- snip ---

The corresponding array and referencing code:

Source:
http://source.winehq.org/git/wine.git/blob/a29d77088ac2b07fb68d84646be2884f49e9df7a:/dlls/scrrun/scrrun.c#l103

--- snip ---
103 static REFIID tid_ids[] = {
104     &IID_NULL,
105     &IID_IDictionary,
106     &IID_IFileSystem3,
107     &IID_IFolder,
108     &IID_IFile
109 };

...

127 HRESULT get_typeinfo(tid_t tid, ITypeInfo **typeinfo)
128 {
...
136     if(!typeinfos[tid]) {
137         ITypeInfo *ti;
138
139         hres = ITypeLib_GetTypeInfoOfGuid(typelib, tid_ids[tid], &ti);
140         if(FAILED(hres)) {
141             ERR("GetTypeInfoOfGuid(%s) failed: %08x\n",
debugstr_guid(tid_ids[tid]), hres);
142         }
144
...
151 }
--- snip ---

'ITextStream_tid' was added with commit
http://source.winehq.org/git/wine.git/commitdiff/49a8d4ecb0cb868451c7ba3ded34d4e69248d8c4
but the array was not synchronized leading to out-of-bound indexing for
'IFile_tid'.

$ sha1sum MobileMasterInst.exe 
0bedc83c67f4a0181aac916150457f395f095526  MobileMasterInst.exe

$ du -sh MobileMasterInst.exe 
21M    MobileMasterInst.exe

$ wine --version
wine-1.7.9-209-gb231b4b

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list