[Bug 35273] PotPlayer 1.5.x crashes when loading video file (FilterGraph_create releases/destroys controlling IUnknown)

wine-bugs at winehq.org wine-bugs at winehq.org
Mon Dec 30 08:07:45 CST 2013 

http://bugs.winehq.org/show_bug.cgi?id=35273

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
          Component|-unknown                    |quartz
            Summary|PotPlayer Crashes When      |PotPlayer 1.5.x crashes
                   |Loading Video File          |when loading video file
                   |                            |(FilterGraph_create
                   |                            |releases/destroys
                   |                            |controlling IUnknown)
     Ever confirmed|0                           |1

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

Workaround: 'winetricks -q quartz'

Relevant part of trace log:

NOTE: There is lots of interleaving heap activity from multiple threads,
filtered out for the important thread.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Daum/PotPlayer

$ WINEDEBUG=+tid,+seh,+relay,+heap,+quartz,+olemalloc wine ./PotPlayerMini.exe
>>log.txt 2>&1
...
0039:Call ntdll.RtlAllocateHeap(00747000,00000000,00000128) ret=105c89ac
0039:trace:heap:RtlAllocateHeap (0x747000,70000062,00000128): returning
0x1378940
0039:Ret  ntdll.RtlAllocateHeap() retval=01378940 ret=105c89ac 
...
0039:Call ole32.CoCreateInstance(107dbfdc,01378940,00000017,1075cb90,01378974)
ret=1033fd30 
...
0039:trace:quartz:DSCF_CreateInstance
(0x5718638)->(0x1378940,{00000000-0000-0000-c000-000000000046},0x1378974)
0039:trace:quartz:FilterGraph_create (0x1378940,0xf4e3dc) 
...
0039:Call ole32.CoCreateInstance(f5a7620c,01378940,00000001,f5a7af88,001ed340)
ret=1033fd30 
...
0039:trace:quartz:DSCF_CreateInstance
(0x20c020)->(0x1378940,{00000000-0000-0000-c000-000000000046},0x1ed340)
0039:trace:quartz:FilterMapper2_create (0x1378940, 0xf4e1ec) 
...
0039:trace:quartz:Inner_QueryInterface
(0x20e7b8)->({b79bb0b0-33c1-11d1-abe1-00a0c905f375}, 0x1ed344)
0039:Call KERNEL32.InterlockedIncrement(01378948) ret=1058c08f
0039:Ret  KERNEL32.InterlockedIncrement() retval=00000001 ret=1058c08f
0039:Call KERNEL32.InterlockedDecrement(01378948) ret=1058c0b0
0039:Ret  KERNEL32.InterlockedDecrement() retval=00000000 ret=1058c0b0
0039:Call ntdll.RtlDeleteCriticalSection(01378a1c) ret=102f9951
0039:trace:heap:RtlFreeHeap (0x110000,70000062,0x5686770): returning TRUE
0039:Ret  ntdll.RtlDeleteCriticalSection() retval=00000000 ret=102f9951
0039:Call ntdll.RtlDeleteCriticalSection(0137895c) ret=102f9a0d
0039:trace:heap:RtlFreeHeap (0x110000,70000062,0x56efe80): returning TRUE
0039:Ret  ntdll.RtlDeleteCriticalSection() retval=00000000 ret=102f9a0d
0039:Call KERNEL32.InterlockedDecrement(10c1e928) ret=1058bedb
0039:Ret  KERNEL32.InterlockedDecrement() retval=00000004 ret=1058bedb
0039:Call ntdll.RtlFreeHeap(00747000,00000000,01378940) ret=105c839e
0039:trace:heap:RtlFreeHeap (0x747000,70000062,0x1378940): returning TRUE
0039:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=105c839e 
...
0039:Ret  ole32.CoCreateInstance() retval=00000000 ret=1033fd30
0039:Call ntdll.RtlAllocateHeap(00747000,00000000,0000005e) ret=105c89ac
0039:err:heap:HEAP_ValidateInUseArena Heap 0x747000: free block 0x1378940
overwritten at 0x1378940 by 107afa00
...
<crash>
--- snip ---

The problem seems to be the release of the controlling IUnknown in
FilterGraph_create() -> memory block: 0x1378940

After returning from CoCreateInstance() sequences to app code, the memory block
is initialized with some vtable and other data members.
The value 0x107afa00 looks like some function offset to 'addref' located in
'potplayer.dll' (references InterlockedIncrement() somewhere in code).
Similar with offsets following ... 0x107afa04 = 'release' like function with
InterlockedDecrement(), indicating IUnknown.

Source:
http://source.winehq.org/git/wine.git/blob/bacd9abbc0bb53993b4ee9b370bf33548f3e6780:/dlls/quartz/filtergraph.c#l5615

Line 5685

--- snip ---
5615 /* This is the only function that actually creates a FilterGraph class...
*/
5616 HRESULT FilterGraph_create(IUnknown *pUnkOuter, LPVOID *ppObj)
5617 {
5618     IFilterGraphImpl *fimpl;
5619     HRESULT hr;
5620
5621     TRACE("(%p,%p)\n", pUnkOuter, ppObj);
5622
5623     *ppObj = NULL;
5624
5625     fimpl = CoTaskMemAlloc(sizeof(*fimpl));
...
5675     /* create Filtermapper aggregated. */
5676     hr = CoCreateInstance(&CLSID_FilterMapper2, fimpl->outer_unk,
CLSCTX_INPROC_SERVER, &IID_IUnknown, (void**)&fimpl->punkFilterMapper2);
5678
5679     if (SUCCEEDED(hr))
5680         hr = IUnknown_QueryInterface(fimpl->punkFilterMapper2,
&IID_IFilterMapper2, (void**)&fimpl->pFilterMapper2);
5682
5683     if (SUCCEEDED(hr))
5684         /* Release controlling IUnknown - compensate refcount increase
from caching IFilterMapper2 interface. */
5685         IUnknown_Release(fimpl->outer_unk);
...
5698     *ppObj = &fimpl->IUnknown_inner;
5699     return S_OK;
5700 }
--- snip ---

Tidbit: the app hooks various win32 API (including ole), though that doesn't
seem to cause harm.

Example: 'CoCreateInstance'

--- snip ---
7ECD7AFC  E9 7F7F6691     JMP 1033FA80
7ECD7B01  E4 F0           IN AL,0F0
7ECD7B03  FF71 FC         PUSH DWORD PTR DS:[ECX-4]
7ECD7B06  55              PUSH EBP
--- snip ---

$ sha1sum PotPlayer1.5.40688.EXE 
e9f1295ff03634c61db2964f87988c7e0ff0481d  PotPlayer1.5.40688.EXE

$ du -sh PotPlayer1.5.40688.EXE 
16M    PotPlayer1.5.40688.EXE

$ wine --version
wine-1.7.9-209-gb231b4b

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list