[Bug 34869] New: Microsoft Office 2013 full offline installer crashes on startup (TEB access with NULL TLS array pointer, failure to handle case where only late-bound modules have TLS directory)

From: wine-bugs at winehq.org
Wed Nov 6 17:21:43 CST 2013


http://bugs.winehq.org/show_bug.cgi?id=34869

             Bug #: 34869
           Summary: Microsoft Office 2013 full offline installer crashes
                    on startup (TEB access with NULL TLS array pointer,
                    failure to handle case where only late-bound modules
                    have TLS directory)
           Product: Wine
           Version: 1.7.5
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net
    Classification: Unclassified


Hello folks,

as the summary says...

--- snip ---
...
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:00b51ce1 ESP:0033c754 EBP:0033c77c EFLAGS:00010282(  R- --  I S - - - )
 EAX:00000000 EBX:00000000 ECX:00000000 EDX:00cdeac8
 ESI:00e4d2a0 EDI:00000001
Stack dump:
0x0033c754:  b97c320d 00000001 00e4d2a0 00000000
0x0033c764:  00e58a88 0033c78c 0033c714 0033c798
0x0033c774:  00c54f38 ffffffff 0033c7a4 00b51678
0x0033c784:  b97c32d5 00000001 00e4d2a0 00000000
0x0033c794:  0033c784 0033cf04 00c54e11 00000002
0x0033c7a4:  0033c7c0 00a5f68d 00000000 00e3ecf0
000c: sel=0067 base=00000000 limit=00000000 16-bit --x
Backtrace:
=>0 0x00b51ce1 in osetup (+0x3e1ce1) (0x0033c77c)
  1 0x00b51678 in osetup (+0x3e1677) (0x0033c7a4)
  2 0x00a5f68d in osetup (+0x2ef68c) (0x0033c7c0)
  3 0x00a42d02 in osetup (+0x2d2d01) (0x0033cee0)
  4 0x00a391d4 in osetup (+0x2c91d3) (0x0033cf10)
  5 0x009ae85c in osetup (+0x23e85b) (0x0033f5c4)
  6 0x1002d3c7 in setup (+0x2d3c6) (0x0033fcd4)
  7 0x1002b0c3 in setup (+0x2b0c2) (0x0033fd74)
  8 0x004027f2 in setup (+0x27f1) (0x0033fd90)
  9 0x00402eb2 in setup (+0x2eb1) (0x0033fe20)
  10 0x7b863d4c call_process_entry+0xb() in kernel32 (0x0033fe38) 
...
0x00b51ce1: movl    0x0(%eax,%ecx,4),%edi
Modules:
Module    Address            Debug info    Name (84 modules)
PE      350000-  37f000    Deferred        osetupui
PE      400000-  434000    Export          setup
PE      770000-  e3b000    Export          osetup
PE    10000000-100d3000    Export          setup 
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000023 (D) E:\setup.exe
    00000025    0
    00000024    0 <== 
--- snip ---

Crashing code:

--- snip ---
Wine-dbg>disas $EIP-0xC
0x00b51cd5: movl    %fs:0x2c,%eax
0x00b51cdb: movl    0x00ce69d8,%ecx
0x00b51ce1: movl    0x0(%eax,%ecx,4),%edi
--- snip ---

It's accessing the TEB with a NULL TLS array pointer.

Wine's loader only allocates the process-wide and per-thread structures for module
TLS storage if at least one of the initial modules has a TLS directory
(LdrInitializeThunk).
Unfortunately no early-bound module has a TLS directory/section, hence
"tls_module_count" is zero.
The DLL in question is late-bound -> MODULE_DllThreadAttach -> alloc_thread_tls
-> (tls_module_count == 0).

Loader info for the DLL in question:

--- snip ---
...
0030:Call KERNEL32.LoadLibraryExW(00548640
L"E:\\omui.id-id\\OSETUP.DLL",00000000,00001000) ret=1002c2db
...
0030:trace:module:load_native_dll Trying native dll
L"E:\\omui.id-id\\OSETUP.DLL"
0030:trace:module:map_image mapped PE file at 0x770000-0xe3b000
0030:trace:module:map_image mapping section .text at 0x771000 off 400 size
51d200 virt 51d0e4 flags 60000020
0030:trace:module:map_image clearing 0xc8e200 - 0xc8f000
0030:trace:module:map_image mapping section .data at 0xc8f000 off 51d600 size
51400 virt 58d38 flags c0000040
0030:trace:module:map_image clearing 0xce0400 - 0xce1000
0030:trace:module:map_image mapping section .tls at 0xce8000 off 0 size 0 virt
9 flags c0000080
0030:trace:module:map_image mapping section .rsrc at 0xce9000 off 56ea00 size
118e00 virt 118db8 flags 40000040
0030:trace:module:map_image clearing 0xe01e00 - 0xe02000
0030:trace:module:map_image mapping section .reloc at 0xe02000 off 687800 size
38c00 virt 38bec flags 42000040
0030:trace:module:map_image clearing 0xe3ac00 - 0xe3b000
0030:trace:module:map_image relocating from 0x10000000-0x106cb000 to
0x770000-0xe3b000 
--- snip ---

$ wine --version
wine-1.7.5-336-gb43b7b6

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
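The failure mode described in the report, as an added model that is not Wine's code: a process whose initial modules have no TLS directory, so the thread's TLS array pointer at fs:[0x2c] is left NULL, followed by a late-bound module that does carry one. The Module/Teb layouts, the function names (register_tls_module_broken/fixed, alloc_thread_tls, tls_access) and the 9-byte TLS template are all constructed assumptions; the model goes slightly beyond the report by placing a loader that creates the per-thread array on demand next to the one that skips threads whose array was never allocated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of a PE loader's module-TLS bookkeeping (not Wine's
 * code; all names are assumptions).  A Win32 TEB keeps a pointer to a
 * per-thread array of TLS blocks at fs:[0x2c]; compiled TLS access reads
 * that pointer and indexes it with the module's _tls_index, which is the
 * crashing sequence  mov eax,fs:[0x2c]; mov ecx,[_tls_index]; mov edi,[eax+ecx*4]
 */
#define MAX_THREADS 8
#define MAX_MODULES 8

typedef struct {
    const char    *name;
    const uint8_t *tls_template;  /* StartAddressOfRawData .. EndAddressOfRawData */
    size_t         template_size;
    size_t         zero_fill;     /* SizeOfZeroFill */
    uint32_t       tls_index;     /* what the loader writes through AddressOfIndex */
} Module;

typedef struct { void **ThreadLocalStoragePointer; } Teb;   /* fs:[0x2c] */

static Teb    *threads[MAX_THREADS];   static int thread_count;
static Module *tls_modules[MAX_MODULES]; static int tls_module_count;

static void *build_tls_block(const Module *m)
{
    uint8_t *block = calloc(1, m->template_size + m->zero_fill);
    if (block && m->template_size) memcpy(block, m->tls_template, m->template_size);
    return block;
}

/* Per-thread setup at thread start: with no TLS modules registered there is
 * nothing to allocate, so the TEB pointer stays NULL. */
static void alloc_thread_tls(Teb *teb)
{
    if (!tls_module_count) return;
    teb->ThreadLocalStoragePointer = calloc(tls_module_count, sizeof(void *));
    for (int i = 0; i < tls_module_count; i++)
        teb->ThreadLocalStoragePointer[i] = build_tls_block(tls_modules[i]);
}

static Teb *create_thread(void)
{
    Teb *teb = calloc(1, sizeof(*teb));
    threads[thread_count++] = teb;
    alloc_thread_tls(teb);
    return teb;
}

/* Broken late-bind path: hands out a slot but only extends arrays that already
 * exist; a thread created while tls_module_count was 0 keeps a NULL pointer. */
static void register_tls_module_broken(Module *m)
{
    m->tls_index = tls_module_count;
    tls_modules[tls_module_count++] = m;
    for (int t = 0; t < thread_count; t++) {
        Teb *teb = threads[t];
        if (!teb->ThreadLocalStoragePointer) continue;            /* the bug */
        teb->ThreadLocalStoragePointer = realloc(teb->ThreadLocalStoragePointer,
                                                 tls_module_count * sizeof(void *));
        teb->ThreadLocalStoragePointer[m->tls_index] = build_tls_block(m);
    }
}

/* Fixed late-bind path: realloc(NULL, n) creates the array for threads that
 * never had one, so every live thread gets a block for the new module. */
static void register_tls_module_fixed(Module *m)
{
    m->tls_index = tls_module_count;
    tls_modules[tls_module_count++] = m;
    for (int t = 0; t < thread_count; t++) {
        Teb *teb = threads[t];
        void **arr = realloc(teb->ThreadLocalStoragePointer, tls_module_count * sizeof(void *));
        if (!arr) abort();
        arr[m->tls_index] = build_tls_block(m);
        teb->ThreadLocalStoragePointer = arr;
    }
}

/* The compiled access.  Real code page-faults on a NULL array; the model
 * returns NULL instead so the failure is observable. */
static void *tls_access(const Teb *teb, uint32_t tls_index)
{
    void **arr = teb->ThreadLocalStoragePointer;
    return arr ? arr[tls_index] : NULL;
}

/* Scenario from the report: no TLS modules at process start, then a DLL with
 * a TLS directory is loaded late.  Returns 1 if the thread reaches its block. */
int run_scenario(int fixed)
{
    static const uint8_t tmpl[9] = { 1, 2, 3, 4, 5, 6, 7, 8, 9 };   /* constructed */
    Module late_dll = { "OSETUP.DLL", tmpl, sizeof tmpl, 0, 0 };
    thread_count = 0; tls_module_count = 0;
    Teb *main_thread = create_thread();              /* count == 0 here */
    if (fixed) register_tls_module_fixed(&late_dll);
    else       register_tls_module_broken(&late_dll);
    const uint8_t *block = tls_access(main_thread, late_dll.tls_index);
    return block != NULL && memcmp(block, tmpl, sizeof tmpl) == 0;
}

int main(void)
{
    printf("broken loader: %s\n", run_scenario(0) ? "ok" : "NULL TLS array (crash)");
    printf("fixed loader:  %s\n", run_scenario(1) ? "ok" : "NULL TLS array (crash)");
    return 0;
}
```

The point to take from the model is that per-module TLS slots have to be reconciled against every live thread at slot allocation time, not only at thread creation: a thread that started when tls_module_count was zero has no array at all, and "extend the existing array" silently skips it.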


