[Bug 34716] HippoAnimator3 fails on startup, complains 'Invalid name' (GetTempPathW on poisoned stack buffer)

wine-bugs at winehq.org
Tue Nov 12 17:46:13 CST 2013


http://bugs.winehq.org/show_bug.cgi?id=34716

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |dotnet
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
          Component|-unknown                    |kernel32
            Summary|HippoAnimator3: Invalid     |HippoAnimator3 fails on
                   |name at installation        |startup, complains 'Invalid
                   |startup                     |name' (GetTempPathW on
                   |                            |poisoned stack buffer)
     Ever Confirmed|0                           |1

--- Comment #2 from Anastasius Focht <focht at gmx.net> 2013-11-12 17:46:13 CST ---
Hello folks,

confirming.

Prerequisite: 'winetricks -q dotnet20' (if Mono is not installed)

The installer writes a .NET app config file from its PE resource (good guy):

--- snip ---
002b:Call KERNEL32.FindResourceW(00400000,0000006f,0040c89c L"BINARY")
ret=00401431
002b:Ret  KERNEL32.FindResourceW() retval=004161f0 ret=00401431
002b:Call KERNEL32.LoadResource(00000000,004161f0) ret=0040143d
002b:Ret  KERNEL32.LoadResource() retval=00a63440 ret=0040143d
002b:Call KERNEL32.LockResource(00a63440) ret=00401444
002b:Ret  KERNEL32.LockResource() retval=00a63440 ret=00401444
002b:Call KERNEL32.SizeofResource(00000000,004161f0) ret=0040144e
002b:Ret  KERNEL32.SizeofResource() retval=000000db ret=0040144e
002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401464
002b:Ret  KERNEL32.GetTempPathW() retval=00000014 ret=00401464
002b:Call KERNEL32.CreateDirectoryW(0033f5f4
L"C:\\users\\focht\\Temp\\",00000000) ret=00401473
002b:Ret  KERNEL32.CreateDirectoryW() retval=00000000 ret=00401473
002b:Call KERNEL32.CreateFileW(0033ee24
L"C:\\users\\focht\\Temp\\HippoAnimator3Update.exe.config",40000000,00000000,00000000,00000002,00000080,00000000)
ret=004014e6
002b:Ret  KERNEL32.CreateFileW() retval=0000003c ret=004014e6
002b:Call KERNEL32.WriteFile(0000003c,00a63440,000000db,0033ee20,00000000)
ret=004014f7
002b:Ret  KERNEL32.WriteFile() retval=00000001 ret=004014f7
002b:Call KERNEL32.CloseHandle(0000003c) ret=004014fe
002b:Ret  KERNEL32.CloseHandle() retval=00000001 ret=004014fe 
--- snip ---

Next, an embedded PE binary should be written out the same way (bad guy):

--- snip ---
002b:Call KERNEL32.FindResourceW(00400000,0000006e,0040c89c L"BINARY")
ret=00401312
002b:Ret  KERNEL32.FindResourceW() retval=004161e0 ret=00401312
002b:Call KERNEL32.LoadResource(00000000,004161e0) ret=0040131e
002b:Ret  KERNEL32.LoadResource() retval=00470820 ret=0040131e
002b:Call KERNEL32.LockResource(00470820) ret=00401325
002b:Ret  KERNEL32.LockResource() retval=00470820 ret=00401325
002b:Call KERNEL32.SizeofResource(00000000,004161e0) ret=0040132f
002b:Ret  KERNEL32.SizeofResource() retval=005f2c20 ret=0040132f
002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401345
002b:Ret  KERNEL32.GetTempPathW() retval=00000014 ret=00401345
002b:Call KERNEL32.CreateDirectoryW(0033f5f4
L"C:\\users\\focht\\Temp\\",00000000) ret=00401354
002b:Ret  KERNEL32.CreateDirectoryW() retval=00000000 ret=00401354
002b:Call KERNEL32.CreateFileW(0033ee24
L"C:\\users\\focht\\Temp\\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...,40000000,00000000,00000000,00000002,00000080,00000000)
ret=004013c3
002b:Ret  KERNEL32.CreateFileW() retval=ffffffff ret=004013c3
002b:Call KERNEL32.WriteFile(ffffffff,00470820,005f2c20,0033ee20,00000000)
ret=004013d4
002b:Ret  KERNEL32.WriteFile() retval=00000000 ret=004013d4
002b:Call KERNEL32.CloseHandle(ffffffff) ret=004013db
002b:Ret  KERNEL32.CloseHandle() retval=00000000 ret=004013db
002b:Call shell32.ShellExecuteExW(0033edc8) ret=004012be
002b:Call ntdll.RtlAllocateHeap(00110000,00000000,000005d8) ret=7e88fca5
002b:Ret  ntdll.RtlAllocateHeap() retval=0012b758 ret=7e88fca5
002b:Call shlwapi.PathFindExtensionW(0012b758
L"C:\\users\\focht\\Temp\\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...)
ret=7e88e187
002b:Ret  shlwapi.PathFindExtensionW() retval=0012bd24 ret=7e88e187 
--- snip ---

The buffer for GetTempPathW() is allocated on stack and not pre-initialized.
After CreateDirectoryW() call, a copy loop is used to construct the final path
which gets passed to CreateFileW().
Due to the way the copy loop is coded, garbage characters from the stack-based
buffer might get copied, resulting in a malformed path.
From there everything goes downhill.
Crappy coding at its best ...

Maybe Windows zero-terminates the GetTempPathW() buffer up to the max buffer size, or it
just works by chance there (stack layout).
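To make the failure mode concrete, here is an added example that is not part of the bug report and not the installer's actual code. It models the defect described above: a GetTempPathW() buffer on the stack that is never initialized, and a copy loop that does not bound itself by the length GetTempPathW() returns. Assumptions: the real API is replaced by a simulation (sim_get_temp_path) so the code runs off Windows; the buggy loop is a hypothetical model that stops only at a double NUL, which is one way such a loop "works by chance" on a zeroed stack and runs into garbage on a poisoned one; the file name embedded.exe and the poison pattern are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define TEMP_BUF_CHARS 1000   /* the installer passes 0x3e8 = 1000 to GetTempPathW */
#define OUT_CHARS      260

/* Constructed stand-in for the embedded binary's file name (not taken from the report). */
static const wchar_t *const kFileName = L"embedded.exe";
static const wchar_t *const kExpected = L"C:\\users\\focht\\Temp\\embedded.exe";

/* Simulation of GetTempPathW (assumption: replaces the real API so the example runs
 * anywhere). Like the real call it writes the path plus one terminating NUL, returns
 * the character count without the NUL, and leaves the rest of the buffer untouched. */
static size_t sim_get_temp_path(size_t buf_chars, wchar_t *buf)
{
    static const wchar_t path[] = L"C:\\users\\focht\\Temp\\";
    size_t len = wcslen(path);
    if (buf_chars < len + 1) return len + 1;      /* required size, as the real API reports */
    memcpy(buf, path, (len + 1) * sizeof(wchar_t));
    return len;
}

/* Constructed junk resembling what an earlier call left on the stack. */
static void poison(wchar_t *buf, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) buf[i] = (wchar_t)(0xF740 + (i % 0x40));
}

/* Hypothetical model of the installer's copy loop: it treats the buffer as a double-NUL
 * terminated list, skips single NULs and only stops at two in a row. On a zeroed buffer
 * that happens to stop right after the path; on a poisoned one it copies garbage. */
static void build_path_buggy(wchar_t *out, const wchar_t *tmp, size_t tmp_chars)
{
    size_t i, j = 0;
    for (i = 0; i + 1 < tmp_chars && j < OUT_CHARS - 1; i++) {
        if (tmp[i] == 0 && tmp[i + 1] == 0) break;
        if (tmp[i] != 0) out[j++] = tmp[i];
    }
    out[j] = 0;
    wcsncat(out, kFileName, OUT_CHARS - 1 - j);
}

/* Defensive version: trust only the length GetTempPathW returned, reject failure and
 * truncation, and bound the concatenation so the file name always fits. */
static int build_path_fixed(wchar_t *out, size_t len, const wchar_t *tmp, size_t tmp_chars)
{
    if (len == 0 || len >= tmp_chars) return 0;            /* API error or buffer too small */
    if (len + wcslen(kFileName) + 1 > OUT_CHARS) return 0; /* result would not fit */
    memcpy(out, tmp, len * sizeof(wchar_t));
    out[len] = 0;
    wcscat(out, kFileName);
    return 1;
}

/* Buggy loop on a poisoned stack buffer; returns 1 only if the path came out right. */
int buggy_path_matches(void)
{
    wchar_t tmp[TEMP_BUF_CHARS], out[OUT_CHARS];
    poison(tmp, TEMP_BUF_CHARS);
    sim_get_temp_path(TEMP_BUF_CHARS, tmp);
    build_path_buggy(out, tmp, TEMP_BUF_CHARS);
    return wcscmp(out, kExpected) == 0;
}

/* Buggy loop on a zeroed buffer: the same code succeeds purely by stack layout. */
int buggy_path_matches_on_zeroed_stack(void)
{
    wchar_t tmp[TEMP_BUF_CHARS] = {0}, out[OUT_CHARS];
    sim_get_temp_path(TEMP_BUF_CHARS, tmp);
    build_path_buggy(out, tmp, TEMP_BUF_CHARS);
    return wcscmp(out, kExpected) == 0;
}

/* Fixed copy on the same poisoned stack: the returned length bounds the copy. */
int fixed_path_matches(void)
{
    wchar_t tmp[TEMP_BUF_CHARS], out[OUT_CHARS];
    size_t len;
    poison(tmp, TEMP_BUF_CHARS);
    len = sim_get_temp_path(TEMP_BUF_CHARS, tmp);
    if (!build_path_fixed(out, len, tmp, TEMP_BUF_CHARS)) return 0;
    return wcscmp(out, kExpected) == 0;
}

int main(void)
{
    printf("poisoned stack, buggy loop: %s\n", buggy_path_matches() ? "ok" : "garbage path");
    printf("zeroed stack,   buggy loop: %s\n", buggy_path_matches_on_zeroed_stack() ? "ok" : "garbage path");
    printf("poisoned stack, fixed copy: %s\n", fixed_path_matches() ? "ok" : "garbage path");
    return 0;
}
```

The point for anyone triaging a similar report: a path built from an uninitialized stack buffer is only as good as the terminator the loop looks for, so the same binary can pass on one platform or build and fail on another depending on what happens to be below the returned path. Checking the DWORD returned by GetTempPathW() (zero means failure, a value not smaller than the buffer size means truncation) and using that count, rather than scanning the buffer, removes the dependency on stack contents; zero-initializing the buffer is a cheap second line of defense.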

$ sha1sum HippoAnimator3.exe
0051b4a9c55e9c7e1c146e604068f7d730930dc7  HippoAnimator3.exe

$ du -sh HippoAnimator3.exe
7.3M    HippoAnimator3.exe

$ wine --version
wine-1.7.6-168-g8c94e27

Regards
