[Bug 5961] Microsoft Money 2006 trial installer causes heap error on exit (broken application)
wine-bugs at winehq.org
Sun Apr 6 07:16:55 CDT 2014
https://bugs.winehq.org/show_bug.cgi?id=5961
Anastasius Focht <focht at gmx.net> changed:
What            |Removed                    |Added
----------------|---------------------------|---------------------------
Status          |NEW                        |RESOLVED
CC              |                           |focht at gmx.net
Hardware        |Other                      |x86
Resolution      |---                        |WONTFIX
Summary         |MS Money 2006 trial setup  |Microsoft Money 2006 trial
                |causes heap err on exit    |installer causes heap error
                |                           |on exit (broken
                |                           |application)
OS              |other                      |Linux
--- Comment #12 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
There is nothing to fix here, it's a bug in the Microsoft installer.
One can unwrap the first installer and use the second-level installer directly.
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay ./mnyinst.exe /Licewarmup /BOOTSTRAPPERLAUNCH >>log.txt 2>&1
...
0039:Call KERNEL32.LocalFree(0014cdd8) ret=0041b16d
0039:Ret KERNEL32.LocalFree() retval=00000000 ret=0041b16d
0039:Call KERNEL32.LocalFree(736f7263) ret=0041b1c4
0039:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b8467e0 ip=7b8467e0 tid=0039
0039:trace:seh:raise_exception info[0]=00000000
0039:trace:seh:raise_exception info[1]=736f7261
0039:trace:seh:raise_exception eax=736f7261 ebx=7b8bb000 ecx=9388d9af edx=0033f9c0 esi=0033fb3c edi=0033fb14
0039:trace:seh:raise_exception ebp=0033fac8 esp=0033f9a0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0039:trace:seh:call_stack_handlers calling handler at 0x7b889fef code=c0000005 flags=0
0039:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
0039:trace:seh:__regs_RtlUnwind calling handler at 0x7bc82489 code=c0000005 flags=2
0039:trace:seh:__regs_RtlUnwind handler at 0x7bc82489 returned 1
0039:err:heap:GlobalFree (0x736f7263): Page fault occurred ! Caused by bug ?
0039:Ret KERNEL32.LocalFree() retval=736f7263 ret=0041b1c4
--- snip ---
The installer uses instance data for each dialog page (eula, accept, progress,
finish), for which the pointer is stored in the data segment.
After allocation of each dialog page instance block, a part of the block is
zero-initialized while other parts are simply filled with UI-object data
(window/brush handles), strings and pointers to other instance data.
Unfortunately, while preparing the instance data for the last 'finish' dialog page,
the last member of the structure [offset+0x19C] is not initialized (previous
pages had some pointer from one LocalAlloc() call stored here).
Dump of the block (0x1A0 bytes):
--- snip ---
$-8 004E4230 000001A0 .... ; heap block size
$-4 004E4234 00455355 USE. ; heap magic
$ ==> 004E4238 0041293C <)A. ; mnyinst.0041293C
$+4 004E423C 00000001 ...
$+8 004E4240 0000006E n...
$+C 004E4244 00000001 ....
$+10 004E4248 00000000 ....
$+14 004E424C FFFFFFFF ....
$+18 004E4250 00000000 ....
...
$+15C 004E4394 00000000 ....
$+160 004E4398 00000000 ....
$+164 004E439C 004E432C ,CN.
$+168 004E43A0 00000061 a...
$+16C 004E43A4 00000062 b...
$+170 004E43A8 00000000 ....
$+174 004E43AC 00070064 d...
$+178 004E43B0 004E008A Š.N.
$+17C 004E43B4 0036003D =.6. ; brush handle
$+180 004E43B8 00000000 ....
$+184 004E43BC 00000000 ....
$+188 004E43C0 00000002 ....
$+18C 004E43C4 001A05B0 ....
$+190 004E43C8 00000002 ....
$+194 004E43CC 001AAD20 ....
$+198 004E43D0 00000000 ....
$+19C 004E43D4 736F7263 cros ; leftover data from previous heap use
=== next block ===
$+1A0 004E43D8 000000A8 ¨... ; heap block size
$+1A4 004E43DC 00455355 USE. ; heap magic
--- snip ---
Code snippet which allocates and initializes the instance data:
--- snip ---
...
0041AAEE PUSH 1A0
0041AAF3 CALL <JMP.&MSVCR71.??2@YAPAXI@Z> ; alloc instance data
0041AAF9 MOV ECX,EAX
0041AAFB MOV DWORD PTR SS:[EBP-10],ECX
0041AAFE CMP ECX,EDI
0041AB00 MOV DWORD PTR SS:[EBP-4],EDI
0041AB03 JE SHORT mnyinst.0041AB0F
0041AB05 CALL mnyinst.0041B098 ; instance data init #1
0041AB0A MOV DWORD PTR SS:[EBP-10],EAX
0041AB0D JMP SHORT mnyinst.0041AB12
0041AB0F MOV DWORD PTR SS:[EBP-10],EDI
0041AB12 MOV ECX,DWORD PTR SS:[EBP-10]
0041AB15 OR DWORD PTR SS:[EBP-4],FFFFFFFF
0041AB19 CMP ECX,EDI
0041AB1B JE mnyinst.0041ABDF
0041AB21 PUSH DWORD PTR SS:[EBP-14]
0041AB24 CALL mnyinst.0041B6DC ; instance data init #2 (bug)
0041AB29 PUSH DWORD PTR SS:[EBP-10] ; lParam
0041AB2C MOV EAX,DWORD PTR DS:[ESI+14]
0041AB2F MOV EAX,DWORD PTR DS:[EBX+EAX]
0041AB32 MOVZX EAX,WORD PTR DS:[EAX]
0041AB35 PUSH mnyinst.0041B50F ; pDlgProc = mnyinst.0041B50F
0041AB3A PUSH DWORD PTR DS:[42BDC4] ; hOwner
0041AB40 PUSH EAX ; pTemplate
0041AB41 PUSH DWORD PTR DS:[42B58C] ; hInst = 00400000
0041AB47 CALL DWORD PTR DS:[<&USER32.CreateDialogParamA>]
...
0041ABA4 PUSH 3 ; Flags = SWP_NOSIZE|SWP_NOMOVE
0041ABA6 PUSH EDI ; Height
0041ABA7 PUSH EDI ; Width
0041ABA8 PUSH EDI ; Y
0041ABA9 PUSH EDI ; X
0041ABAA PUSH EDI ; InsertAfter
0041ABAB PUSH ESI ; hWnd
0041ABAC CALL DWORD PTR DS:[<&USER32.SetWindowPos>]
0041ABB2 MOV EAX,DWORD PTR SS:[EBP-10]
0041ABB5 MOV DWORD PTR DS:[42BDD0],ESI
0041ABBB MOV DWORD PTR DS:[42BDD4],EAX ; save instance data ptr
...
--- snip ---
Upon exit the uninitialized value is passed to LocalFree().
Windows probably figures out the handle is invalid like Wine (maybe not the
'hard' way by causing a fault), hence the 'free' becomes a no-op.
Since there is no harm caused by this bug there is nothing to worry about.
Resolving 'wontfix'.
$ sha1sum webinst.exe
586d1bbfe2cb7fc6fa116c439aba6b2c0a80c01e webinst.exe
$ du -sh webinst.exe
21M webinst.exe
$ wine --version
wine-1.7.16-1-gb772260
Regards
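The failure mode described in the comment, replayed as an added example that is neither code from the bug report nor from the installer: a toy allocator stands in for LocalAlloc()/operator new and hands out blocks without clearing them, a hypothetical page_instance struct models the 0x1A0-byte block with its last member at +0x19C, the buggy init leaves that member untouched so it inherits the previous user's "cros" bytes, and a validating free models the comment's assumption that Windows rejects a bogus handle instead of faulting (Wine reaches the same result by catching the page fault, as the trace shows). The fixed init zeroes the whole block first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the bug report or from the installer.
 * A toy allocator hands out fixed 0x1A0-byte blocks without clearing them,
 * the way LocalAlloc()/operator new do, so a block reused after a free still
 * carries its previous user's bytes (the situation at offset +0x19C in the
 * dump above). */
#define BLOCK_SIZE 0x1A0
#define NUM_BLOCKS 4

static unsigned char arena[NUM_BLOCKS][BLOCK_SIZE];
static int in_use[NUM_BLOCKS];

void *toy_alloc(void)
{
    for (int i = 0; i < NUM_BLOCKS; i++)
        if (!in_use[i]) { in_use[i] = 1; return arena[i]; }
    return NULL;
}

/* Validating free: models the comment's assumption that Windows' LocalFree()
 * recognises a bogus handle and turns the free into a no-op rather than
 * faulting. Returns 0 on success, 1 when the value is not a live block. */
int toy_free(void *p)
{
    if (p == NULL) return 0;               /* freeing a null handle is harmless */
    for (int i = 0; i < NUM_BLOCKS; i++)
        if (in_use[i] && p == arena[i]) { in_use[i] = 0; return 0; }
    return 1;                              /* garbage handle: rejected, never dereferenced */
}

/* Hypothetical layout of one dialog-page instance block. All fields are
 * 32-bit so the last member sits at +0x19C and the struct is exactly 0x1A0
 * bytes, matching the x86 dump; the real installer's layout is unknown. */
struct page_instance {
    uint32_t vtable;                        /* +0x000 */
    uint32_t flags;                         /* +0x004 */
    unsigned char other[BLOCK_SIZE - 12];   /* +0x008 .. +0x19B */
    uint32_t last_member;                   /* +0x19C, handle passed to free on exit */
};

/* Buggy "init #2": writes a few fields, never touches last_member. */
struct page_instance *init_page_buggy(void *block)
{
    struct page_instance *pg = block;
    pg->vtable = 0x0041293C;   /* value from the dump, used only as a marker */
    pg->flags = 1;
    return pg;
}

/* Fixed init: zero the whole block first, so an untouched handle reads as 0. */
struct page_instance *init_page_fixed(void *block)
{
    struct page_instance *pg = memset(block, 0, sizeof *pg);
    pg->vtable = 0x0041293C;
    pg->flags = 1;
    return pg;
}

/* Replays the report's sequence: a previous user leaves "cros" (0x736F7263)
 * at +0x19C, frees the block, the page instance is allocated into the same
 * memory, and on exit last_member is passed to free. Stores the free's
 * status in *free_rc and returns the value that was handed to it. */
static uint32_t replay(int use_fixed_init, int *free_rc)
{
    uint32_t leftover = 0x736F7263u;        /* "cros" in the dump (constructed) */
    unsigned char *prev = toy_alloc();
    memcpy(prev + 0x19C, &leftover, sizeof leftover);
    toy_free(prev);

    void *block = toy_alloc();              /* same slot, bytes untouched */
    struct page_instance *pg = use_fixed_init ? init_page_fixed(block)
                                              : init_page_buggy(block);
    uint32_t handle = pg->last_member;
    *free_rc = toy_free((void *)(uintptr_t)handle);
    toy_free(pg);
    return handle;
}

/* Value that ends up in last_member: leftover garbage on the buggy path, 0 when fixed. */
uint32_t last_member_after_init(int use_fixed_init)
{
    int rc;
    return replay(use_fixed_init, &rc);
}

/* Status of freeing that value: 1 (rejected) on the buggy path, 0 when fixed. */
int free_status_after_init(int use_fixed_init)
{
    int rc;
    replay(use_fixed_init, &rc);
    return rc;
}
```

The validating free compares the handle against the allocator's live-block list instead of dereferencing it, which is why the buggy path is harmless here just as the comment expects it to be on Windows; a release-mode heap that trusted the handle would be the scenario in which an uninitialized member like this turns into a real memory-safety bug.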