[Bug 19241] winemenubuilder crashes during extraction of high-res Windows Vista+ 256x256 PNG compressed icon resources

wine-bugs at winehq.org
Sat Jul 5 15:07:21 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=19241

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
            Summary|winemenubuilder crashes     |winemenubuilder crashes
                   |when running any            |during extraction of
                   |application including       |high-res Windows Vista+
                   |notepad                     |256x256 PNG compressed icon
                   |                            |resources

--- Comment #10 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

Confirming. Embarrassingly, this bug has existed for some years now.

I have 'winemenubuilder' disabled by default, hence I didn't get those
occasional crashes other people reported.

New bug reports with 'winemenubuilder' crashes appeared recently so I took an
interest in this :)

In the case of the 'InnoSetup' installer there exist two icon groups in the
resource directory:

#1 "MAINICON"

--- snip ---
16 x 16 (256 colors) - Ordinal name: 1
32 x 32 (256 colors) - Ordinal name: 2
48 x 48 (256 colors) - Ordinal name: 3
16 x 16 (16.8mil colors) - Ordinal name: 4
32 x 32 (16.8mil colors) - Ordinal name: 5
48 x 48 (16.8mil colors) - Ordinal name: 6
128 x 128 (16.8mil colors) - Ordinal name: 7
256 x 256 (16.8mil colors) - Ordinal name: 8
--- snip ---

#2 "1"

--- snip ---
16 x 16 (256 colors) - Ordinal name: 9
32 x 32 (256 colors) - Ordinal name: 10
48 x 48 (256 colors) - Ordinal name: 11
16 x 16 (16.8mil colors) - Ordinal name: 12
32 x 32 (16.8mil colors) - Ordinal name: 13
48 x 48 (16.8mil colors) - Ordinal name: 14
128 x 128 (16.8mil colors) - Ordinal name: 15
256 x 256 (16.8mil colors) - Ordinal name: 16
--- snip ---

Relevant part of trace log:

--- snip ---
...
0028:Call KERNEL32.LoadLibraryExW(0033e71c L"C:\\Program Files\\Inno Setup
5\\Compil32.exe",00000000,00000002) ret=7edb5790
0028:Ret  KERNEL32.LoadLibraryExW() retval=00340001 ret=7edb5790
0028:Call KERNEL32.EnumResourceNamesW(00340001,0000000e,7edb56f2,0033d9c0)
ret=7edb5934
0028:trace:resource:EnumResourceNamesW 0x340001 #000e 0x7edb56f2 33d9c0
0028:trace:resource:LdrFindResourceDirectory_U module 0x340001 type #000e name 
lang 0000 level 1
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5600 id 000e ret
0x3a58a8
0028:Call KERNEL32.FindResourceW(00340001,00136c88 L"MAINICON",0000000e)
ret=7edb573d
0028:trace:resource:FindResourceExW 0x340001 #000e L"MAINICON" 0000
0028:trace:resource:LdrFindResource_U module 0x340001 type #000e name
L"MAINICON" lang 0000 level 3
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5600 id 000e ret
0x3a58a8
0028:trace:resource:find_entry_by_name root 0x3a5600 dir 0x3a58a8 name
L"MAINICON" ret 0x3a5ec8
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5ec8 id 0000 not
found
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5ec8 id 0409 ret
0x3a6308
0028:Ret  KERNEL32.FindResourceW() retval=003a6308 ret=7edb573d
0028:Ret  KERNEL32.EnumResourceNamesW() retval=00000000 ret=7edb5934
0028:Call KERNEL32.LoadResource(00340001,003a6308) ret=7edb59b5
0028:trace:resource:LoadResource 0x340001 0x3a6308
0028:Ret  KERNEL32.LoadResource() retval=003fa5dc ret=7edb59b5
0028:Call KERNEL32.LockResource(003fa5dc) ret=7edb59d0
0028:Ret  KERNEL32.LockResource() retval=003fa5dc ret=7edb59d0 
0028:Call ntdll.RtlAllocateHeap(00110000,00000000,00055fc0) ret=7edb494b
0028:Ret  ntdll.RtlAllocateHeap() retval=00137200 ret=7edb494b
0028:Call ntdll.RtlAllocateHeap(00110000,00000000,00000080) ret=7edb49dc
0028:Ret  ntdll.RtlAllocateHeap() retval=0018d1c8 ret=7edb49dc 
0028:Call ole32.CreateStreamOnHGlobal(00000000,00000001,0033d8ec) ret=7edb4a59
...
--- snip ---

Icon group "MAINICON" resources #1 .. #8

--- snip ---
...
0028:Call KERNEL32.FindResourceW(00340001,00000001,00000003) ret=7edb4699
0028:trace:resource:FindResourceExW 0x340001 #0003 #0001 0000
0028:trace:resource:LdrFindResource_U module 0x340001 type #0003 name #0001
lang 0000 level 3
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5600 id 0003 ret
0x3a5708
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5708 id 0001 ret
0x3a5aa8
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5aa8 id 0000 not
found
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5aa8 id 0409 not
found
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5aa8 id 0009 not
found
0028:Ret  KERNEL32.FindResourceW() retval=003a6048 ret=7edb4699
0028:Call KERNEL32.LoadResource(00340001,003a6048) ret=7edb46bb
0028:trace:resource:LoadResource 0x340001 0x3a6048
0028:Ret  KERNEL32.LoadResource() retval=003a81f0 ret=7edb46bb
0028:Call KERNEL32.LockResource(003a81f0) ret=7edb46d6
0028:Ret  KERNEL32.LockResource() retval=003a81f0 ret=7edb46d6
0028:Call KERNEL32.FreeResource(003a81f0) ret=7edb4889
0028:Ret  KERNEL32.FreeResource() retval=00000000 ret=7edb4889 
...
0028:trace:resource:FindResourceExW 0x340001 #0003 #0008 0000
0028:trace:resource:LdrFindResource_U module 0x340001 type #0003 name #0008
lang 0000 level 3
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5600 id 0003 ret
0x3a5708
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5708 id 0008 ret
0x3a5b50
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5b50 id 0000 not
found
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5b50 id 0409 not
found
0028:trace:resource:find_entry_by_id root 0x3a5600 dir 0x3a5b50 id 0009 not
found
0028:Ret  KERNEL32.FindResourceW() retval=003a60b8 ret=7edb4699
0028:Call KERNEL32.LoadResource(00340001,003a60b8) ret=7edb46bb
0028:trace:resource:LoadResource 0x340001 0x3a60b8
0028:Ret  KERNEL32.LoadResource() retval=003be188 ret=7edb46bb
0028:Call KERNEL32.LockResource(003be188) ret=7edb46d6
0028:Ret  KERNEL32.LockResource() retval=003be188 ret=7edb46d6
0028:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf74c88e6
ip=f74c88e6 tid=0028
0028:trace:seh:raise_exception  info[0]=00000000
0028:trace:seh:raise_exception  info[1]=003fb000
0028:trace:seh:raise_exception  eax=003faf90 ebx=f753a000 ecx=000031a0
edx=00189fa0 esi=00000800 edi=00003800
0028:trace:seh:raise_exception  ebp=0033d898 esp=0033d850 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010206
0028:trace:seh:call_stack_handlers calling handler at 0x7bc9dbe3 code=c0000005
flags=0 
...
Unhandled exception: page fault on read access to 0x003fb000 in 32-bit code
(0xf74c88e6).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:f74c88e6 ESP:0033d850 EBP:0033d898 EFLAGS:00010206(  R- --  I   - -P- )
 EAX:003faf90 EBX:f753a000 ECX:000031a0 EDX:00189fa0
 ESI:00000800 EDI:00003800
...
Backtrace:
=>0 0xf74c88e6 __memcpy_ssse3_rep+0x286() in libc.so.6 (0x0033d898)
  1 0x7edb485a populate_module_icons+0x21e(hModule=0x340001,
grpIconDir=0x3fa5dc, iconDirEntries=0x18d1c8, icons="(", iconOffset=0x33d8dc)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:624]
in winemenubuilder (0x0033d898)
  2 0x7edb4b27 add_module_icons_to_stream+0x279(iconData16=(nil),
hModule=0x340001, grpIconDir=0x3fa5dc)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:675]
in winemenubuilder (0x0033d998)
  3 0x7edb59f6 open_module_icon+0x29b(szFileName="C:\Program Files\Inno Setup
5\Compil32.exe", nIndex=0, ppStream=0x33da98)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:911]
in winemenubuilder (0x0033da28)
  4 0x7edb6135 open_icon+0x2a(filename="C:\Program Files\Inno Setup
5\Compil32.exe", index=0, bWait=0x1, ppStream=0x33da98)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:1055]
in winemenubuilder (0x0033da68)
  5 0x7edb696b extract_icon+0xb0(icoPathW="C:\Program Files\Inno Setup
5\Compil32.exe", index=0, destFilename=0x0(nil), bWait=0x1)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:1367]
in winemenubuilder (0x0033dac8)
  6 0x7edbbc7e InvokeShellLinker+0x6f8(sl=0x136dfc, link="C:\users\Public\Start
Menu\Programs\Inno Setup 5\Inno Setup Compiler.lnk", bWait=0x1)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:2865]
in winemenubuilder (0x0033fa48)
  7 0x7edbd6fc Process_Link+0x2d3(linkname="C:\users\Public\Start
Menu\Programs\Inno Setup 5\Inno Setup Compiler.lnk", bWait=0x1)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:3250]
in winemenubuilder (0x0033fce8)
  8 0x7edbef43 wWinMain+0x26d(hInstance=<couldn't compute location>,
prev=<couldn't compute location>, cmdline=<couldn't compute location>,
show=<couldn't compute location>)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:3703]
in winemenubuilder (0x0033fd68)
  9 0x7edbf67a wmain+0x109(argc=0x3, argv=0x115258)
[/home/focht/projects/wine/wine.repo/src/dlls/winecrt0/exe_wmain.c:51] in
winemenubuilder (0x0033fde8)
  10 0x7edbf555 __wine_spec_exe_wentry+0x74(peb=<couldn't compute location>)
[/home/focht/projects/wine/wine.repo/src/dlls/winecrt0/exe_wentry.c:36] in
winemenubuilder (0x0033fe18)
  11 0x7b86404c call_process_entry+0xb() in kernel32 (0x0033fe38) 
...
0xf74c88e6 __memcpy_ssse3_rep+0x286 in libc.so.6:     
Modules:
Module    Address            Debug info    Name (52 modules)
ELF    7b800000-7ba62000    Dwarf           kernel32<elf>
  \-PE    7b810000-7ba62000    \               kernel32 
...
ELF    7eda0000-7edcb000    Dwarf           winemenubuilder<elf>
  \-PE    7edb0000-7edcb000    \               winemenubuilder
...
Threads:
process  tid      prio (all id:s are in hex) 
...
00000027 (D) C:\windows\system32\winemenubuilder.exe
    00000028    0 <==
--- snip ---

Hex dump of the raw data from first icon group:

(sorry for the DWORD dump, but you get the idea)

--- snip ---
003FA5DC  00010000
003FA5E0  10100008
003FA5E4  00010000
003FA5E8  05680008 ; group entry #1 size = 0x568 == icon res size (ok)
003FA5EC  00010000
003FA5F0  00002020
003FA5F4  00080001
003FA5F8  000008A8 ; group entry #2 size = 0x8A8 == icon res size (ok)
003FA5FC  30300002
003FA600  00010000
003FA604  0EA80008 ; group entry #3 size = 0xEA8 == icon res size (ok)
003FA608  00030000
003FA60C  00001010
003FA610  00200001
003FA614  00000468 ; group entry #4 size = 0x468 == icon res size (ok)
003FA618  20200004
003FA61C  00010000
003FA620  10A80020 ; group entry #5 size = 0x10A8 == icon res size (ok)
003FA624  00050000
003FA628  00003030
003FA62C  00200001
003FA630  000025A8 ; group entry #6 size = 0x25A8 == icon res size (ok)
003FA634  00800006
003FA638  00010000
003FA63C  08280020 ; group entry #7 size = 0x10828 == icon res size (ok)
003FA640  00070001
003FA644  00000000
003FA648  00200001
003FA64C  00040028 ; group entry #8 size = 0x40028 != icon res size = 0x90E4 (!)
003FA650  00000008
--- snip ---

Icon #8 is PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced.

Newer Windows versions, starting with Windows Vista+, support these, for example
in large thumbnail view.

Some information here:
http://www.axialis.com/tutorials/tutorial-vistaicons.html

The large size value from icon group entry #8 triggers an out-of-bounds
exception on resource section (unmapped area) -> 'src' of icon data 'memcpy'.

Actually, the number 0x40028 could be a magic or hint for this new stuff.

I tested other installers with my patch/hacks that dumped a bit more
information about resource processing, especially inconsistencies.

Whenever the executable resource section contained 256x256 icons, the magic
number was there but the actual icon resource (PNG) had different sizes.

'winemenubuilder' needs to cope with these large icons and their peculiarities
(at least avoid the crash).

--- snip ---
trace:menubuilder:extract_icon path=[L"C:\\Program Files\\Inno Setup
5\\Compil32.exe"] index=0 destFilename=[(null)]
trace:menubuilder:platform_write_icon [0]: 16 x 16 @ 8
trace:menubuilder:platform_write_icon Selected: 3
trace:menubuilder:platform_write_icon [1]: 32 x 32 @ 8
trace:menubuilder:platform_write_icon Selected: 4
trace:menubuilder:platform_write_icon [2]: 48 x 48 @ 8
trace:menubuilder:platform_write_icon Selected: 5
trace:menubuilder:platform_write_icon [3]: 16 x 16 @ 32
trace:menubuilder:platform_write_icon [4]: 32 x 32 @ 32
trace:menubuilder:platform_write_icon [5]: 48 x 48 @ 32
trace:menubuilder:platform_write_icon [6]: 128 x 0 @ 32
trace:menubuilder:platform_write_icon Selected: 6
trace:menubuilder:platform_write_icon [7]: 0 x 0 @ 32
trace:menubuilder:platform_write_icon Selected: 7
--- snip ---

$ sha1sum isetup-5.5.4.exe 
6ddc6db3a85882711470e0eeba861249b64edaf8  isetup-5.5.4.exe

$ du -sh isetup-5.5.4.exe 
1.9M    isetup-5.5.4.exe

$ wine --version
wine-1.7.21-61-gf9f3b21

Regards
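
The size check that the comment above calls for, as an added example (not Wine's code and not part of the original report): the copy length is bounded by the real resource size instead of the size the group directory claims. The function names are hypothetical, `res_len` stands for what `SizeofResource()` would report, and the sample bytes are constructed from the entry #8 values in the dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RT_GROUP_ICON: 6-byte header (reserved, type, count), then 14-byte entries: width, height,
 * colors, reserved (1 byte each), planes, bit count (2 each), dwBytesInRes (4), nID (2). */
enum { GRP_HDR = 6, GRP_ENTRY = 14, OFF_BYTES = 8 };
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Size the directory claims for entry idx; 0 if the directory is too short. */
uint32_t claimed_size(const uint8_t *grp, size_t grp_len, unsigned idx)
{
    if (grp_len < GRP_HDR || idx >= rd16(grp + 4)) return 0;
    if (grp_len - GRP_HDR < (size_t)(idx + 1) * GRP_ENTRY) return 0;
    return rd32(grp + GRP_HDR + idx * GRP_ENTRY + OFF_BYTES);
}

/* Copy only bytes that exist in the icon resource (res_len = real resource size).
 * Returns bytes copied; sets *mismatch when the directory size disagrees with it. */
size_t copy_icon_checked(const uint8_t *grp, size_t grp_len, unsigned idx, const uint8_t *res,
                         size_t res_len, uint8_t *out, size_t out_cap, int *mismatch)
{
    uint32_t claimed = claimed_size(grp, grp_len, idx);
    size_t n = claimed < res_len ? claimed : res_len;  /* never read past the resource */
    *mismatch = (claimed != res_len);
    if (n > out_cap) return 0;                         /* never write past the output */
    memcpy(out, res, n);
    return n;
}

/* Constructed sample: a one-entry directory with the entry #8 fields from the
 * dump (0x0, 32 bpp, size 0x40028, id 8) and a 0x90E4-byte stand-in resource. */
static const uint8_t sample_grp[] = { 0,0, 1,0, 1,0,
    0,0,0,0, 1,0, 0x20,0, 0x28,0x00,0x04,0x00, 8,0 };
static uint8_t sample_res[0x90E4] = { 0x89,'P','N','G','\r','\n',0x1a,'\n' };
static uint8_t sample_out[0x40028];
int demo_mismatch;

size_t demo(void) {
    return copy_icon_checked(sample_grp, sizeof sample_grp, 0, sample_res,
        sizeof sample_res, sample_out, sizeof sample_out, &demo_mismatch);
}
int main(void) {
    size_t n = demo();
    printf("copied 0x%zx bytes, mismatch=%d\n", n, demo_mismatch);
    return 0;
}
```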
