[Bug 37005] Serif WebPlus Starter Edition crashes on startup (IPropertyBag2::GetPropertyInfo returns more properties than the caller requested, leading to stack smashing)

wine-bugs at winehq.org wine-bugs at winehq.org
Thu Jul 31 16:07:55 CDT 2014 

https://bugs.winehq.org/show_bug.cgi?id=37005

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
            Summary|Serif WebPlus Starter       |Serif WebPlus Starter
                   |Edition crashes on startup  |Edition crashes on startup
                   |(wincodecs:BitmapEncoderInf |(IPropertyBag2::GetProperty
                   |o_GetFileExtensions)        |Info returns more
                   |                            |properties than the caller
                   |                            |requested, leading to stack
                   |                            |smashing)

--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

The problem is not related to any stubs.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Serif/WebPlus/X5/Program

$ WINEDEBUG=+tid,+seh,+relay,+wincodecs wine ./WebPlus.exe >>log.txt 2>&1
...
002c:Call PE DLL (proc=0x222c7d7f,module=0x22200000
L"SerifImgU.dll",reason=PROCESS_ATTACH,res=0x1) 
...
002c:trace:wincodecs:BitmapEncoderInfo_CreateInstance (0x19e690,0x33e918) 
...
002c:trace:wincodecs:TiffEncoder_CreateInstance
({00000103-a8f2-4877-ba0a-fd2b6645fb94},0x33e918)
...
002c:Ret  ole32.CoCreateInstance() retval=00000000 ret=7ce95c5a
...
002c:trace:wincodecs:TiffEncoder_Initialize (0x3b5a0f0,0x1ff7f48,2)
...
002c:trace:wincodecs:TiffEncoder_CreateNewFrame (0x3b5a0f0,0x33e91c,0x33e920)
...
002c:trace:wincodecs:PropertyBag_Write (0x1a1a10,1,0x33e840,0x33e880)
...
002c:trace:wincodecs:BitmapEncoderInfo_GetPixelFormats
(0x19e690,0,(nil),0x33e924) 
...
002c:trace:wincodecs:BitmapEncoderInfo_GetPixelFormats
(0x19e690,9,0x1ff8590,0x33e924) 
...
002c:trace:wincodecs:PropertyBag_CountProperties (0x1a1a10,0x33e938)
002c:trace:wincodecs:PropertyBag_GetPropertyInfo
(0x1a1a10,0,1,0x33e958,0x33e954) 
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"InterlaceOption",03b591f0
L"TiffCompressionMethod") ret=78a679c1
002c:Ret  msvcr90._wcsicmp() retval=fffffff5 ret=78a679c1 
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"ImageQuality",03b591f0
L"TiffCompressionMethod") ret=78a679c1
002c:Ret  msvcr90._wcsicmp() retval=fffffff5 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"UseCodecOptions",03b591f0
L"TiffCompressionMethod") ret=78a679c1
002c:Ret  msvcr90._wcsicmp() retval=00000001 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"TiffCompressionMethod",03b591f0
L"TiffCompressionMethod") ret=78a679c1
002c:Ret  msvcr90._wcsicmp() retval=00000000 ret=78a679c1
...
002c:trace:wincodecs:PropertyBag_GetPropertyInfo
(0x1a1a10,1,1,0x33e958,0x33e954) 
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"InterlaceOption",03b59258
L"CompressionQuality") ret=78a679c1
002c:Ret  msvcr90._wcsicmp() retval=00000006 ret=78a679c1 
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"ImageQuality",03b59258
L"CompressionQuality") ret=78a679c1
002c:Ret  msvcr90._wcsicmp() retval=00000006 ret=78a679c1 
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"UseCodecOptions",03b59258
L"CompressionQuality") ret=78a679c1
002c:Ret  msvcr90._wcsicmp() retval=00000012 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"TiffCompressionMethod",03b59258
L"CompressionQuality") ret=78a679c1
002c:Ret  msvcr90._wcsicmp() retval=00000011 ret=78a679c1
...
002c:trace:wincodecs:TiffFrameEncode_Release (0x3b591b0) refcount=0
002c:trace:wincodecs:TiffEncoder_Release (0x3b5a0f0) refcount=1
...
002c:trace:wincodecs:TiffEncoder_Release (0x3b5a0f0) refcount=0
...
002c:trace:wincodecs:PropertyBag_Release (0x1a1a10) refcount=0
...
002c:Call KERNEL32.IsDebuggerPresent() ret=222c7f93
002c:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=222c7f93
002c:Call KERNEL32.RaiseException(80000100,00000001,00000002,0033e5b8)
ret=7e790d71
002c:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b83ae8f
ip=7b83ae8f tid=002c
002c:trace:seh:raise_exception  info[0]=7e7911a0
002c:trace:seh:raise_exception  info[1]=7e791700
wine: Call from 0x7b83ae8f to unimplemented function
msvcr90.dll._crt_debugger_hook, aborting
002c:err:seh:raise_exception Exception frame is not in stack limits => unable
to dispatch exception.
--- snip ---

What's not visible through tracing: the debugger hook is invoked because a
stack smashing is detected (canary/cookie destroyed).

--- snip ---
2223DBB5   8B4424 1C        MOV EAX,DWORD PTR SS:[ESP+1C]
2223DBB9   8B08             MOV ECX,DWORD PTR DS:[EAX]
2223DBBB   8D5424 50        LEA EDX,DWORD PTR SS:[ESP+50]
2223DBBF   52               PUSH EDX
2223DBC0   8D5424 58        LEA EDX,DWORD PTR SS:[ESP+58]
2223DBC4   52               PUSH EDX
2223DBC5   6A 01            PUSH 1
2223DBC7   57               PUSH EDI
2223DBC8   50               PUSH EAX
2223DBC9   8B41 18          MOV EAX,DWORD PTR DS:[ECX+18]
2223DBCC   FFD0             CALL EAX          ; PropertyBag_GetPropertyInfo
--- snip ---

Argument stack before the call:

--- snip ---
0033E8F0   03B30528 ; IPropertyBag2 *iface
0033E8F4   00000000 ; ULONG iProperty
0033E8F8   00000001 ; ULONG cProperties
0033E8FC   0033E958 ; PROPBAG2 *pPropBag
0033E900   0033E954 ; ULONG *pcProperties
...
0033E954   78A336C3 ; cProperties (out)
0033E958   6FDDC324 ; PROPBAG2 PropBag (out)
0033E95C   4BFE4E03
0033E960   773D85B1
0033E964   1CC98D76
0033E968   01FFD730
0033E96C   78C3DF60
0033E970   0033E988
0033E974   78A33793
0033E978   78A3379D
0033E97C   A855F990 ; stack cookie
0033E980   0033FA40
--- snip ---

After the call:

--- snip ---
...
0033E954   00000002 ; cProperties (out)
0033E958   00000001 ; PROPBAG2 PropBag (out) 
0033E95C   00000011
0033E960   00000001
0033E964   03B360B0 ; UNICODE "TiffCompressionMethod"
0033E968   00000000
0033E96C   00000000
0033E970   00000000
0033E974   00000000
0033E978   00000001
0033E97C   00000004 ; destroyed stack cookie
0033E980   00000002 
--- snip ---

Source:
http://source.winehq.org/git/wine.git/blob/2ee3e8073fe5b5adc2b48f382eec50c21550fdbb:/dlls/windowscodecs/propertybag.c#l237

--- snip ---
237 static HRESULT WINAPI PropertyBag_GetPropertyInfo(IPropertyBag2 *iface,
ULONG iProperty,
238     ULONG cProperties, PROPBAG2 *pPropBag, ULONG *pcProperties)
239 {
240     HRESULT res = S_OK;
241     ULONG i;
242     PropertyBag *This = impl_from_IPropertyBag2(iface);
243
244     TRACE("(%p,%u,%u,%p,%p)\n", iface, iProperty, cProperties, pPropBag,
pcProperties);
245
246     if (iProperty >= This->prop_count && iProperty > 0)
247         return WINCODEC_ERR_VALUEOUTOFRANGE;
248     if (iProperty+cProperties > This->prop_count )
249         return WINCODEC_ERR_VALUEOUTOFRANGE;
250
251     *pcProperties = max(cProperties, This->prop_count-iProperty);
252
253     for (i=0; i < *pcProperties; i++)
254     {
255         res = copy_propbag2(pPropBag+i, This->properties+iProperty+i,
TRUE);
256         if (FAILED(res))
257         {
258             do {
259                 CoTaskMemFree( pPropBag[--i].pstrName );
260             } while (i);
261             break;
262         }
263     }
264
265     return res;
266 }
--- snip ---

Line 251 is obviously wrong. You can't return/fill more properties than the
caller requested hence the stack smasher.

$ wine --version
wine-1.7.23-33-gc654b7b

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list