[Bug 37005] Serif WebPlus Starter Edition crashes on startup (IPropertyBag2::GetPropertyInfo returns more properties than the caller requested, leading to stack smashing)
wine-bugs at winehq.org
wine-bugs at winehq.org
Thu Jul 31 16:07:55 CDT 2014
https://bugs.winehq.org/show_bug.cgi?id=37005
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |focht at gmx.net
Summary|Serif WebPlus Starter |Serif WebPlus Starter
|Edition crashes on startup |Edition crashes on startup
|(wincodecs:BitmapEncoderInf |(IPropertyBag2::GetProperty
|o_GetFileExtensions) |Info returns more
| |properties than the caller
| |requested, leading to stack
| |smashing)
--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
The problem is not related to any stubs.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Serif/WebPlus/X5/Program
$ WINEDEBUG=+tid,+seh,+relay,+wincodecs wine ./WebPlus.exe >>log.txt 2>&1
...
002c:Call PE DLL (proc=0x222c7d7f,module=0x22200000
L"SerifImgU.dll",reason=PROCESS_ATTACH,res=0x1)
...
002c:trace:wincodecs:BitmapEncoderInfo_CreateInstance (0x19e690,0x33e918)
...
002c:trace:wincodecs:TiffEncoder_CreateInstance
({00000103-a8f2-4877-ba0a-fd2b6645fb94},0x33e918)
...
002c:Ret ole32.CoCreateInstance() retval=00000000 ret=7ce95c5a
...
002c:trace:wincodecs:TiffEncoder_Initialize (0x3b5a0f0,0x1ff7f48,2)
...
002c:trace:wincodecs:TiffEncoder_CreateNewFrame (0x3b5a0f0,0x33e91c,0x33e920)
...
002c:trace:wincodecs:PropertyBag_Write (0x1a1a10,1,0x33e840,0x33e880)
...
002c:trace:wincodecs:BitmapEncoderInfo_GetPixelFormats
(0x19e690,0,(nil),0x33e924)
...
002c:trace:wincodecs:BitmapEncoderInfo_GetPixelFormats
(0x19e690,9,0x1ff8590,0x33e924)
...
002c:trace:wincodecs:PropertyBag_CountProperties (0x1a1a10,0x33e938)
002c:trace:wincodecs:PropertyBag_GetPropertyInfo
(0x1a1a10,0,1,0x33e958,0x33e954)
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"InterlaceOption",03b591f0
L"TiffCompressionMethod") ret=78a679c1
002c:Ret msvcr90._wcsicmp() retval=fffffff5 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"ImageQuality",03b591f0
L"TiffCompressionMethod") ret=78a679c1
002c:Ret msvcr90._wcsicmp() retval=fffffff5 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"UseCodecOptions",03b591f0
L"TiffCompressionMethod") ret=78a679c1
002c:Ret msvcr90._wcsicmp() retval=00000001 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"TiffCompressionMethod",03b591f0
L"TiffCompressionMethod") ret=78a679c1
002c:Ret msvcr90._wcsicmp() retval=00000000 ret=78a679c1
...
002c:trace:wincodecs:PropertyBag_GetPropertyInfo
(0x1a1a10,1,1,0x33e958,0x33e954)
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"InterlaceOption",03b59258
L"CompressionQuality") ret=78a679c1
002c:Ret msvcr90._wcsicmp() retval=00000006 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"ImageQuality",03b59258
L"CompressionQuality") ret=78a679c1
002c:Ret msvcr90._wcsicmp() retval=00000006 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"UseCodecOptions",03b59258
L"CompressionQuality") ret=78a679c1
002c:Ret msvcr90._wcsicmp() retval=00000012 ret=78a679c1
...
002c:Call msvcr90._wcsicmp(01ff85a0 L"TiffCompressionMethod",03b59258
L"CompressionQuality") ret=78a679c1
002c:Ret msvcr90._wcsicmp() retval=00000011 ret=78a679c1
...
002c:trace:wincodecs:TiffFrameEncode_Release (0x3b591b0) refcount=0
002c:trace:wincodecs:TiffEncoder_Release (0x3b5a0f0) refcount=1
...
002c:trace:wincodecs:TiffEncoder_Release (0x3b5a0f0) refcount=0
...
002c:trace:wincodecs:PropertyBag_Release (0x1a1a10) refcount=0
...
002c:Call KERNEL32.IsDebuggerPresent() ret=222c7f93
002c:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=222c7f93
002c:Call KERNEL32.RaiseException(80000100,00000001,00000002,0033e5b8)
ret=7e790d71
002c:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b83ae8f
ip=7b83ae8f tid=002c
002c:trace:seh:raise_exception info[0]=7e7911a0
002c:trace:seh:raise_exception info[1]=7e791700
wine: Call from 0x7b83ae8f to unimplemented function
msvcr90.dll._crt_debugger_hook, aborting
002c:err:seh:raise_exception Exception frame is not in stack limits => unable
to dispatch exception.
--- snip ---
What's not visible through tracing: the debugger hook is invoked because a
stack smashing is detected (canary/cookie destroyed).
--- snip ---
2223DBB5 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]
2223DBB9 8B08 MOV ECX,DWORD PTR DS:[EAX]
2223DBBB 8D5424 50 LEA EDX,DWORD PTR SS:[ESP+50]
2223DBBF 52 PUSH EDX
2223DBC0 8D5424 58 LEA EDX,DWORD PTR SS:[ESP+58]
2223DBC4 52 PUSH EDX
2223DBC5 6A 01 PUSH 1
2223DBC7 57 PUSH EDI
2223DBC8 50 PUSH EAX
2223DBC9 8B41 18 MOV EAX,DWORD PTR DS:[ECX+18]
2223DBCC FFD0 CALL EAX ; PropertyBag_GetPropertyInfo
--- snip ---
Argument stack before the call:
--- snip ---
0033E8F0 03B30528 ; IPropertyBag2 *iface
0033E8F4 00000000 ; ULONG iProperty
0033E8F8 00000001 ; ULONG cProperties
0033E8FC 0033E958 ; PROPBAG2 *pPropBag
0033E900 0033E954 ; ULONG *pcProperties
...
0033E954 78A336C3 ; cProperties (out)
0033E958 6FDDC324 ; PROPBAG2 PropBag (out)
0033E95C 4BFE4E03
0033E960 773D85B1
0033E964 1CC98D76
0033E968 01FFD730
0033E96C 78C3DF60
0033E970 0033E988
0033E974 78A33793
0033E978 78A3379D
0033E97C A855F990 ; stack cookie
0033E980 0033FA40
--- snip ---
After the call:
--- snip ---
...
0033E954 00000002 ; cProperties (out)
0033E958 00000001 ; PROPBAG2 PropBag (out)
0033E95C 00000011
0033E960 00000001
0033E964 03B360B0 ; UNICODE "TiffCompressionMethod"
0033E968 00000000
0033E96C 00000000
0033E970 00000000
0033E974 00000000
0033E978 00000001
0033E97C 00000004 ; destroyed stack cookie
0033E980 00000002
--- snip ---
Source:
http://source.winehq.org/git/wine.git/blob/2ee3e8073fe5b5adc2b48f382eec50c21550fdbb:/dlls/windowscodecs/propertybag.c#l237
--- snip ---
237 static HRESULT WINAPI PropertyBag_GetPropertyInfo(IPropertyBag2 *iface,
ULONG iProperty,
238 ULONG cProperties, PROPBAG2 *pPropBag, ULONG *pcProperties)
239 {
240 HRESULT res = S_OK;
241 ULONG i;
242 PropertyBag *This = impl_from_IPropertyBag2(iface);
243
244 TRACE("(%p,%u,%u,%p,%p)\n", iface, iProperty, cProperties, pPropBag,
pcProperties);
245
246 if (iProperty >= This->prop_count && iProperty > 0)
247 return WINCODEC_ERR_VALUEOUTOFRANGE;
248 if (iProperty+cProperties > This->prop_count )
249 return WINCODEC_ERR_VALUEOUTOFRANGE;
250
251 *pcProperties = max(cProperties, This->prop_count-iProperty);
252
253 for (i=0; i < *pcProperties; i++)
254 {
255 res = copy_propbag2(pPropBag+i, This->properties+iProperty+i,
TRUE);
256 if (FAILED(res))
257 {
258 do {
259 CoTaskMemFree( pPropBag[--i].pstrName );
260 } while (i);
261 break;
262 }
263 }
264
265 return res;
266 }
--- snip ---
Line 251 is obviously wrong. You can't return/fill more properties than the
caller requested hence the stack smasher.
$ wine --version
wine-1.7.23-33-gc654b7b
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list