[Bug 35877] ProShow Gold 5.0.3310 crashes on startup (TLS slot index allocation must start at non-zero indexes)
wine-bugs at winehq.org
Thu Mar 27 11:17:02 CDT 2014
http://bugs.winehq.org/show_bug.cgi?id=35877
Anastasius Focht <focht at gmx.net> changed:
What        |Removed                      |Added
----------------------------------------------------------------------------
Keywords    |                             |download
Status      |UNCONFIRMED                  |RESOLVED
URL         |                             |http://download.cnet.com/ProShow-Gold/3000-12511_4-10280465.html
CC          |                             |focht at gmx.net
Component   |-unknown                     |ntdll
Resolution  |---                          |DUPLICATE
Summary     |Problems with Proshowgold 5. |ProShow Gold 5.0.3310 crashes on startup (TLS slot index allocation must start at non-zero indexes)
--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
Looks like another broken app with TLS slot index 0 access.
Windows implements a workaround for all broken apps, making TLS slot index 0
unavailable for allocation through the TLS API, hence the crash is prevented.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Photodex/ProShow Gold
...
$ WINEDEBUG=+tid,+seh,+relay wine ./pxplay.exe >>log.txt 2>&1
...
0029:Starting process L"C:\\Program Files\\Photodex\\ProShow Gold\\pxplay.exe" (entryproc=0x9c1d60)
...
0029:Call KERNEL32.TlsAlloc() ret=009c3441
0029:Ret KERNEL32.TlsAlloc() retval=00000000 ret=009c3441
0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
0029:Ret ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
0029:Call ntdll.RtlAllocateHeap(01460000,00000000,00000480) ret=009c0b3d
0029:Ret ntdll.RtlAllocateHeap() retval=014601c0 ret=009c0b3d
...
0029:Call KERNEL32.GetStartupInfoA(0033fdc4) ret=009c1e17
0029:Ret KERNEL32.GetStartupInfoA() retval=00000011 ret=009c1e17
0029:Call KERNEL32.GetModuleHandleA(00000000) ret=009c1e3a
0029:Ret KERNEL32.GetModuleHandleA() retval=00400000 ret=009c1e3a
0029:trace:seh:raise_exception code=c0000005 flags=0 addr=0x49680a ip=0049680a tid=0029
0029:trace:seh:raise_exception info[0]=00000000
0029:trace:seh:raise_exception info[1]=01470258
0029:trace:seh:raise_exception eax=0129b6c0 ebx=01460138 ecx=00bb9538 edx=00bb9538 esi=00000000 edi=00000000
0029:trace:seh:raise_exception ebp=00000000 esp=0033790c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0029:trace:seh:call_stack_handlers calling handler at 0x9c3724 code=c0000005 flags=0
0029:Call KERNEL32.GetLastError() ret=009c34a4
0029:Ret KERNEL32.GetLastError() retval=00000000 ret=009c34a4
0029:Call KERNEL32.UnhandledExceptionFilter(003373e0) ret=009c36dd
wine: Unhandled page fault on read access to 0x01470258 at address 0x49680a (thread 0029), starting debugger...
0029:trace:seh:start_debugger Starting debugger "winedbg --auto 40 92"
0029:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=009c36dd
0029:trace:seh:call_stack_handlers handler at 0x9c3724 returned 1
0029:trace:seh:call_stack_handlers calling handler at 0x7bc9eb03 code=c0000005 flags=0
0029:Call KERNEL32.UnhandledExceptionFilter(003373d4) ret=7bc9eb3d
0029:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9eb3d
0029:trace:seh:call_stack_handlers handler at 0x7bc9eb03 returned 1
Unhandled exception: page fault on read access to 0x01470258 in 32-bit code (0x0049680a).
...
Backtrace:
=>0 0x0049680a in pxplay (+0x9680a) (0x00000000)
0x0049680a: movl 0x10120(%ebx),%esi
--- snip ---
The app code that allocates and sets the first slot:
--- snip ---
009C3435 PUSH ESI
009C3436 CALL 009C4D94
009C343B CALL DWORD PTR DS:[<&KERNEL32.TlsAlloc>]
009C3441 CMP EAX,-1
009C3444 MOV DWORD PTR DS:[11A4EC4],EAX ; index
009C3449 JE SHORT 009C3485
009C344B PUSH 74
009C344D PUSH 1
009C344F CALL 009C32F8
009C3454 MOV ESI,EAX
009C3456 POP ECX
009C3457 TEST ESI,ESI
009C3459 POP ECX
009C345A JZ SHORT 009C3485
009C345C PUSH ESI ; value, buffer ptr
009C345D PUSH DWORD PTR DS:[11A4EC4] ; index
009C3463 CALL DWORD PTR DS:[<&KERNEL32.TlsSetValue>]
009C3469 TEST EAX,EAX
009C346B JZ SHORT 009C3485
...
--- snip ---
Unlike Windows, Wine happily gives slot index 0 to the app which writes a
buffer pointer using TlsSetValue().
The buffer (0x80 bytes) was allocated here:
--- snip ---
0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
0029:Ret ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
--- snip ---
Offending app code:
--- snip ---
004967B0 MOV EAX,8150
004967B5 CALL 009BF760
004967BA MOV EAX,DWORD PTR DS:[1249A30]
004967BF PUSH EBX
004967C0 PUSH EBP
004967C1 PUSH ESI
004967C2 PUSH EDI
004967C3 PUSH EAX ; index => [0x1249A30] = 0
004967C4 CALL DWORD PTR DS:[<&KERNEL32.TlsGetValue>]
004967CA MOV EBX,EAX
004967CC XOR EBP,EBP
004967CE CMP EBX,EBP
004967D0 JE SHORT 004967EB
...
0049680A MOV ESI,DWORD PTR DS:[EBX+10120] ; *boom*
00496810 JMP SHORT pxplay.00496817
--- snip ---
The buggy app calls TlsGetValue(0), which returns the buffer pointer set by
the earlier code, as shown in the snippet above.
That code path at 0x49680A should never be reached if the app gets NULL for
slot index 0, which would be the case if the first slot were reserved by the system.
The app code accesses offset 0x10120, which causes the fault (the buffer was
allocated with size 0x80).
$ sha1sum psgold_50_3310.exe
10aaacabded20869391db41e296fd97cb833ffa1 psgold_50_3310.exe
$ du -sh psgold_50_3310.exe
32M psgold_50_3310.exe
$ wine --version
wine-1.7.15-87-g5b55563
Regards
*** This bug has been marked as a duplicate of bug 20466 ***
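Added here as an illustration, not code from the bug report, Wine or Windows: a toy C model of a TLS slot table in which the first index is optionally reserved, run against the app pattern described above (a slot index read from a global that was never initialised). All names and the table layout are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Toy model of one thread's TLS slot table, constructed for this example;
   it is neither Wine nor Windows code. */
#define TLS_SLOTS 64
#define TLS_OUT_OF_INDEXES 0xFFFFFFFFu
typedef struct {
    uint64_t used;           /* bitmap of allocated slot indexes */
    void *value[TLS_SLOTS];  /* per-slot values, NULL until set */
} tls_table;

/* With reserve_slot0 set, index 0 is marked used up front and never handed
   out, which is the Windows behaviour the report describes. */
static void tls_init(tls_table *t, int reserve_slot0)
{
    memset(t, 0, sizeof *t);
    if (reserve_slot0) t->used |= 1;
}

static uint32_t tls_alloc(tls_table *t)
{
    for (uint32_t i = 0; i < TLS_SLOTS; i++)
        if (!(t->used & ((uint64_t)1 << i))) {
            t->used |= (uint64_t)1 << i;
            return i;
        }
    return TLS_OUT_OF_INDEXES;
}

/* Unallocated or unset slots read as NULL, like TlsGetValue(). */
static void *tls_get(const tls_table *t, uint32_t i)
{
    return i < TLS_SLOTS ? t->value[i] : NULL;
}

/* The app pattern from the report: startup code allocates a slot and stores a
   buffer pointer in it (mirrors [11A4EC4]); a later code path reads its slot
   index from a never-initialised global, still 0 (mirrors [1249A30]). Returns
   what that path gets back: NULL makes its NULL-check bail out, a non-NULL
   pointer leads to the out-of-bounds read at offset 0x10120. */
static void *buggy_app_lookup(int reserve_slot0)
{
    static char buffer[0x80];
    tls_table t;
    tls_init(&t, reserve_slot0);
    uint32_t allocated_index = tls_alloc(&t);
    if (allocated_index != TLS_OUT_OF_INDEXES) t.value[allocated_index] = buffer;
    uint32_t uninitialised_index = 0;
    return tls_get(&t, uninitialised_index);
}
```

With slot 0 reserved the lookup yields NULL and the app's own check skips the faulting path; without the reservation it yields the 0x80-byte buffer, reproducing the crash the log shows.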