[Bug 37563] Skype 6.x crashes trying to make an audio call (DestroyIRichEditOle must take reference count into account)

wine-bugs at winehq.org
Sun Nov 16 12:26:50 CST 2014


https://bugs.winehq.org/show_bug.cgi?id=37563

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
          Component|-unknown                    |richedit
            Summary|Skype crashes trying to     |Skype 6.x crashes trying to
                   |make an audio call          |make an audio call
                   |                            |(DestroyIRichEditOle must
                   |                            |take reference count into
                   |                            |account)
     Ever confirmed|0                           |1

--- Comment #9 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

--- quote ---
I cannot debug Skype further because it crashes immediately when being run
under winedbg.
--- quote ---

That's expected. Skype employs some basic anti-debug measures which can be
worked around easily though :)

--- snip ---
0023:Starting process L"C:\\Program Files\\Skype\\Phone\\Skype.exe"
(entryproc=0x5bb288)
...
21925.104:0023:Call KERNEL32.CreateFileW(00335ebc
L"\\\\.\\NTICE",00000000,00000000,00000000,00000003,00000000,00000000)
ret=005a5658
21925.104:0023:Ret  KERNEL32.CreateFileW() retval=ffffffff ret=005a5658
21925.104:0023:Call KERNEL32.CreateFileW(00335ebc
L"\\\\.\\Siwvid",00000000,00000000,00000000,00000003,00000000,00000000)
ret=005a5695
21925.104:0023:Ret  KERNEL32.CreateFileW() retval=ffffffff ret=005a5695
...
21926.429:0023:Call KERNEL32.IsDebuggerPresent() ret=00d3b719
21926.429:0023:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=00d3b719 
...
21981.861:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21981.861:002d:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b 
...
21981.880:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21981.880:002d:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21982.793:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21982.793:002d:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b 
...
21983.129:002f:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21983.129:002f:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b 
...
21983.133:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21983.133:002d:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b 
...
<attach debugger>
...
22043.920:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
22043.920:002d:Ret  KERNEL32.IsDebuggerPresent() retval=00000001 ret=0061648b
<detected>
22043.920:002d:trace:seh:raise_exception code=c0000005 flags=0 addr=0x204
ip=00000204 tid=002d
22043.920:002d:trace:seh:raise_exception  info[0]=00000008
22043.920:002d:trace:seh:raise_exception  info[1]=00000204
22043.920:002d:trace:seh:raise_exception  eax=00000000 ebx=00000000
ecx=00000000 edx=00000204 esi=0600e4d0 edi=0600e4d0
22043.920:002d:trace:seh:raise_exception  ebp=00000025 esp=0600e4d8 cs=0023
ds=002b es=002b fs=0063 gs=006b flags=00010246
22043.920:002d:trace:seh:call_stack_handlers calling handler at 0x7bc9e6e7
code=c0000005 flags=0
22043.921:002d:Call KERNEL32.UnhandledExceptionFilter(0600dfa4) ret=7bc9e721
22043.921:002d:Ret  KERNEL32.UnhandledExceptionFilter() retval=00000000
ret=7bc9e721
22043.921:002d:trace:seh:call_stack_handlers handler at 0x7bc9e6e7 returned 1 
--- snip ---

Multiple threads have a check for debuggers at code paths that are called
periodically.

Anyway, now to the real issue here...

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Skype/Phone

$ WINEDEBUG=+tid,+seh,+relay,+richedit wine ./Skype.exe /legacylogin >>log.txt
2>&1
...
0023:Call KERNEL32.LoadLibraryW(004b6a10 L"RICHED20.DLL") ret=004b69b9
0023:Call PE DLL (proc=0x7a4b2ccc,module=0x7a470000
L"riched20.dll",reason=PROCESS_ATTACH,res=(nil)) 
...
0023:Ret  KERNEL32.LoadLibraryW() retval=7a470000 ret=004b69b9
...
0023:Call KERNEL32.LoadLibraryW(017eb210 L"MSFTEDIT.DLL") ret=017eb1ff
0023:Call PE DLL (proc=0x7aa4d870,module=0x7aa40000
L"msftedit.dll",reason=PROCESS_ATTACH,res=(nil))
...
0023:Ret  KERNEL32.LoadLibraryW() retval=7aa40000 ret=017eb1ff
0023:Call user32.GetClassInfoW(00400000,017ed23c L"RICHEDIT50W",0033ead8)
ret=004f4ed2
0023:Ret  user32.GetClassInfoW() retval=0000c098 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,0033eb00 L"TChatRichEdit",0033ea8c)
ret=004f5172
0023:Ret  user32.GetClassInfoW() retval=00000000 ret=004f5172
0023:Call user32.RegisterClassW(0033ead8) ret=004f51bc
0023:Ret  user32.RegisterClassW() retval=0000c09b ret=004f51bc
0023:Call user32.CreateWindowExW(00000000,0033eb00 L"TChatRichEdit",0048a85c
L"",44210044,0000000c,0000000a,00000134,00000025,00010150,00000000,00400000,00000000)
ret=0040eb98 
...
0023:trace:richedit:RichEditWndProc_common WM_NCCREATE: hWnd 0x10154 style
0x44210044 
...
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 2
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x10154 msg 043c
(EM_GETOLEINTERFACE) 0 71454a4, unicode 1 -> 1
0023:Ret  window proc 0x7a48e304
(hwnd=0x10154,msg=WM_USER+60,wp=00000000,lp=071454a4) retval=00000001
0023:Ret  user32.CallWindowProcW() retval=00000001 ret=004f663d
0023:Ret  window proc 0x380c61
(hwnd=0x10154,msg=WM_USER+60,wp=00000000,lp=071454a4) retval=00000001
0023:Ret  user32.SendMessageW() retval=00000001 ret=017ed432
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 3
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 4
0023:fixme:richedit:IRichEditOle_fnGetObjectCount stub 0x8d934e0
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=3
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=2 
...
0023:Call user32.DestroyWindow(001d0148) ret=004f558d 
...
0023:Call user32.CallWindowProcW(7a48e304,00010154,00000002,00000000,00000000)
ret=004f663d
0023:Call window proc 0x7a48e304
(hwnd=0x10154,msg=WM_DESTROY,wp=00000000,lp=00000000)
0023:trace:richedit:RichEditWndProc_common enter hwnd 0x10154 msg 0002 () 0 0,
unicode 1
0023:Call user32.GetWindowLongW(00010154,00000000) ret=7a48dd66
0023:Ret  user32.GetWindowLongW() retval=08d928e8 ret=7a48dd66
0023:trace:richedit:ME_EmptyUndoStack Emptying undo stack 
...
0023:trace:richedit:ME_ReleaseStyle all style references freed (good!) 
...
0023:trace:richedit:DestroyIRichEditOle Destroying 0x8d934e0 
...
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x10154 msg 0002 () 0 0,
unicode 1 -> 0 
...
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 4
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 5
0023:fixme:richedit:IRichEditOle_fnGetObjectCount stub 0x8d934e0
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=4
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=3 
...
0023:Call user32.GetClassInfoW(00400000,00489bd0 L"EDIT",0033ee64) ret=004f4ed2
0023:Ret  user32.GetClassInfoW() retval=0000c012 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,004b6a2c L"RICHEDIT20W",0033ee64)
ret=004f4ed2
0023:Ret  user32.GetClassInfoW() retval=0000c097 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,017ed23c L"RICHEDIT50W",0033ee64)
ret=004f4ed2
0023:Ret  user32.GetClassInfoW() retval=0000c098 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,0033ee8c L"TChatRichEdit",0033ee18)
ret=004f5172
0023:Ret  user32.GetClassInfoW() retval=0000c09b ret=004f5172
0023:Call user32.CreateWindowExW(00000000,0033ee8c L"TChatRichEdit",0048a85c
L"",44210044,0000000c,0000000a,0000027e,00000025,0002014c,00000000,00400000,00000000)
ret=0040eb98 
...
0023:trace:richedit:ME_UpdateScrollBar min=0 max=4 page=636
0023:trace:richedit:ME_UpdateScrollBar min=0 max=16 page=37
...
0023:trace:richedit:ME_UpdateScrollBar min=0 max=4 page=609
0023:trace:richedit:ME_UpdateScrollBar min=0 max=16 page=27 
...
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x2014a msg 00b3
(EM_SETRECT) 0 33cf38, unicode 1 -> 0
0023:Ret  window proc 0x7a48e304
(hwnd=0x2014a,msg=EM_SETRECT,wp=00000000,lp=0033cf38) retval=00000000
0023:Ret  user32.CallWindowProcW() retval=00000000 ret=004f663d
0023:Ret  window proc 0x380c61
(hwnd=0x2014a,msg=EM_SETRECT,wp=00000000,lp=0033cf38) retval=00000000
0023:Ret  user32.SendMessageW() retval=00000000 ret=019b7d07
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x8d90118 ip=08d90118
tid=0023
0023:trace:seh:raise_exception  info[0]=00000008
0023:trace:seh:raise_exception  info[1]=08d90118
0023:trace:seh:raise_exception  eax=08d90128 ebx=07145180 ecx=00000000
edx=08d934e4 esi=0033cf18 edi=00000001
0023:trace:seh:raise_exception  ebp=0033cf68 esp=0033cee4 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010206
0023:trace:seh:call_stack_handlers calling handler at 0x17ee6df code=c0000005
flags=0
0023:trace:seh:call_stack_handlers handler at 0x17ee6df returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x4f5bf3 code=c0000005
flags=0
0023:trace:seh:call_stack_handlers handler at 0x4f5bf3 returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x4f5c04 code=c0000005
flags=0 
...
<double fault due to exception handling>
--- snip ---

The app creates and destroys RichEdit control(s) while holding explicit
references via 'EM_GETOLEINTERFACE' and 'riched20.IRichEditOle_fnAddRef' to the
COM object in between.

--- snip ---
017ED41D   PUSH EAX
017ED41E   PUSH 0
017ED420   PUSH 43C
017ED425   MOV EAX,EBX
017ED427   CALL Skype.004F9304
017ED42C   PUSH EAX
017ED42D   CALL Skype.0040E968    ; JMP to OFFSET user32.SendMessageW
017ED432   CMP DWORD PTR DS:[EBX+324],0
017ED439   JNZ SHORT Skype.017ED447
017ED43B   MOV EDX,Skype.017ED464 ; "EM_GETOLEINTERFACE for RichEditOle failed"
017ED440   MOV EAX,EBX
017ED442   CALL Skype.00522908
017ED447   MOV EAX,ESI
017ED449   MOV EDX,DWORD PTR DS:[EBX+324]
017ED44F   CALL Skype.0040B4FC
017ED454   POP ESI
017ED455   POP EBX
017ED456   RETN
...
0040B4FC   TEST EDX,EDX
0040B4FE   JE SHORT Skype.0040B519
0040B500   PUSH EDX
0040B501   PUSH EAX
0040B502   MOV EAX,DWORD PTR DS:[EDX]
0040B504   PUSH EDX
0040B505   CALL DWORD PTR DS:[EAX+4]    ; riched20.IRichEditOle_fnAddRef
0040B508   POP EAX
0040B509   MOV ECX,DWORD PTR DS:[EAX]
0040B50B   POP DWORD PTR DS:[EAX]
0040B50D   TEST ECX,ECX
0040B50F   JNZ SHORT Skype.0040B512
0040B511   RETN
...
--- snip ---

Wine frees everything in 'DestroyIRichEditOle', regardless of (external)
reference count.

--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7a0f9080 DestroyIRichEditOle+0x20(iface=0x179134e4)
[/home/focht/projects/wine/wine.repo/src/dlls/riched20/richole.c:2373] in
riched20 (0x0033e918)

  1 0x7a0e08a5 ME_DestroyEditor+0x131(editor=0x179128e8)
[/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:2892] in
riched20 (0x0033e958)

  2 0x7a0e4841 ME_HandleMessage+0x3a60(editor=0x179128e8, msg=0x2, wParam=0,
lParam=0, unicode=0x1, phresult=0x33ef50)
[/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4111] in
riched20 (0x0033eeb8)

  3 0x7a0e6249 RichEditWndProc_common+0x58c(hWnd=0x10136, msg=0x2, wParam=0,
lParam=0, unicode=0x1)
[/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4679] in
riched20 (0x0033ef98)

  4 0x7a0e6354 RichEditWndProcW+0x4f(hWnd=0x10136, msg=0x2, wParam=0, lParam=0)
[/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4699] in
riched20 (0x0033efd8)

  5 0x7ea22f9a WINPROC_wrapper+0x19() in user32 (0x0033f008)

  6 0x7ea2310f call_window_proc+0xcc(hwnd=0x10136, msg=0x2, wp=0, lp=0,
result=0x33f078, arg=0x7a0e6304)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:245] in user32
(0x0033f048)

  7 0x7ea25563 CallWindowProcW+0x69(func=0x7a0e6304, hwnd=0x10136, msg=0x2,
wParam=0, lParam=0)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:982] in user32
(0x0033f08c)

  8 0x004f663d in skype (+0xf663c) (0x0033f220)
  9 0x004f653d in skype (+0xf653c) (0x0033f26c)
  10 0x017eea5d in skype (+0x13eea5c) (0x0033f2a0)
  11 0x00450312 in skype (+0x50311) (0x0033f2b8)

Wine-dbg>p *This

{IUnknown_inner={lpVtbl=0x7a124904}, IRichEditOle_iface={lpVtbl=0x7a124960},
ITextDocument_iface={lpVtbl=0x7a124ac0}, outer_unk=0x179134e0, ref=0x3,
editor=0x179128e8, txtSel=0x17913510, clientSite=0x17913528,
rangelist={next=0x17913500, prev=0x17913500}}
--- snip ---

Heap block view (another run):

--- snip ---
0EE734D8  00000028  
0EE734DC  00455355  ; 'USE' magic
0EE734E0  7A2CF904  ; riched20.reo_unk_vtbl
0EE734E4  7A2CF960  ; riched20.revt
0EE734E8  7A2CFAC0  ; riched20.tdvt
0EE734EC  0EE734E0 
0EE734F0  00000002  ; ref
0EE734F4  0EE728E8 
0EE734F8  0EE73510
0EE734FC  0EE73528
0EE73500  0EE73500 
0EE73504  0EE73500
--- snip ---

Heap block view upon crash:

--- snip ---
0EE734D8  0010CB19  
0EE734DC  45455246  ; 'FREE' magic
0EE734E0  0EE70088 
0EE734E4  0EE70128  ; *boom*
0EE734E8  7A2CFAC0  ; riched20.tdvt
0EE734EC  0EE734E0 
0EE734F0  00000003  ; ref
0EE734F4  0EE728E8 
0EE734F8  0EE73510
0EE734FC  0EE73528
0EE73500  0EE73500
0EE73504  0EE73500
--- snip ---

IRichEditOleImpl vtable pointers get partially overwritten on heap after block
reuse, causing a crash later when the app tries to access them.

'winetricks -q riched20' works around.

$ sha1sum SkypeSetup.msi 
7b600669da6d47d9a89b2093fea845daa02c81a8  SkypeSetup.msi

$ du -sh SkypeSetup.msi 
28M    SkypeSetup.msi

$ wine --version
wine-1.7.31

Regards

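The lifetime bug the comment describes, as an added model in C (not Wine's or Skype's code, and not the actual Wine fix): a host "editor" owns one reference to a COM-style object, a client obtains the same object (as Skype does through EM_GETOLEINTERFACE) and AddRefs it, and teardown either frees the block unconditionally or only drops the owner's reference. The single-slot arena, the `reo_vtbl`/`other_vtbl` strings and the function names are assumptions made for the example; the 'USE'/'FREE' tags are modelled on the heap-block dumps above so that a Release through a dangling pointer is caught by the tag rather than corrupting the count.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wine code: toy model of a refcount-unaware teardown. */

#define MAGIC_USE  0x00455355u   /* 'USE'  tag of a live block, as in the heap dump */
#define MAGIC_FREE 0x45455246u   /* 'FREE' tag of a released block */

typedef struct block {
    unsigned      magic;   /* allocator tag: USE or FREE */
    unsigned long ref;     /* reference count (IRichEditOleImpl::ref in the report) */
    const char   *vtbl;    /* stands in for the vtable pointer */
} block;

/* Single-slot arena (assumption): a freed block is always the next one handed
 * out, which reproduces the block reuse seen in the crash dump. */
static block arena;

static block *arena_alloc(const char *vtbl)
{
    if (arena.magic == MAGIC_USE) return NULL;      /* slot busy */
    arena.magic = MAGIC_USE;
    arena.ref   = 1;                                /* owner's reference */
    arena.vtbl  = vtbl;
    return &arena;
}

static void arena_free(block *b)
{
    b->magic = MAGIC_FREE;
    b->vtbl  = "<freed>";                           /* allocator scribbles the block */
}

unsigned long obj_addref(block *b) { return ++b->ref; }

/* Release that checks the allocator tag first.  Returns the new count, or -1
 * when the caller released a block already tagged FREE (use after free). */
long obj_release(block *b)
{
    unsigned long left;
    if (b->magic != MAGIC_USE) return -1;
    left = --b->ref;
    if (left == 0) arena_free(b);                   /* last holder frees */
    return (long)left;
}

/* Teardown as the report describes wine-1.7.31: frees unconditionally. */
void destroy_ignoring_refcount(block **owner)
{
    arena_free(*owner);
    *owner = NULL;
}

/* Teardown that honours the count: the owner drops only its own reference,
 * so the object outlives the editor while clients still hold it. */
void destroy_honouring_refcount(block **owner)
{
    obj_release(*owner);
    *owner = NULL;
}

/* Returns 1 when the dangling client pointer observes a reused block whose
 * vtable slot changed underneath it, the situation behind the crash. */
int scenario_ignore_refcount(void)
{
    block *owner  = arena_alloc("reo_vtbl");
    block *client = owner;                 /* handed out by EM_GETOLEINTERFACE */
    block *reuse;
    int corrupted;
    obj_addref(client);                    /* ref = 2 */
    destroy_ignoring_refcount(&owner);     /* block tagged FREE, ref still 2 */
    reuse = arena_alloc("other_vtbl");     /* same slot, new content */
    corrupted = reuse == client && strcmp(client->vtbl, "reo_vtbl") != 0;
    arena_free(reuse);
    return corrupted;
}

/* Returns 1 when the object survives the editor and is freed by the client's
 * final Release. */
int scenario_honour_refcount(void)
{
    block *owner  = arena_alloc("reo_vtbl");
    block *client = owner;
    int survived, freed_last;
    obj_addref(client);                    /* ref = 2 */
    destroy_honouring_refcount(&owner);    /* ref = 1, block still USE */
    survived   = client->magic == MAGIC_USE && strcmp(client->vtbl, "reo_vtbl") == 0;
    freed_last = obj_release(client) == 0 && arena.magic == MAGIC_FREE;
    return survived && freed_last;
}

/* Returns -1: a Release through the dangling pointer before the slot is
 * reused is caught by the FREE tag instead of touching the count. */
long scenario_release_after_free_detected(void)
{
    block *owner  = arena_alloc("reo_vtbl");
    block *client = owner;
    obj_addref(client);                    /* ref = 2 */
    destroy_ignoring_refcount(&owner);
    return obj_release(client);
}

int main(void)
{
    printf("ignore refcount, vtable corrupted: %d\n", scenario_ignore_refcount());
    printf("honour refcount, clean lifetime:   %d\n", scenario_honour_refcount());
    printf("release on FREE block: %ld\n", scenario_release_after_free_detected());
    return 0;
}
```

The tag check only catches the window before the slot is reused; once another allocation takes the block (the `other_vtbl` case) the tag reads USE again and the stale pointer silently operates on someone else's object, which is why the fix has to be in the owner's teardown rather than in the client.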