[Bug 24112] Xara Designer Pro 6 demo crashes when you select 'continue trial'

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Aug 8 14:34:54 CDT 2015 

https://bugs.winehq.org/show_bug.cgi?id=24112

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|Abandoned?                  |
                URL|http://www.xara.com/us/down |http://downloads.xara.com/d
                   |loads/designer/             |ownloads/software/xaradesig
                   |                            |nerpro6dl.exe
                 CC|                            |focht at gmx.net

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming, still present.

Looks like use-after-free issue, cause unknown.
The crash location is pretty much random due to heap garbage being interpreted
as function pointer leading to callstack partially messed up.

Trace with +relay hides the problem and the app starts.

I reconstructed the call site though:

--- snip ---
...
004B3B9A     8B4424 20        MOV EAX,DWORD PTR SS:[ESP+20]
004B3B9E     50               PUSH EAX
004B3B9F     E8 FC0EFAFF      CALL Designer.00454AA0
004B3BA4     8B8E 44040000    MOV ECX,DWORD PTR DS:[ESI+444] 
004B3BAA     8B11             MOV EDX,DWORD PTR DS:[ECX]      ; ptr freed block
004B3BAC     8B42 1C          MOV EAX,DWORD PTR DS:[EDX+1C]
004B3BAF     FFD0             CALL EAX                        ; nirvana
004B3BB1     85C0             TEST EAX,EAX
004B3BB3     74 0B            JE SHORT Designer.004B3BC0
004B3BB5     8B8E 44040000    MOV ECX,DWORD PTR DS:[ESI+444]
004B3BBB     E8 D0960800      CALL Designer.0053D290
004B3BC0     E8 5BCC3000      CALL Designer.007C0820
004B3BC5     8B16             MOV EDX,DWORD PTR DS:[ESI]
004B3BC7     8B82 D4000000    MOV EAX,DWORD PTR DS:[EDX+D4]
004B3BCD     8BCE             MOV ECX,ESI
004B3BCF     FFD0             CALL EAX
004B3BD1     85C0             TEST EAX,EAX
004B3BD3     75 26            JNZ SHORT Designer.004B3BFB
...
--- snip ---

+heap shows a couple of small (non critical) heap corruptions before and
finally a use-after-free:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Xara/Xara_Designer_Pro_6

$ WINEDEBUG=+tid,+seh,+loaddll,+process,+debugstr,+heap wine ./DesignerPro.exe
>>log.txt 2>&1
...
0027:trace:heap:RtlAllocateHeap (0x19b0000,70000062,00000054): returning
0x1a960e0
0027:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4536f8 ip=004536f8
tid=0027
0027:trace:seh:raise_exception  info[0]=00000000
0027:trace:seh:raise_exception  info[1]=feeefeee
0027:trace:seh:raise_exception  eax=00000000 ebx=feeefeee ecx=3cfb9274
edx=00000000 esi=03ba4500 edi=00000001
0027:trace:seh:raise_exception  ebp=01a960e0 esp=0033828c cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210283
0027:trace:seh:call_stack_handlers calling handler at 0xe240a9 code=c0000005
flags=0
0027:trace:seh:call_stack_handlers handler at 0xe240a9 returned 1 
...
Unhandled exception: page fault on read access to 0xfeeefeee in 32-bit code
(0x004536f8).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:004536f8 ESP:0033828c EBP:01a960e0 EFLAGS:00210283(  R- --  I S - - -C)
 EAX:00000000 EBX:feeefeee ECX:3cfb9274 EDX:00000000
 ESI:03ba4500 EDI:00000001
Stack dump:
0x0033828c:  3cfb9294 00000001 03ba4500 00000000
0x0033829c:  00000000 00000000 0033834c 003382e8
0x003382ac:  f7549aa3 00000003 7bceef40 7bcbc525
0x003382bc:  7bcbc2a5 00338300 7ffd8000 7bd019a0
0x003382cc:  00000000 003382f0 0033834c 00338300
0x003382dc:  0000004b 00000000 00000000 00338338
Backtrace:
=>0 0x004536f8 in designerpro (+0x536f8) (0x01a960e0)
  1 0x00000000 (0x00f69754)
  2 0x007c5db0 in designerpro (+0x3c5daf) (0x007c0fd0)
  3 0xccccc301 (0x181ac0b8)
0x004536f8: movl    0x0(%ebx),%edx
Modules:
Module    Address            Debug info    Name (161 modules)
PE      340000-  391000    Deferred        mxexif_rel_u_vc8
PE      3a0000-  3cd000    Deferred        xaracms
PE      400000- 13b8000    Export          designerpro
PE     13c0000- 145c000    Deferred        playripl
PE     1ec0000- 1f61000    Deferred        xaradark.cjstyles
PE     1f70000- 1fa6000    Deferred        magixofa-en
PE     1fc0000- 23da000    Deferred        xaraxenu
PE     3000000- 310c000    Deferred        xaradraw
PE     3530000- 37f4000    Deferred        pcfx
PE     3800000- 3816000    Deferred        xaradraw2
PE     4090000- 4255000    Deferred        magixofa_u
PE     56a0000- 56ab000    Deferred        ucompstream
PE     56b0000- 5705000    Deferred        mpeg2
PE     7750000- 7aa8000    Deferred        imfilters
PE    10000000-100a0000    Deferred        mfl_u
ELF    495dd000-495fb000    Deferred        libgcc_s.so.1
PE    60000000-60025000    Deferred        ijl10
ELF    7b800000-7ba71000    Deferred        kernel32<elf>
  \-PE    7b820000-7ba71000    \               kernel32 
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000026 (D) C:\Program Files\Xara\Xara_Designer_Pro_6\DesignerPro.exe
    00000030    0
    0000002f    0
    0000002e    0
    0000002d    0
    0000002a    0
    00000029    0
    00000028    0
    00000027    0 <== 
--- snip ---

Could be either an app bug that doesn't appear on NT due to different heap
manager design or something else.

I don't see the benefit of wasting time on this now as only one old app version
is affected and later versions work, maybe revisiting later.

$ sha1sum xaradesignerpro6dl.exe 
a98b3f7e75a623d5b8c309d5863b40e09e08b735  xaradesignerpro6dl.exe

$ du -sh xaradesignerpro6dl.exe 
104M    xaradesignerpro6dl.exe

$ wine --version
wine-1.7.49

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list