[Bug 21150] Memorex exPressit Label Design Studio 4.x crashes when creating a new project (ieframe 'IOleObject::Advise' is a stub)

wine-bugs at winehq.org wine-bugs at winehq.org
Mon Dec 7 09:38:10 CST 2015 

https://bugs.winehq.org/show_bug.cgi?id=21150

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
          Component|shdocvw                     |ieframe
            Summary|exPressit crashes           |Memorex exPressit Label
                   |                            |Design Studio 4.x crashes
                   |                            |when creating a new project
                   |                            |(ieframe
                   |                            |'IOleObject::Advise' is a
                   |                            |stub)

--- Comment #13 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming, still present.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Memorex exPressit Label Design
Studio/STCD

$ WINEDEBUG=+tid,+seh,+relay,+ieframe wine ./stcd.exe >>log.txt 2>&1
...
0027:Call user32.CreateWindowExA(00000000,005882fc
"MVWebBrowserClass",00000000,4000001e,00000000,00000000,000000c8,0000037b,00020188,00000f05,00400000,0015b69a)
ret=0024eb4d
...
0027:Call user32.CreateWindowExW(00000100,7ce38f80 L"Shell Embedding",7ce38f80
L"Shell
Embedding",46010000,00000000,00000000,00000000,00000000,000201b0,00000000,7ce00000,051c3410)
ret=7ce231a7 
...
0027:Ret  user32.CreateWindowExW() retval=000201ae ret=7ce231a7
0027:trace:ieframe:create_shell_embedding_hwnd parent=0x201b0 hwnd=0x201ae
...
0027:fixme:ieframe:OleObject_Advise (0x51c3410)->(0x9f3260, 0x15bdde) 

0027:Ret  user32.CreateWindowExA() retval=000201b0 ret=0024eb4d
...
0027:Call user32.SendMessageA(000201b0,0000054f,00000000,00000000) ret=00486ad7
0027:Call window proc 0x2f08a0
(hwnd=0x201b0,msg=WM_USER+335,wp=00000000,lp=00000000)
0027:Call user32.GetWindowLongA(000201b0,fffffff0) ret=002f08b2
0027:Ret  user32.GetWindowLongA() retval=4000001e ret=002f08b2
0027:Call user32.GetWindowLongA(000201b0,00000000) ret=002f08dc
0027:Ret  user32.GetWindowLongA() retval=0015bdce ret=002f08dc
0027:Ret  window proc 0x2f08a0
(hwnd=0x201b0,msg=WM_USER+335,wp=00000000,lp=00000000) retval=00000000
0027:Ret  user32.SendMessageA() retval=00000000 ret=00486ad7
0027:Call msvcr70.memset(0088e830,00000000,000000c8) ret=0048b283
0027:Ret  msvcr70.memset() retval=0088e830 ret=0048b283
0027:Call msvcr70.memset(0088e8d0,00000000,00000028) ret=00552311
0027:Ret  msvcr70.memset() retval=0088e8d0 ret=00552311
0027:Call user32.GetPropA(00020194,00587954 "MVDSTWinData") ret=0041d0e2
0027:Ret  user32.GetPropA() retval=0015b69a ret=0041d0e2
0027:Call msvcr70.memset(0015c05e,00000000,0000009e) ret=100013a8
0027:Ret  msvcr70.memset() retval=0015c05e ret=100013a8
0027:Call msvcr70.memmove(0015c062,029e294c,0000000e) ret=10007361
0027:Ret  msvcr70.memmove() retval=0015c062 ret=10007361
...
0027:Call msvcr70.memmove(0015c34c,02a1426b,0000004e) ret=10007361
0027:Ret  msvcr70.memmove() retval=0015c34c ret=10007361
0027:trace:seh:raise_exception code=c0000005 flags=0 addr=0x48ac2a ip=0048ac2a
tid=0027
0027:trace:seh:raise_exception  info[0]=00000000
0027:trace:seh:raise_exception  info[1]=00000000
0027:trace:seh:raise_exception  eax=0088e91c ebx=0088eab0 ecx=00000000
edx=00000027 esi=0088eb04 edi=0088eac4
0027:trace:seh:raise_exception  ebp=0088e930 esp=0088e3d0 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210202
0027:trace:seh:call_stack_handlers calling handler at 0x57f70e code=c0000005
flags=0
...
wine: Unhandled page fault on read access to 0x00000000 at address 0x48ac2a
(thread 0027), starting debugger...
...
Backtrace:
=>0 0x0048ac2a in stcd (+0x8ac2a) (0x0088e930)
  1 0x00486aea in stcd (+0x86ae9) (0x0088e944)
  2 0x00486b3c in stcd (+0x86b3b) (0x0088e958)
  3 0x00421aac in stcd (+0x21aab) (0x0088e9e8)
  4 0x7ea00176 WINPROC_wrapper+0x19() in user32 (0x0088ea18)
  5 0x7ea0028f call_window_proc+0xa1(hwnd=0x20194, msg=0x84, wp=0,
lp=0x2c5044e, result=0x88ea88, arg=0x421050)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:245] in user32
(0x0088ea58)
  6 0x7ea020cf CallWindowProcA+0x4f(func=<couldn't compute location>,
hwnd=<couldn't compute location>, msg=<couldn't compute location>,
wParam=<couldn't compute location>, lParam=<couldn't compute location>)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:956] in user32
(0x0088ea98)
  7 0x7bc7a126 relay_call+0x39() in ntdll (0x0088ead8)
  8 0x7e96f625 in user32 (+0xf624) (0x0088eb18)
  9 0x00271c3f in dwwin (+0x31c3e) (0x0088eb18)
  10 0x7ea00176 WINPROC_wrapper+0x19() in user32 (0x0088eb48)
...
  22 0x7e9cc289 PeekMessageA+0x49(msg=<couldn't compute location>,
hwnd=<couldn't compute location>, first=<couldn't compute location>,
last=<couldn't compute location>, flags=<couldn't compute location>)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/message.c:3794] in user32
(0x0088f708)
  23 0x7bc7a126 relay_call+0x39() in ntdll (0x0088f74c)
  24 0x7e9720fd in user32 (+0x120fc) (0x0088f79c)
  25 0x00246538 in dwwin (+0x6537) (0x0088f79c)
  26 0x002467a6 in dwwin (+0x67a5) (0x0088f7b4)
  27 0x002d1d0b in dwwin (+0x91d0a) (0x0088f7c8)
  28 0x002d2944 in dwwin (+0x92943) (0x0088fa68)
  29 0x0024fadb in dwwin (+0xfada) (0x0088fba4)
  30 0x0027185b in dwwin (+0x3185a) (0x0088fbc4)
  31 0x004a3284 in stcd (+0xa3283) (0x0088fd9c)
  32 0x0057f3e1 in stcd (+0x17f3e0) (0x0088fe40)
  33 0x7b8680ec call_process_entry+0xb() in kernel32 (0x0088fe58)
...
0x0048ac2a: movl    0x0(%ecx),%edx
Modules:
Module    Address            Debug info    Name (142 modules)
PE      240000-  370000    Export          dwwin
PE      370000-  3bf000    Deferred        ltimg13n
PE      3c0000-  3cd000    Deferred        lttwn13n
PE      3d0000-  3eb000    Deferred        mvmcc
PE      3f0000-  3f9000    Deferred        mvgallery
PE      400000-  68c000    Export          stcd
PE      890000-  8da000    Deferred        mvpictool
PE     29b0000- 29ba000    Deferred        mvdmm2
PE     29c0000- 29c7000    Deferred        mvdmm_generic
PE     29d0000- 29df000    Deferred        mvdmm_itunes
PE     3670000- 3812000    Deferred        ltclr13n
PE     4c60000- 4c6a000    Deferred        mvdmm_wmp
PE    10000000-1001f000    Deferred        dwmemman
...
ELF    7ac00000-7ac89000    Deferred        riched20<elf>
  \-PE    7ac20000-7ac89000    \               riched20
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000026 (D) C:\Program Files\Memorex exPressit Label Design
Studio\STCD\stcd.exe
    00000027    0 <==
--- snip ---

Preceding the crash site there is a failing
'SendMessage(hwndBrowser,WM_USER+0x14f,0,0)' call that ought to return some
object/member data.

--- snip ---
00486AC0  55            PUSH EBP
00486AC1  8BEC          MOV EBP,ESP
00486AC3  51            PUSH ECX
00486AC4  6A 00         PUSH 0                       ; lParam = 0
00486AC6  6A 00         PUSH 0                       ; wParam = 0
00486AC8  68 4F050000   PUSH 54F                     ; Msg = 54F
00486ACD  8B45 08       MOV EAX,DWORD PTR SS:[ARG.1]
00486AD0  50            PUSH EAX                     ; hWnd => [ARG.1]
00486AD1  FF15 48045800 CALL DWORD PTR DS:[<&USER32.SendMessageA>]
00486AD7  8945 FC       MOV DWORD PTR SS:[LOCAL.1],EAX ; <--- NULL !
00486ADA  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]
00486ADD  51            PUSH ECX                     ; Arg2 => [LOCAL.1]
00486ADE  8B55 0C       MOV EDX,DWORD PTR SS:[ARG.2]
00486AE1  8B42 06       MOV EAX,DWORD PTR DS:[EDX+6]
00486AE4  50            PUSH EAX                     ; Arg1
00486AE5  E8 F6400000   CALL 0048ABE0
00486AEA  8BE5          MOV ESP,EBP
00486AEC  5D            POP EBP
00486AED  C3            RETN
...
0048ABE0  55            PUSH EBP
0048ABE1  8BEC          MOV EBP,ESP
0048ABE3  81EC 58050000 SUB ESP,558
0048ABE9  8D85 00FFFFFF LEA EAX,[LOCAL.64]
0048ABEF  50            PUSH EAX                     ; Arg2 (NULL)
0048ABF0  8B4D 08       MOV ECX,DWORD PTR SS:[ARG.1]
0048ABF3  51            PUSH ECX                     ; Arg1 => [ARG.1]
0048ABF4  E8 77060000   CALL 0048B270
0048ABF9  833D 203D5900 CMP DWORD PTR DS:[593D20],0
0048AC00  75 1C         JNE SHORT 0048AC1E
0048AC02  68 243D5900   PUSH OFFSET 00593D24
0048AC07  68 04040000   PUSH 404
0048AC0C  8B15 F4DF5800 MOV EDX,DWORD PTR DS:[58DFF4]
0048AC12  52            PUSH EDX
0048AC13  FF15 A0085800 CALL DWORD PTR DS:[<&dwwin._dwLoadWordArray at 12>]
0048AC19  A3 203D5900   MOV DWORD PTR DS:[593D20],EAX
0048AC1E  8D45 EC       LEA EAX,[LOCAL.5]
0048AC21  50            PUSH EAX
0048AC22  68 BC0D5800   PUSH OFFSET 00580DBC
0048AC27  8B4D 0C       MOV ECX,DWORD PTR SS:[ARG.2] ; (NULL)
0048AC2A  8B11          MOV EDX,DWORD PTR DS:[ECX]   ; *boom*
0048AC2C  8B45 0C       MOV EAX,DWORD PTR SS:[ARG.2]
0048AC2F  50            PUSH EAX
0048AC30  FF12          CALL DWORD PTR DS:[EDX]
0048AC32  85C0          TEST EAX,EAX
0048AC34  74 05         JZ SHORT 0048AC3B
...
--- snip ---

In the app message handler for WM_USER+0x14F there is a check on member data
associated to the main browser window.
The member data is NULL at this point and the message handler short-circuits
here, without calling some internal member functions.

It's likely that proper sink hookup will activate more code paths that
create/instantiate missing member data.

Source:
http://source.winehq.org/git/wine.git/blob/10f35222dc8e7184963076a7e8e58ad64651638e:/dlls/ieframe/oleobject.c#l710

--- snip ---
 710 static HRESULT WINAPI OleObject_Advise(IOleObject *iface, IAdviseSink
*pAdvSink,
 711         DWORD* pdwConnection)
 712 {
 713     WebBrowser *This = impl_from_IOleObject(iface);
 714     FIXME("(%p)->(%p, %p)\n", This, pAdvSink, pdwConnection);
 715     return E_NOTIMPL;
 716 }
--- snip ---

--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> Z:\home\focht\Downloads\exPressit.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 18222904 (01160F38h)
Byte(s)
Compilation TimeStamp : 0x370D108F -> Thu 08th Apr 1999 20:24:47 (GMT)
[TimeStamp] 0x370D108F -> Thu 08th Apr 1999 20:24:47 (GMT) | PE Header | - |
Offset: 0x000000D0 | VA: 0x004000D0 | -
[TimeStamp] 0x370D108F -> Thu 08th Apr 1999 20:24:47 (GMT) | Export | - |
Offset: 0x000007E4 | VA: 0x004021E4 | -
-> File Appears to be Digitally Signed @ Offset 0115F800h, size : 01738h /
05944 byte(s)
[File Heuristics] -> Flag #1 : 00000000000001001100000000000100 (0x0004C004)
[Entrypoint Section Entropy] : 5.56 (section #0) ".text   " | Size : 0x1FE
(510) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 4 (0x4) | ImageSize 0x1163000 (18231296) byte(s)
[VersionInfo] Company Name : MicroVision Development
[VersionInfo] File Description : Memorex exPressit Label Design Studio
[VersionInfo] Legal Copyrights : MicroVision Development
[-= Installer =-] Wise Installation Wizard Module !
- Scan Took : 3.905 Second(s) [000000C17h (3095) tick(s)] [499 of 573 scan(s)
done]

Scanning -> C:\Program Files\Memorex exPressit Label Design
Studio\STCD\stcd.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2629632 (0282000h)
Byte(s)
Compilation TimeStamp : 0x43A70E18 -> Mon 19th Dec 2005 19:46:32 (GMT)
[TimeStamp] 0x43A70E18 -> Mon 19th Dec 2005 19:46:32 (GMT) | PE Header | - |
Offset: 0x00000120 | VA: 0x00400120 | -
[TimeStamp] 0x43A70E18 -> Mon 19th Dec 2005 19:46:32 (GMT) | Export | - |
Offset: 0x00186304 | VA: 0x00586304 | -
[TimeStamp] 0x43A70E18 -> Mon 19th Dec 2005 19:46:32 (GMT) | DebugDirectory | -
| Offset: 0x00180D04 | VA: 0x00580D04 | -
[File Heuristics] -> Flag #1 : 00000100000000001000000100000000 (0x04008100)
[Entrypoint Section Entropy] : 6.13 (section #0) ".text   " | Size : 0x17E9EF
(1567215) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 4 (0x4) | ImageSize 0x28C000 (2670592) byte(s)
[Export] 100% of function(s) (1 of 1) are in file | 0 are forwarded | 1 code |
0 data | 0 uninit data | 0 unknown | 
[VersionInfo] Company Name : MicroVision Development. Inc.
[VersionInfo] Product Name : Memorex exPressit Label Design Studio
[VersionInfo] Product Version : 4.3.206
[VersionInfo] File Description : Memorex exPressit Label Design Studio
[VersionInfo] File Version : 4.3.206
[VersionInfo] Original FileName : stcd.exe
[VersionInfo] Internal Name : stcd
[VersionInfo] Version Comments : \CompanyName
[VersionInfo] Legal Trademarks : :    OriginalFilename
[VersionInfo] Legal Copyrights : Copyright © 1999-2003 MicroVision Development.
Inc.  All rights reserved.
[Debug Info] (record 1 of 1) (file offset 0x180D00)
Characteristics : 0x0 | TimeDateStamp : 0x43A70E18 (Mon 19th Dec 2005 19:46:32
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x36 (54) 
AddressOfRawData : 0x181284 | PointerToRawData : 0x181284
CvSig : 0x53445352 | SigGuid DC7D9825-5B1F-40E6-9B8FDF92224B4DFA
Age : 0x1 | Pdb : r:\dest\stcd\release\stcd.pdb
[CompilerDetect] -> Visual C++ 7.0 (Visual Studio 2002)
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.579 Second(s) [000000243h (579) tick(s)] [499 of 573 scan(s)
done]
--- snip ---

$ sha1sum exPressit.exe
4c188381c51e109db43f6ac9a51655313dbd1906  exPressit.exe

$ du -sh exPressit.exe
18M    exPressit.exe

$ wine --version
wine-1.8-rc3

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list