[Bug 37822] New: Monopolie 0.9.7 (VB6 game) crashes while trying to load OLE compound document (WAV file) via Packager

wine-bugs at winehq.org
Thu Jan 1 15:51:14 CST 2015


https://bugs.winehq.org/show_bug.cgi?id=37822

            Bug ID: 37822
           Summary: Monopolie 0.9.7 (VB6 game) crashes while trying to
                    load OLE compound document (WAV file) via Packager
           Product: Wine
           Version: 1.7.33
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Continuation of bug 37818 and bug 37820, if the OLE1 keys were added via
'regedit' import.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Monopolie

$ WINEDEBUG=+tid,+seh,+relay,+ole,+variant,+packager wine ./Monopolie\ 0.9.7.exe >>log.txt 2>&1
...
0023:Call user32.CreateWindowExA(00000004,0000c058,01149e68
"&Buy",4c012000,00000008,00000008,00000049,0000001d,000300aa,00000006,73420000,00000000)
ret=7343f9e2 
...
0023:Ret  user32.ShowWindow() retval=00000000 ret=73456dc5 
...
0023:Call ole32.StgCreateDocfile(00000000,04001012,00000000,0033e30c)
ret=734c8828
0023:Call KERNEL32.GetTempPathW(00000104,0033de08) ret=7e99c926
0023:Ret  KERNEL32.GetTempPathW() retval=00000014 ret=7e99c926
0023:Call KERNEL32.GetTempFileNameW(0033de08
L"C:\\users\\focht\\Temp\\",7ea2da06 L"STO",00000000,0033e010) ret=7e99c960
0023:Ret  KERNEL32.GetTempFileNameW() retval=0000a5a9 ret=7e99c960
0023:Call KERNEL32.CreateFileW(0033e010
L"C:\\users\\focht\\Temp\\STOa5a9.tmp",c0000000,00000001,00000000,00000005,14000000,00000000)
ret=7e99ca0b
0023:Ret  KERNEL32.CreateFileW() retval=000000a0 ret=7e99ca0b 
...
0023:Call
KERNEL32.SetFilePointerEx(000000a0,00003800,00000000,00000000,00000000)
ret=7e95bf78
0023:Ret  KERNEL32.SetFilePointerEx() retval=00000001 ret=7e95bf78
0023:Call KERNEL32.WriteFile(000000a0,01e52b48,00000200,0033d8f4,00000000)
ret=7e95bfbb
0023:Ret  KERNEL32.WriteFile() retval=00000001 ret=7e95bfbb
...
--- snip ---

The game writes out a WAV file as an OLE compound storage object (temp file) and
later tries to load it via Packager.

--- snip ---
...
0023:Call ole32.ReadClassStg(01e4a7b0,0033e2d4) ret=734aa8b9
0023:Ret  ole32.ReadClassStg() retval=00000000 ret=734aa8b9
0023:Call ole32.OleDoAutoConvert(01e4a7b0,0033e2e4) ret=734aa8ce
0023:trace:ole:OleDoAutoConvert (0x1e4a7b0, 0x33e2e4)
0023:Call ntdll.RtlInitUnicodeString(0033e050,0033e0a2
L"CLSID\\{0003000D-0000-0000-C000-000000000046}") ret=7e93f764
0023:Ret  ntdll.RtlInitUnicodeString() retval=0033e050 ret=7e93f764
0023:Call ntdll.NtOpenKey(0033e09c,00020019,0033e058) ret=7e93f780
0023:Ret  ntdll.NtOpenKey() retval=00000000 ret=7e93f780
0023:Call ntdll.RtlNtStatusToDosError(00000000) ret=7e93f78b
0023:Ret  ntdll.RtlNtStatusToDosError() retval=00000000 ret=7e93f78b
0023:Call ntdll.RtlInitUnicodeString(0033e050,7ea296fc L"AutoConvertTo")
ret=7e93f764
0023:Ret  ntdll.RtlInitUnicodeString() retval=0033e050 ret=7e93f764
0023:Call ntdll.NtOpenKey(0033e178,00020019,0033e058) ret=7e93f780
0023:Ret  ntdll.NtOpenKey() retval=c0000034 ret=7e93f780
0023:Call ntdll.RtlNtStatusToDosError(c0000034) ret=7e93f78b
0023:Ret  ntdll.RtlNtStatusToDosError() retval=00000002 ret=7e93f78b
0023:Call advapi32.RegCloseKey(000000a4) ret=7e9441f9
0023:Ret  advapi32.RegCloseKey() retval=00000000 ret=7e9441f9
0023:Ret  ole32.OleDoAutoConvert() retval=80040152 ret=734aa8ce
0023:Call ole32.CoGetClassObject(0033e2e4,00000003,00000000,7343a3b8,0033e2ac)
ret=734a6939
0023:trace:ole:CoGetClassObject CLSID:
{0003000d-0000-0000-c000-000000000046},IID:
{00000000-0000-0000-c000-000000000046} 
...
0023:warn:ole:CoGetClassObject class {0003000d-0000-0000-c000-000000000046} not
registered as in-proc server 
...
0023:err:ole:CoGetClassObject no class object
{0003000d-0000-0000-c000-000000000046} could be created for context 0x3
0023:Ret  ole32.CoGetClassObject() retval=80040154 ret=734a6939 
...
0023:Call ole32.OleLoad(01e4a7b0,73476c78,01149864,0033e2fc) ret=734aa991
0023:trace:ole:OleLoad (0x1e4a7b0, {00000112-0000-0000-c000-000000000046},
0x1149864, 0x33e2fc)
0023:trace:ole:CoCreateInstance (rclsid={0003000d-0000-0000-c000-000000000046},
pUnkOuter=(nil), dwClsContext=00000003,
riid={00000112-0000-0000-c000-000000000046}, ppv=0x33e1fc)
0023:trace:ole:CoGetTreatAsClass
({0003000d-0000-0000-c000-000000000046},0x33e0e8) 
...
0023:trace:ole:guid_from_string L"{F20DA720-C02F-11CE-927B-0800095AE340}" ->
0x33e0e8
0023:Call advapi32.RegCloseKey(000000a8) ret=7e947347
0023:Ret  advapi32.RegCloseKey() retval=00000000 ret=7e947347
0023:trace:ole:CoGetClassObject CLSID:
{f20da720-c02f-11ce-927b-0800095ae340},IID:
{00000001-0000-0000-c000-000000000046} 
...
0023:trace:ole:COMPOBJ_DllList_Add L"C:\\windows\\system32\\packager.dll"
0023:Call KERNEL32.LoadLibraryExW(0033dd6e
L"C:\\windows\\system32\\packager.dll",00000000,00000008) ret=7e93f8f8
0023:Call PE DLL (proc=0x7d685380,module=0x7d680000
L"packager.dll",reason=PROCESS_ATTACH,res=(nil))
0023:trace:packager:DllMain (0x7d680000, 1, (nil))
...
0023:Ret  PE DLL (proc=0x7d685380,module=0x7d680000
L"packager.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0023:Ret  KERNEL32.LoadLibraryExW() retval=7d680000 ret=7e93f8f8
...
0023:trace:ole:apartment_getclassobject added new loaded dll
L"C:\\windows\\system32\\packager.dll"
0023:trace:ole:apartment_getclassobject calling DllGetClassObject 0x7d68284c
0023:Call packager.DllGetClassObject(0033e0e8,7ea3200c,0033e0f8) ret=7e941f05
0023:trace:packager:DllGetClassObject ({f20da720-c02f-11ce-927b-0800095ae340},
{00000001-0000-0000-c000-000000000046}, 0x33e0f8)
0023:trace:packager:PackageCF_QueryInterface
(static)->({00000001-0000-0000-c000-000000000046}, 0x33e0f8)
0023:trace:packager:PackageCF_AddRef (static)
0023:Ret  packager.DllGetClassObject() retval=00000000 ret=7e941f05
0023:Call advapi32.RegCloseKey(000000a8) ret=7e945a72
0023:Ret  advapi32.RegCloseKey() retval=00000000 ret=7e945a72
0023:trace:packager:PackageCF_CreateInstance (static)->((nil),
{00000112-0000-0000-c000-000000000046}, 0x33e1fc)
0023:Call ntdll.RtlAllocateHeap(00110000,00000008,00000218) ret=7d685043
0023:Ret  ntdll.RtlAllocateHeap() retval=00170528 ret=7d685043
0023:trace:packager:OleObject_QueryInterface (0x170528)->(IID_IOleObject,
0x33e1fc)
0023:trace:packager:OleObject_AddRef (0x170528) ref=1
0023:trace:packager:PackageCF_Release (static)
0023:trace:packager:OleObject_QueryInterface (0x170528)->(IID_IOleObject,
0x33e1f8)
0023:trace:packager:OleObject_AddRef (0x170528) ref=2
0023:trace:packager:OleObject_GetMiscStatus (0x170528)->(1, 0x33e1ac)
0023:trace:packager:OleObject_QueryInterface (0x170528)->(IID_IPersistStorage,
0x33e200)
0023:trace:packager:OleObject_AddRef (0x170528) ref=3
0023:trace:packager:PersistStorage_Load (0x170528)->(0x1e4a7b0)
0023:Call ntdll.RtlAllocateHeap(00110000,00000000,00000028) ret=7e98e2e8
0023:Ret  ntdll.RtlAllocateHeap() retval=0017f1a0 ret=7e98e2e8
0023:Call
KERNEL32.SetFilePointerEx(000000a0,00001800,00000000,00000000,00000000)
ret=7e95bd7c
0023:Ret  KERNEL32.SetFilePointerEx() retval=00000001 ret=7e95bd7c
0023:Call KERNEL32.ReadFile(000000a0,01e53b58,00000200,0033c734,00000000)
ret=7e95bdbf
0023:Ret  KERNEL32.ReadFile() retval=00000001 ret=7e95bdbf 
...
0023:Call KERNEL32.ReadFile(000000a0,0033fb00,00000200,0033c7e4,00000000)
ret=7e95bdbf
0023:Ret  KERNEL32.ReadFile() retval=00000001 ret=7e95bdbf
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7d6843b2
ip=7d6843b2 tid=0023
0023:trace:seh:raise_exception  info[0]=00000000
0023:trace:seh:raise_exception  info[1]=7475020f
0023:trace:seh:raise_exception  eax=74750203 ebx=7d689000 ecx=0017f1a0
edx=00000000 esi=0033e180 edi=0033e290
0023:trace:seh:raise_exception  ebp=0033e168 esp=0033cab0 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210246
0023:trace:seh:call_stack_handlers calling handler at 0x84807984 code=c0000005
flags=0 
<stack overflow>
--- snip ---

There are four streams present:

* Ole (20 bytes)
* CompObj (76 bytes)
* OlePres000 (3256 bytes)
* Ole10Native (8196 bytes)

Source:
http://source.winehq.org/git/wine.git/blob/7ef536001fa0da54dafbc32a206343ee59dc0fba:/dlls/packager/packager_main.c#l386

--- snip ---
Wine-dbg>n
444        hr = IStream_Read(stream, &payload_size, 4, NULL);

Wine-dbg>n
PersistStorage_Load () at
/home/focht/projects/wine/wine.repo/build-x86/dlls/packager/../../include/objidl.h:4381
4381        return This->lpVtbl->Read(This,pv,cb,pcbRead);

Wine-dbg>n
err:seh:setup_exception_record stack overflow 1104 bytes in thread 0023 eip
7bc4452f esp 00240ee0 stack 0x240000-0x241000-0x340000
Process of pid=0022 has terminated
--- snip ---

$ sha1sum monopolie0.9.7-installer.exe 
b7cff9b04b11c55b5d1fa4cddb2f0914f61b6653  monopolie0.9.7-installer.exe

$ du -sh monopolie0.9.7-installer.exe 
1.7M    monopolie0.9.7-installer.exe

$ wine --version
wine-1.7.33-117-g6bab173

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
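
As an added example that is not part of the report above and not Wine's packager.dll code, here is a bounds-checked reader in C for the Ole10Native stream in the Packager layout. The field order (total length, flags word, label, source path, reserved DWORD, length-prefixed temp path, payload_size, payload) is the commonly documented OLE1 package layout and is an assumption of this example, as are every name and the constructed sample stream in it. The debugger session above shows packager_main.c line 444 reading the 4-byte payload_size as the last step before the crash; the reader below checks that field, and every other length it reads, against the bytes actually left in the stream, so a header that promises more than the stream carries, or a stream that ends in the middle of a string, is rejected with an error code instead of being read past its end. The sample stream is built in memory with a 12-byte fake WAV payload, so it runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wine code. Field layout below is an assumption. */
enum { OLE10_OK = 0, OLE10_TRUNCATED = 1, OLE10_BAD_LENGTH = 2 };

typedef struct { const uint8_t *p; size_t left; } reader_t;

typedef struct {
    const char *label, *src_path, *temp_path;  /* NUL-terminated, point into the buffer */
    uint32_t payload_size;
    const uint8_t *payload;                    /* payload_size bytes, all inside the buffer */
} ole10native_t;

static int take(reader_t *r, size_t n) {           /* advance only if n bytes remain */
    if (r->left < n) return OLE10_TRUNCATED;
    r->p += n; r->left -= n;
    return OLE10_OK;
}
static int read_u16(reader_t *r, uint16_t *v) {
    if (r->left < 2) return OLE10_TRUNCATED;
    *v = (uint16_t)(r->p[0] | r->p[1] << 8);
    return take(r, 2);
}
static int read_u32(reader_t *r, uint32_t *v) {
    if (r->left < 4) return OLE10_TRUNCATED;
    *v = (uint32_t)r->p[0] | (uint32_t)r->p[1] << 8 | (uint32_t)r->p[2] << 16 | (uint32_t)r->p[3] << 24;
    return take(r, 4);
}
/* NUL-terminated ANSI string found with memchr bounded by what is left, never
 * strlen(): a missing terminator is an error, not an over-read. */
static int read_cstr(reader_t *r, const char **s) {
    const uint8_t *nul = memchr(r->p, 0, r->left);
    if (!nul) return OLE10_TRUNCATED;
    *s = (const char *)r->p;
    return take(r, (size_t)(nul - r->p) + 1);
}

int ole10native_parse(const uint8_t *buf, size_t len, ole10native_t *out) {
    reader_t r = { buf, len };
    uint32_t total, tmp_len;
    uint16_t flags;
    int rc;

    memset(out, 0, sizeof *out);
    if ((rc = read_u32(&r, &total)) != OLE10_OK) return rc;
    /* Leading DWORD counts the bytes after it: clamp the reader to it, and
     * reject a header that promises more than the stream holds. */
    if (total > r.left) return OLE10_BAD_LENGTH;
    r.left = total;
    if ((rc = read_u16(&r, &flags)) != OLE10_OK) return rc;        /* normally 0x0002 */
    if ((rc = read_cstr(&r, &out->label)) != OLE10_OK) return rc;
    if ((rc = read_cstr(&r, &out->src_path)) != OLE10_OK) return rc;
    if ((rc = take(&r, 4)) != OLE10_OK) return rc;                 /* reserved DWORD */
    if ((rc = read_u32(&r, &tmp_len)) != OLE10_OK) return rc;      /* temp path length, NUL included */
    if (tmp_len > r.left || memchr(r.p, 0, tmp_len) == NULL) return OLE10_BAD_LENGTH;
    out->temp_path = (const char *)r.p;
    take(&r, tmp_len);
    /* The field read at packager_main.c line 444 in the trace: bound it too. */
    if ((rc = read_u32(&r, &out->payload_size)) != OLE10_OK) return rc;
    if (out->payload_size > r.left) return OLE10_BAD_LENGTH;
    out->payload = r.p;
    return OLE10_OK;
}

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed sample stream (not from the game): 12-byte fake WAV header as
 * payload. Returns the stream length, 66 bytes. */
size_t build_sample(uint8_t *buf) {
    static const char label[] = "sound.wav", path[] = "C:\\sound.wav";
    static const uint8_t wav[12] = { 'R','I','F','F', 4,0,0,0, 'W','A','V','E' };
    size_t n = 4;                                               /* total filled in last */
    buf[n++] = 0x02; buf[n++] = 0x00;                           /* flags 0x0002 */
    memcpy(buf + n, label, sizeof label); n += sizeof label;    /* NUL included */
    memcpy(buf + n, path, sizeof path);   n += sizeof path;
    memcpy(buf + n, "\0\0\3\0", 4);       n += 4;               /* reserved */
    put_u32(buf + n, sizeof path);        n += 4;               /* temp path length */
    memcpy(buf + n, path, sizeof path);   n += sizeof path;
    put_u32(buf + n, sizeof wav);         n += 4;               /* payload_size */
    memcpy(buf + n, wav, sizeof wav);     n += sizeof wav;
    put_u32(buf, (uint32_t)(n - 4));
    return n;
}

int demo_valid(void) {              /* well-formed stream: returns payload_size, 12 */
    uint8_t buf[128]; ole10native_t o;
    size_t n = build_sample(buf);
    if (ole10native_parse(buf, n, &o) != OLE10_OK) return -1;
    if (strcmp(o.label, "sound.wav") || strcmp(o.temp_path, "C:\\sound.wav")) return -2;
    if (memcmp(o.payload, "RIFF", 4)) return -3;
    return (int)o.payload_size;
}
int demo_oversized_payload(void) {  /* payload_size claims ~2 GiB: OLE10_BAD_LENGTH */
    uint8_t buf[128]; ole10native_t o;
    size_t n = build_sample(buf);
    ole10native_parse(buf, n, &o);
    put_u32(buf + (o.payload - buf) - 4, 0x7fffffffu);  /* patch payload_size in place */
    return ole10native_parse(buf, n, &o);
}
int demo_truncated(void) {          /* stream ends inside src_path: OLE10_TRUNCATED */
    uint8_t buf[128]; ole10native_t o;
    build_sample(buf);
    put_u32(buf, 16);               /* total consistent with a 20-byte stream */
    return ole10native_parse(buf, 20, &o);
}

int main(void) {
    printf("valid stream:       payload_size=%d\n", demo_valid());
    printf("oversized payload:  rc=%d\n", demo_oversized_payload());
    printf("truncated stream:   rc=%d\n", demo_truncated());
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run; the three demo functions return 12, 2 and 1. The parser works on a buffer with an explicit length; a loader reading from an IStream gets the same bound from the cbSize reported by IStream::Stat (8196 bytes for the Ole10Native stream in this report) and must apply it before trusting any length field in the stream. The strings and payload returned point into the caller's buffer, so they are only valid while that buffer is.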