[Bug 38939] u-blox u-center GNSS evaluation software v8.17 crashes when received data is inserted in 'Packet Console' window (questionable handling of edit control text buffer ownership)

wine-bugs at winehq.org
Sat Jul 18 06:20:40 CDT 2015


https://bugs.winehq.org/show_bug.cgi?id=38939

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
             Status|UNCONFIRMED                 |NEW
                URL|                            |http://www.ublox.com/images
                   |                            |/Support/Support_Products/E
                   |                            |valuationSoftware/u-centers
                   |                            |etup_v8.17.zip
                 CC|                            |focht at gmx.net
          Component|-unknown                    |user32
            Summary|u-blox U-center 8,17        |u-blox u-center GNSS
                   |crashes when attempting to  |evaluation software v8.17
                   |open view->Packet Console   |crashes when received data
                   |                            |is inserted in 'Packet
                   |                            |Console' window
                   |                            |(questionable handling of
                   |                            |edit control text buffer
                   |                            |ownership)
     Ever confirmed|0                           |1

--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

Since I don't have a GPS device to hook up to a serial port, I use the
following setup:

* dual USB serial converter (Y-cable)
* crosslink for loopback
* NMEA simulator software

Simulator: http://www.atlsoft.de/gps-simulator/ (needs 'winetricks -q dotnet20'
prerequisite)

COM1, COM2 device symlinks to /dev/ttyUSB0,1

U-Blox:

* open COM1
* open packet console

NMEAGenerator:

* open COM2
* start (sends NMEA protocol strings)

--- snip ---
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code
(0x7eb69195).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7eb69195 ESP:0033ec00 EBP:0033ecb8 EFLAGS:00210202(  R- --  I   - - - )
 EAX:00000000 EBX:00138fb0 ECX:0033eba0 EDX:000000a2
 ESI:0114c5b8 EDI:0114c5b8
...
Backtrace:
=>0 0x7eb69195 EDIT_EM_ReplaceSel+0x3e9(es=0x114c978, can_undo=0,
lpsz_replace="10:18:29  R -> NMEA GPRMC,  Size  71,  'Recommended Minimum
Specific GNSS Data'
", send_update=0x1, honor_limit=0x1)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/edit.c:2629] in user32
(0x0033ecb8)
  1 0x7eb6f15c EditWndProc_common+0x49c(hwnd=0x30044, msg=0xc2, wParam=0,
lParam=0x11024d0, unicode=0x1)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/edit.c:4763] in user32
(0x0033ed88)
  2 0x7ebdb8ef EditWndProcW+0x32(hwnd=0x30044, msg=0xc2, wParam=0,
lParam=0x11024d0)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:1083] in user32
(0x0033edb8)
  3 0x7ebd8efe WINPROC_wrapper+0x19() in user32 (0x0033ede8)
  4 0x7ebd9063 call_window_proc+0xbc(hwnd=0x30044, msg=0xc2, wp=0,
lp=0x11024d0, result=0x33ee58, arg=0x7ebdb8bc)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:245] in user32
(0x0033ee28)
  5 0x7ebdb423 CallWindowProcW+0x5d(func=0x7ebdb8bc, hwnd=0x30044, msg=0xc2,
wParam=0, lParam=0x11024d0)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:982] in user32
(0x0033ee6c)
  6 0x00535b98 in u-center (+0x135b97) (0x0033ee8c)
...
0x7eb69195 EDIT_EM_ReplaceSel+0x3e9
[/home/focht/projects/wine/wine.repo/src/dlls/user32/edit.c:2629] in user32:
movzwl    0x0(%eax),%eax
2629                p[strl] = p[0];

Wine-dbg>info locals
0x7eb69195 EDIT_EM_ReplaceSel+0x3e9: (0033ecb8)
    EDITSTATE* es=0x114c978 (parameter [EBP+8])
    BOOL can_undo=0 (parameter [EBP+12])
    LPCWSTR lpsz_replace="10:18:29  R -> NMEA GPRMC,  Size  71,  'Recommended
Minimum Specific GNSS Data'
" (parameter [EBP+16])
    BOOL send_update=0x1 (parameter [EBP+20])
    BOOL honor_limit=0x1 (parameter [EBP+24])
    UINT strl=0x51 (local [EBP-12])
    UINT tl=0 (local [EBP-44])
    UINT utl=0 (local [EBP-116])
    UINT s=0 (local [EBP-16])
    UINT e=0 (local [EBP-20])
    UINT i=0x30044 (local [EBP-24])
    UINT size=0x51 (local [EBP-60])
    LPWSTR p=0x0(nil) (local [EBP-28])
    HRGN hrgn=(nil) (local [EBP-32])
    LPWSTR buf=0x0(nil) (local [EBP-36])
    UINT bufl=0 (local [EBP-40])

Wine-dbg>p *es  
{is_unicode=0x1, text=0x0(nil), text_length=0, buffer_size=0x5f,
buffer_limit=0x7ffffffe, font=0xd90107, x_offset=0, line_height=0xf,
char_width=0x8, style=0x502009c4, flags=0, undo_insert_count=0,
undo_position=0, undo_text="", undo_buffer_size=0xf, selection_start=0,
selection_end=0, password_char=0, left_margin=0x4, right_margin=0x4,
format_rect={left=0x5, top=0x1, right=0x36d, bottom=0x11e}, text_width=0,
region_posx=0, region_posy=0, word_break_proc=0x0(nil), line_count=0x1,
y_offset=0, bCaptureState=0, bEnableState=0x1, hwndSelf=0x30044,
hwndParent=0x1600da, hwndListBox=(nil), wheelDeltaRemainder=0, lock_count=0,
tabs_count=0x1, tabs=0x1149eb0, first_line_def=0x10ff568, hloc32W=0x10fb972,
hloc32A=0x0(nil), hlocapp=0x10fb972, composition_len=0, composition_start=0,
logAttr=(nil), ssa=0x0(nil)}
--- snip ---

Trace log:

--- snip ---
$  pwd
/home/focht/.wine/drive_c/Program Files/u-blox/u-center_v8.17

$ WINEDEBUG=+tid,+seh,+relay,+edit wine ./u-Center.exe >>log.txt 2>&1
...
0037:Call user32.SendMessageW(000101e8,000000bd,00000000,00000000) ret=00540e15
0037:Call window proc 0x534d7e
(hwnd=0x101e8,msg=EM_GETHANDLE,wp=00000000,lp=00000000)
0037:Call user32.CallWindowProcW(7ebdb8bc,000101e8,000000bd,00000000,00000000)
ret=00535b98
0037:Call window proc 0x7ebdb8bc
(hwnd=0x101e8,msg=EM_GETHANDLE,wp=00000000,lp=00000000)
0037:trace:edit:EditWndProc_common hwnd=0x101e8 msg=bd (EM_GETHANDLE) wparam=0
lparam=0
0037:trace:edit:EDIT_EM_GetHandle Returning 0x1112202, LocalSize() = 32
0037:trace:edit:EditWndProc_common hwnd=0x101e8 msg=bd (EM_GETHANDLE) --
0x01112202
0037:Ret  window proc 0x7ebdb8bc
(hwnd=0x101e8,msg=EM_GETHANDLE,wp=00000000,lp=00000000) retval=01112202
0037:Ret  user32.CallWindowProcW() retval=01112202 ret=00535b98
0037:Ret  window proc 0x534d7e
(hwnd=0x101e8,msg=EM_GETHANDLE,wp=00000000,lp=00000000) retval=01112202
0037:Ret  user32.SendMessageW() retval=01112202 ret=00540e15
0037:Call KERNEL32.LocalLock(01112202) ret=00540e1c
0037:Ret  KERNEL32.LocalLock() retval=01115cc8 ret=00540e1c 
...
0037:Call user32.SendMessageW(000101e8,000000ba,00000000,00000000) ret=004b3cfc
0037:Call window proc 0x534d7e
(hwnd=0x101e8,msg=EM_GETLINECOUNT,wp=00000000,lp=00000000)
0037:Call user32.CallWindowProcW(7ebdb8bc,000101e8,000000ba,00000000,00000000)
ret=00535b98
0037:Call window proc 0x7ebdb8bc
(hwnd=0x101e8,msg=EM_GETLINECOUNT,wp=00000000,lp=00000000)
0037:trace:edit:EditWndProc_common hwnd=0x101e8 msg=ba (EM_GETLINECOUNT)
wparam=0 lparam=0
0037:trace:edit:EditWndProc_common hwnd=0x101e8 msg=ba (EM_GETLINECOUNT) --
0x00000001
0037:Ret  window proc 0x7ebdb8bc
(hwnd=0x101e8,msg=EM_GETLINECOUNT,wp=00000000,lp=00000000) retval=00000001
0037:Ret  user32.CallWindowProcW() retval=00000001 ret=00535b98
0037:Ret  window proc 0x534d7e
(hwnd=0x101e8,msg=EM_GETLINECOUNT,wp=00000000,lp=00000000) retval=00000001
0037:Ret  user32.SendMessageW() retval=00000001 ret=004b3cfc 
...
0037:Ret  window proc 0x534d7e
(hwnd=0x101e8,msg=EM_GETHANDLE,wp=00000000,lp=00000000) retval=01112202
0037:Ret  user32.SendMessageW() retval=01112202 ret=00541eba
0037:Call KERNEL32.LocalUnlock(01112202) ret=00541ec1
0037:Ret  KERNEL32.LocalUnlock() retval=00000000 ret=00541ec1
0037:Call user32.GetWindowTextLengthW(000101e8) ret=0053b0fc
0037:Call window proc 0x534d7e
(hwnd=0x101e8,msg=WM_GETTEXTLENGTH,wp=00000000,lp=00000000)
0037:Call user32.CallWindowProcW(7ebdb8bc,000101e8,0000000e,00000000,00000000)
ret=00535b98
0037:Call window proc 0x7ebdb8bc
(hwnd=0x101e8,msg=WM_GETTEXTLENGTH,wp=00000000,lp=00000000)
0037:trace:edit:EditWndProc_common hwnd=0x101e8 msg=e (WM_GETTEXTLENGTH)
wparam=0 lparam=0
0037:trace:edit:EditWndProc_common hwnd=0x101e8 msg=e (WM_GETTEXTLENGTH) --
0x00000000
0037:Ret  window proc 0x7ebdb8bc
(hwnd=0x101e8,msg=WM_GETTEXTLENGTH,wp=00000000,lp=00000000) retval=00000000
0037:Ret  user32.CallWindowProcW() retval=00000000 ret=00535b98
0037:Ret  window proc 0x534d7e
(hwnd=0x101e8,msg=WM_GETTEXTLENGTH,wp=00000000,lp=00000000) retval=00000000
0037:Ret  user32.GetWindowTextLengthW() retval=00000000 ret=0053b0fc 
...
0037:Ret  window proc 0x534d7e
(hwnd=0x101e8,msg=EM_SCROLLCARET,wp=00000000,lp=00000000) retval=00000001
0037:Ret  user32.SendMessageW() retval=00000001 ret=004b3bfd
0037:Call ntdll.RtlReAllocateHeap(00110000,00000000,0111b170,000000fe)
ret=00673e33
0037:Ret  ntdll.RtlReAllocateHeap() retval=01114298 ret=00673e33
0037:Call user32.SendMessageW(000101e8,000000c2,00000000,011142a8) ret=004b3c22
0037:Call window proc 0x534d7e
(hwnd=0x101e8,msg=EM_REPLACESEL,wp=00000000,lp=011142a8)
0037:Call user32.CallWindowProcW(7ebdb8bc,000101e8,000000c2,00000000,011142a8)
ret=00535b98
0037:Call window proc 0x7ebdb8bc
(hwnd=0x101e8,msg=EM_REPLACESEL,wp=00000000,lp=011142a8)
0037:trace:edit:EditWndProc_common hwnd=0x101e8 msg=c2 (EM_REPLACESEL) wparam=0
lparam=11142a8
0037:trace:edit:EDIT_EM_ReplaceSel L"10:25:54  R -> NMEA GPRMC,  Size  71, 
'Recommended Minimum Specific GNSS Data'\r\n", can_undo 0, send_update 1
0037:trace:edit:EDIT_MakeFit trying to ReAlloc to 81+1 characters
0037:trace:edit:EDIT_MakeFit Old 32 bit handle 0x1112202, new handle 0x1112202
0037:trace:edit:EDIT_MakeFit We now have 95+1
0037:trace:edit:EDIT_EM_ReplaceSel inserting stuff (tl 0, strl 81, selstart 0
((null)), text (null))
0037:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7eb69195
ip=7eb69195 tid=0037
0037:trace:seh:raise_exception  info[0]=00000000
0037:trace:seh:raise_exception  info[1]=00000000
0037:trace:seh:raise_exception  eax=00000000 ebx=f773ede8 ecx=00000000
edx=000000a2 esi=0032edf8 edi=0032edb4
0037:trace:seh:raise_exception  ebp=0032ebe8 esp=0032eb30 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210202
...
--- snip ---

The app essentially does:

--- snip ---
...
LocalLock((HLOCAL)SendMessage(edit, EM_GETHANDLE, 0, 0));
...
<access contents>
...
LocalUnlock((HLOCAL)SendMessage(edit, EM_GETHANDLE, 0, 0));
...
<further edit control messages, causing text buffer manipulation>
--- snip ---

The following functions look conceptually questionable to me when it comes to
text buffer ownership.

EDIT_EM_GetHandle
EDIT_LockBuffer
EDIT_UnlockBuffer

$ sha1sum u-centersetup_v8.17.zip 
7c312d9c2593bb7c84d9c28612838c667d8c3625  u-centersetup_v8.17.zip

$ du -sh u-centersetup_v8.17.zip
16M    u-centersetup_v8.17.zip

$ wine --version
wine-1.7.47-118-ga90592c

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
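Added example (not code from the bug report, from Wine or from u-center): a portable C model of the text buffer ownership protocol the comment above describes. The Win32 pieces (EM_GETHANDLE, EM_REPLACESEL, LocalLock/LocalUnlock, LocalReAlloc on a moveable block) are replaced by the invented mock_* and edit_* functions; the struct fields are named after the EDITSTATE fields in the dump (hloc32W, text, lock_count, text_length) for readability only, and the 81-character test line is the lpsz_replace shown in the backtrace. The report does not establish Wine's actual defect, so the model makes no claim about it; it shows the invariant any fix has to keep: a cached pointer into a lockable, moveable block is invalid after a forced unlock or a reallocation and must be re-acquired and checked before the write at the equivalent of edit.c:2629.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

enum { EDIT_OK = 0, EDIT_NOMEM, EDIT_WOULD_FAULT, EDIT_LOCK_UNDERFLOW };

/* Stand-in for an HLOCAL: a moveable block (storage may move when grown) with
 * a lock count kept the way LocalLock/LocalUnlock keep it. */
typedef struct { wchar_t *mem; size_t cap; int locks; } mock_handle;

/* The subset of EDITSTATE the scenario needs; text is a cached pointer that is
 * only valid while lock_count > 0. Field names follow the dump. */
typedef struct { mock_handle *hloc32W; wchar_t *text; int lock_count; size_t text_length; } edit_state;

static wchar_t *mock_lock(mock_handle *h)   { h->locks++; return h->mem; }
static void     mock_unlock(mock_handle *h) { if (h->locks > 0) h->locks--; }

/* Control-side lock: (re)acquire the cached pointer and count the nesting. */
static void edit_lock(edit_state *es)
{
    if (!es->text) es->text = mock_lock(es->hloc32W);
    es->lock_count++;
}

/* Control-side unlock; force releases the lock entirely so the block may move. */
static int edit_unlock(edit_state *es, int force)
{
    if (es->lock_count <= 0 || !es->text) return EDIT_LOCK_UNDERFLOW;
    if (force || es->lock_count == 1) { mock_unlock(es->hloc32W); es->text = NULL; }
    es->lock_count = force ? 0 : es->lock_count - 1;
    return EDIT_OK;
}

/* Model of EM_GETHANDLE: hand the app the handle and drop the control's lock. */
static mock_handle *edit_get_handle(edit_state *es) { edit_unlock(es, 1); return es->hloc32W; }

/* Grow the block. As with LocalReAlloc on a moveable block the storage may
 * move, so the cached pointer is dropped first and is NULL on return. */
static int edit_make_fit(edit_state *es, size_t needed)
{
    if (needed + 1 <= es->hloc32W->cap) return EDIT_OK;
    edit_unlock(es, 1);
    wchar_t *n = realloc(es->hloc32W->mem, (needed + 1) * sizeof *n);
    if (!n) return EDIT_NOMEM;
    es->hloc32W->mem = n; es->hloc32W->cap = needed + 1;
    return EDIT_OK;
}

/* Model of EM_REPLACESEL appending s. With relock == 0 the cached pointer is
 * used as-is after make_fit (the p == NULL situation of the backtrace) and the
 * model reports it instead of faulting; relock == 1 re-acquires and checks it. */
static int edit_replace_sel(edit_state *es, const wchar_t *s, int relock)
{
    size_t strl = wcslen(s), tl = es->text_length;
    int rc = edit_make_fit(es, tl + strl);
    if (rc != EDIT_OK) return rc;
    if (relock) edit_lock(es);
    if (!es->text) return EDIT_WOULD_FAULT;  /* stands for p[strl] = p[0] on NULL */
    wmemcpy(es->text + tl, s, strl + 1);
    es->text_length = tl + strl;
    return EDIT_OK;
}

/* Dispatch as the window procedure does it: lock on entry, unlock on exit. */
static int dispatch_replace_sel(edit_state *es, const wchar_t *s, int relock)
{
    edit_lock(es);
    int rc = edit_replace_sel(es, s, relock);
    edit_unlock(es, 0);  /* underflows if the handler force-unlocked and never relocked */
    return rc;
}

typedef struct { int rc; size_t len; int locks; } scenario_result;

/* The app's sequence from the report against an empty 32-character buffer:
 * EM_GETHANDLE, LocalLock, read, LocalUnlock, then one received line. */
scenario_result run_scenario(int relock)
{
    static const wchar_t line[] =  /* the 81-char lpsz_replace shown in the dump */
        L"10:18:29  R -> NMEA GPRMC,  Size  71,  'Recommended Minimum Specific GNSS Data'\r\n";
    mock_handle h = { calloc(32, sizeof(wchar_t)), 32, 0 };
    edit_state es = { &h, NULL, 0, 0 };

    edit_lock(&es);                          /* EM_GETHANDLE is dispatched ... */
    mock_handle *app_h = edit_get_handle(&es);
    edit_unlock(&es, 0);                     /* ... and its exit unlock finds no lock */
    (void)mock_lock(app_h);                  /* app: LocalLock, reads the text */
    mock_unlock(app_h);                      /* app: LocalUnlock */

    scenario_result r = { dispatch_replace_sel(&es, line, relock), 0, 0 };
    r.len = es.text_length; r.locks = h.locks;
    free(h.mem);
    return r;
}

int main(void)
{
    scenario_result a = run_scenario(0), b = run_scenario(1);
    printf("unchecked rc=%d; relocking rc=%d len=%zu handle locks=%d\n", a.rc, b.rc, b.len, b.locks);
    return 0;
}
```

The unchecked path returns EDIT_WOULD_FAULT as soon as the buffer has to grow, which matches the report's observation that the crash follows EDIT_MakeFit and not the EM_GETHANDLE exchange itself; the relocking path appends the line and leaves both the control's lock_count and the handle's lock count at zero. The same model also shows why the app side of this protocol is fragile: the pointer it obtained from LocalLock points into storage that the control may move on the next growth, so an app that keeps using it after further edit messages has a stale pointer of its own.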