[Bug 26936] Advanced SystemCare 6.4 crashes on startup with divide by zero in LVM_GETCOUNTPERPAGE handler ('LISTVIEW_GetCountPerColumn' doesn't account for zero item height)

wine-bugs at winehq.org
Sat Oct 13 03:27:10 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=26936

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|minor                       |normal
                URL|http://download.iobit.com/a |https://advanced-systemcare
                   |sc-setup.exe                |-free.en.uptodown.com/windo
                   |                            |ws/download/49018
            Summary|Advanced SystemCare: Error  |Advanced SystemCare 6.4
                   |message at start-up         |crashes on startup with
                   |                            |divide by zero in
                   |                            |LVM_GETCOUNTPERPAGE handler
                   |                            |('LISTVIEW_GetCountPerColum
                   |                            |n' doesn't account for zero
                   |                            |item height)
          Component|-unknown                    |comctl32

--- Comment #8 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/IObit/Advanced SystemCare 6

$ WINEDEBUG=+seh,+relay,+win,+msg,+listview wine ./ASC.exe >>log.txt 2>&1
...
002b:Call user32.CreateWindowExW(00000000,0033fbc4
L"TRdListView",00000000,4601504d,0000000f,0000004e,000002fe,00000122,000100e6,00000000,50120000,00000000)
ret=50122db0
002b:trace:win:WIN_CreateWindowEx (null) L"TRdListView" ex=00000000
style=4601504d 15,78 766x290 parent=0x100e6 menu=(nil) inst=0x50120000
params=(nil)
002b:trace:win:dump_window_styles style: WS_CHILD WS_CLIPSIBLINGS
WS_CLIPCHILDREN WS_TABSTOP 0000504d
002b:trace:win:dump_window_styles exstyle:
002b:trace:win:WIN_SetWindowLong 0x100e8 -12 0 W
002b:Call
winex11.drv.WindowPosChanging(000100e8,00000000,00000014,0033f904,0033f904,0033f790,0033f78c)
ret=7e5d5d75
002b:Ret  winex11.drv.WindowPosChanging() retval=00000000 ret=7e5d5d75
002b:trace:win:GetWindowRect hwnd 0x100e8 (1016,177)-(1782,467)
002b:trace:win:invalidate_dce 0x100e8 parent 0x100e6 (1016,177)-(1782,467)
((1001,99)-(1001,99))
002b:trace:win:invalidate_dce 0x801dd: hwnd 0x100e6 dcx 0000001a Cache InUse
002b:trace:win:GetWindowRect hwnd 0x100e6 (1001,99)-(1799,540)
002b:trace:win:make_dc_dirty fixed up 0x801dd hwnd 0x100e6
002b:trace:win:invalidate_dce 0xd0041: hwnd 0x10020 dcx 00000013 Cache 
002b:trace:win:set_window_pos win 0x100e8 surface (nil) -> (nil)
002b:Call
winex11.drv.WindowPosChanged(000100e8,00000000,00000014,0033f904,0033f904,0033f790,00000000,00000000)
ret=7e5d649d
002b:Ret  winex11.drv.WindowPosChanged() retval=00000000 ret=7e5d649d
002b:trace:win:WIN_CreateWindowEx hwnd 0x100e8 cs 15,78 766x290
(15,78)-(781,368) 
...
002b:Call user32.CallWindowProcW(7e0eddb0,000100e8,00000081,00000000,0033fa00)
ret=501d539c
002b:Call window proc 0x7e0eddb0
(hwnd=0x100e8,msg=WM_NCCREATE,wp=00000000,lp=0033fa00)
002b:Call user32.GetWindowLongW(000100e8,00000000) ret=7e0eddf1
002b:Ret  user32.GetWindowLongW() retval=00000000 ret=7e0eddf1
002b:trace:listview:LISTVIEW_WindowProc (hwnd=0x100e8 uMsg=81 wParam=0
lParam=33fa00)
002b:trace:listview:LISTVIEW_NCCreate (lpcs=0x33fa00)
...
002b:trace:listview:LISTVIEW_SaveTextMetrics tmHeight=13 
...
002b:Ret  window proc 0x7e0eddb0
(hwnd=0x100e8,msg=WM_NCCREATE,wp=00000000,lp=0033fa00) retval=00000001
002b:Ret  user32.CallWindowProcW() retval=00000001 ret=501d539c 
...
002b:Call user32.SendMessageW(000100e8,00001004,00000000,00000000) ret=004024ff
002b:Call window proc 0x3d10f6d
(hwnd=0x100e8,msg=LVM_GETITEMCOUNT,wp=00000000,lp=00000000)
002b:Call user32.CallWindowProcW(7e0eddb0,000100e8,00001004,00000000,00000000)
ret=501d539c
002b:Call window proc 0x7e0eddb0
(hwnd=0x100e8,msg=LVM_GETITEMCOUNT,wp=00000000,lp=00000000)
002b:Call user32.GetWindowLongW(000100e8,00000000) ret=7e0eddf1
002b:Ret  user32.GetWindowLongW() retval=0018c970 ret=7e0eddf1
002b:trace:listview:LISTVIEW_WindowProc (hwnd=0x100e8 uMsg=1004 wParam=0
lParam=0)
002b:Ret  window proc 0x7e0eddb0
(hwnd=0x100e8,msg=LVM_GETITEMCOUNT,wp=00000000,lp=00000000) retval=00000000
002b:Ret  user32.CallWindowProcW() retval=00000000 ret=501d539c
002b:Ret  window proc 0x3d10f6d
(hwnd=0x100e8,msg=LVM_GETITEMCOUNT,wp=00000000,lp=00000000) retval=00000000
002b:Ret  user32.SendMessageW() retval=00000000 ret=004024ff 
...
002b:Call user32.SendMessageW(000100e8,00001027,00000000,00000000) ret=0040265f
002b:Call window proc 0x3d10f6d
(hwnd=0x100e8,msg=LVM_GETTOPINDEX,wp=00000000,lp=00000000)
002b:Call user32.CallWindowProcW(7e0eddb0,000100e8,00001027,00000000,00000000)
ret=501d539c
002b:Call window proc 0x7e0eddb0
(hwnd=0x100e8,msg=LVM_GETTOPINDEX,wp=00000000,lp=00000000)
002b:Call user32.GetWindowLongW(000100e8,00000000) ret=7e0eddf1
002b:Ret  user32.GetWindowLongW() retval=0018c970 ret=7e0eddf1
002b:trace:listview:LISTVIEW_WindowProc (hwnd=0x100e8 uMsg=1027 wParam=0
lParam=0)
002b:Call user32.GetScrollInfo(000100e8,00000001,0033ef24) ret=00448c31
002b:Ret  user32.GetScrollInfo() retval=00000000 ret=00448c31
002b:trace:listview:LISTVIEW_GetTopIndex nItem=0
002b:Ret  window proc 0x7e0eddb0
(hwnd=0x100e8,msg=LVM_GETTOPINDEX,wp=00000000,lp=00000000) retval=00000000
002b:Ret  user32.CallWindowProcW() retval=00000000 ret=501d539c
002b:Ret  window proc 0x3d10f6d
(hwnd=0x100e8,msg=LVM_GETTOPINDEX,wp=00000000,lp=00000000) retval=00000000
002b:Ret  user32.SendMessageW() retval=00000000 ret=0040265f 
002b:Call user32.SendMessageW(000100e8,00001028,00000000,00000000) ret=0040266f
002b:Call window proc 0x3d10f6d
(hwnd=0x100e8,msg=LVM_GETCOUNTPERPAGE,wp=00000000,lp=00000000)
002b:Call user32.CallWindowProcW(7e0eddb0,000100e8,00001028,00000000,00000000)
ret=501d539c
002b:Call window proc 0x7e0eddb0
(hwnd=0x100e8,msg=LVM_GETCOUNTPERPAGE,wp=00000000,lp=00000000)
002b:Call user32.GetWindowLongW(000100e8,00000000) ret=7e0eddf1
002b:Ret  user32.GetWindowLongW() retval=0018c970 ret=7e0eddf1
002b:trace:listview:LISTVIEW_WindowProc (hwnd=0x100e8 uMsg=1028 wParam=0
lParam=0)
002b:trace:seh:raise_exception code=c0000094 flags=0 addr=0x7e0f091c
ip=7e0f091c tid=002b
002b:trace:seh:raise_exception  eax=00000000 ebx=7e172000 ecx=00000001
edx=00000000 esi=00001028 edi=0018c970
002b:trace:seh:raise_exception  ebp=0033f028 esp=0033ef60 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
002b:trace:seh:call_stack_handlers calling handler at 0x453b7e code=c0000094
flags=0
002b:trace:seh:call_stack_handlers handler at 0x453b7e returned 1
002b:trace:seh:call_stack_handlers calling handler at 0x501d49cf code=c0000094
flags=0
002b:trace:seh:call_stack_handlers handler at 0x501d49cf returned 1
002b:trace:seh:call_stack_handlers calling handler at 0x501d49e0 code=c0000094
flags=0
002b:trace:seh:__regs_RtlUnwind code=c0000094 flags=2
002b:trace:seh:__regs_RtlUnwind eax=00000000 ebx=0033eb40 ecx=7e0f091c
edx=0033f344 esi=0033f344 edi=0033ef08
002b:trace:seh:__regs_RtlUnwind ebp=0033eb58 esp=0033eb0c eip=50007a14 cs=0023
ds=002b fs=0063 gs=006b flags=00000246
002b:trace:seh:__regs_RtlUnwind calling handler at 0x7bc81810 code=c0000094
flags=2
002b:trace:seh:__regs_RtlUnwind handler at 0x7bc81810 returned 1
002b:trace:seh:__regs_RtlUnwind calling handler at 0x453b7e code=c0000094
flags=2
002b:trace:seh:__regs_RtlUnwind handler at 0x50007c70 returned 1
002b:trace:seh:__regs_RtlUnwind calling handler at 0x501d49cf code=c0000094
flags=2
002b:trace:seh:__regs_RtlUnwind handler at 0x50007c70 returned 1
...
--- snip ---

The divide-by-zero exception is internally caught by the madCodeHook library.

--- snip ---
Wine-dbg>disas
0x7e0f090d LISTVIEW_WindowProc+0x2b5d
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1806] in
comctl32: movl    0xffffff5c(%ebp),%edx
0x7e0f0913 LISTVIEW_WindowProc+0x2b63
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1806] in
comctl32: movl    0x10(%edx),%eax
0x7e0f0916 LISTVIEW_WindowProc+0x2b66
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1806] in
comctl32: subl    0x8(%edx),%eax
0x7e0f0919 LISTVIEW_WindowProc+0x2b69
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1808] in
comctl32: movl    %edx,%edi
0x7e0f091b LISTVIEW_WindowProc+0x2b6b
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1808] in
comctl32: cdq    
0x7e0f091c LISTVIEW_WindowProc+0x2b6c
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1808] in
comctl32: idivl    0x54(%edi),%eax
0x7e0f091f LISTVIEW_WindowProc+0x2b6f
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1808] in
comctl32: testl    %eax,%eax
0x7e0f0921 LISTVIEW_WindowProc+0x2b71
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1808] in
comctl32: cmovnle    %eax,%ecx
0x7e0f0924 LISTVIEW_WindowProc+0x2b74
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:1808] in
comctl32: jmp    0x7e0edec4 LISTVIEW_WindowProc+0x114
[/home/focht/projects/wine/mainline-src/dlls/comctl32/listview.c:11817] in
comctl32

Wine-dbg>n
1808        return max(nListHeight / infoPtr->nItemHeight, 1);
--- snip ---

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/comctl32/listview.c#l1793

--- snip ---
1793 /***
1794  * DESCRIPTION:
1795  * Retrieves the number of items that can fit horizontally in the client
1796  * area.
1797  *
1798  * PARAMETER(S):
1799  * [I] infoPtr : valid pointer to the listview structure
1800  *
1801  * RETURN:
1802  * Number of items per column.
1803  */
1804 static inline INT LISTVIEW_GetCountPerColumn(const LISTVIEW_INFO *infoPtr)
1805 {
1806     INT nListHeight = infoPtr->rcList.bottom - infoPtr->rcList.top;
1807 
1808     return max(nListHeight / infoPtr->nItemHeight, 1);
1809 }
--- snip ---

Interestingly, the preceding function 'LISTVIEW_GetCountPerRow' has a safeguard
for this case. Why not do the same here? It fixes the crash and lets the app
start.

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/comctl32/listview.c#l1776

--- snip ---
1776 /***
1777  * DESCRIPTION:
1778  * Retrieves the number of items that can fit vertically in the client area.
1779  *
1780  * PARAMETER(S):
1781  * [I] infoPtr : valid pointer to the listview structure
1782  *
1783  * RETURN:
1784  * Number of items per row.
1785  */
1786 static inline INT LISTVIEW_GetCountPerRow(const LISTVIEW_INFO *infoPtr)
1787 {
1788     INT nListWidth = infoPtr->rcList.right - infoPtr->rcList.left;
1789 
1790     return max(nListWidth/(infoPtr->nItemWidth ? infoPtr->nItemWidth : 1), 1);
1791 }
--- snip ---

ProtectionID scan for documentation:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files\IObit\Advanced SystemCare 6\ASC.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 4057920 (03DEB40h)
Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x521C5412 -> Tue 27th Aug 2013 07:24:02 (GMT)
[TimeStamp] 0x521C5412 -> Tue 27th Aug 2013 07:24:02 (GMT) | PE Header | - |
Offset: 0x00000108 | VA: 0x00400108 | -
-> File Appears to be Digitally Signed @ Offset 03DD200h, size : 01940h / 06464
byte(s)
[File Heuristics] -> Flag #1 : 00000000000001001100000000100101 (0x0004C025)
[Entrypoint Section Entropy] : 5.92 (section #1) ".itext  " | Size : 0x1A60
(6752) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 7 (0x7) | ImageSize 0x3E4000 (4079616) byte(s)
[VersionInfo] Company Name : IObit
[VersionInfo] Product Name : Advanced SystemCare 6
[VersionInfo] Product Version : 6.4
[VersionInfo] File Description : Advanced SystemCare 6
[VersionInfo] File Version : 6.4.0.292
[VersionInfo] Original FileName : ASC.exe
[VersionInfo] Internal Name : ASC
[VersionInfo] Legal Trademarks : IObit
[VersionInfo] Legal Copyrights : Copyright© 2005-2013
[ModuleReport] [IAT] Modules -> rtl120.bpl | kernel32.dll | kernel32.dll |
madExcept_.bpl | user32.dll | msimg32.dll | gdi32.dll | version.dll | mpr.dll |
kernel32.dll | advapi32.dll | rtl120.bpl | madBasic_.bpl | madBasic_.bpl |
madExcept_.bpl | madDisAsm_.bpl | madExcept_.bpl | shell32.dll | shell32.dll |
URLMON.DLL | rtl120.bpl | ole32.dll | wininet.dll | comctl32.dll |
madExcept_.bpl | madExcept_.bpl | madExcept_.bpl | madExcept_.bpl | vcl120.bpl
| rtl120.bpl | rtl120.bpl | rtl120.bpl | rtl120.bpl | kernel32.dll | rtl120.bpl
| rtl120.bpl | rtl120.bpl | rtl120.bpl | rtl120.bpl | rtl120.bpl | rtl120.bpl |
rtl120.bpl | vcl120.bpl | vcl120.bpl | vcl120.bpl | vcl120.bpl | rtl120.bpl |
rtl120.bpl | vcl120.bpl | vcl120.bpl | rtl120.bpl | vcl120.bpl | rtl120.bpl |
rtl120.bpl | vcl120.bpl | vcl120.bpl | vcl120.bpl | rtl120.bpl | vcl120.bpl |
vcl120.bpl | vcl120.bpl | vcl120.bpl | vcl120.bpl | vcl120.bpl | vcl120.bpl |
vcl120.bpl | vcl120.bpl | rtl120.bpl | rtl120.bpl | rtl120.bpl | rtl120.bpl |
vcl120.bpl | winmm.dll | rtl120.bpl | rtl120.bpl | rtl120.bpl | ole32.dll |
shell32.dll | vclx120.bpl | advapi32.dll | vclx120.bpl | webres.dll |
rtl120.bpl | datastate.dll | PowerConfig.dll | Scan.dll | cabinet.dll |
vcl120.bpl | ole32.dll | sdlib.dll | sdcore.dll | sqlite3.dll | kernel32.dll |
shell32.dll | vcl120.bpl
[CdKeySerial] found "Invalid code" @ VA: 0x00224A37 / Offset: 0x00222E37
[CompilerDetect] -> Borland Delphi (unknown version) - 80% probability
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 1.451 Second(s) [00000060Dh (1549) tick(s)] [506 of 580 scan(s)
done]
--- snip ---

$ sha1sum advanced-systemcare-free-6-4-0-es-en-br-fr-de-it-win.exe 
8535ed1ab74d7b9547c7d47e75b9159076527253 
advanced-systemcare-free-6-4-0-es-en-br-fr-de-it-win.exe

$ du -sh advanced-systemcare-free-6-4-0-es-en-br-fr-de-it-win.exe 
23M    advanced-systemcare-free-6-4-0-es-en-br-fr-de-it-win.exe

$ wine --version
wine-3.18

Regards
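
Added example (not part of the original comment and not Wine's own code): the quoted 'LISTVIEW_GetCountPerColumn' body next to a variant that applies the divisor guard 'LISTVIEW_GetCountPerRow' already uses. The reduced LISTVIEW_INFO struct, the function names, make_info() and the 766x290 list area (borrowed from the window size in the trace) are assumptions made for illustration.

```c
#include <stdio.h>

/* Stand-ins for the Win32/Wine types; only the fields used here (assumed layout). */
typedef int INT;
typedef struct { INT left, top, right, bottom; } RECT;
typedef struct {
    RECT rcList;       /* list client area */
    INT  nItemWidth;
    INT  nItemHeight;  /* 0 in the crashing call */
} LISTVIEW_INFO;

#define max(a, b) (((a) > (b)) ? (a) : (b))

/* As quoted from listview.c:1804-1809: traps (idivl, c0000094) when nItemHeight == 0. */
static inline INT count_per_column_unguarded(const LISTVIEW_INFO *infoPtr)
{
    INT nListHeight = infoPtr->rcList.bottom - infoPtr->rcList.top;

    return max(nListHeight / infoPtr->nItemHeight, 1);
}

/* Same guard LISTVIEW_GetCountPerRow applies to nItemWidth: a zero divisor becomes 1. */
static inline INT count_per_column_guarded(const LISTVIEW_INFO *infoPtr)
{
    INT nListHeight = infoPtr->rcList.bottom - infoPtr->rcList.top;

    return max(nListHeight / (infoPtr->nItemHeight ? infoPtr->nItemHeight : 1), 1);
}

/* Constructed control state: 766x290 list area, configurable item height. */
static LISTVIEW_INFO make_info(INT item_height)
{
    LISTVIEW_INFO info = { { 0, 0, 766, 290 }, 0, item_height };
    return info;
}

int main(void)
{
    LISTVIEW_INFO zero = make_info(0), normal = make_info(13);

    printf("guarded,   height 0:  %d\n", count_per_column_guarded(&zero));
    printf("guarded,   height 13: %d\n", count_per_column_guarded(&normal));
    printf("unguarded, height 13: %d\n", count_per_column_unguarded(&normal));
    /* count_per_column_unguarded(&zero) is deliberately not called: it would raise SIGFPE. */
    return 0;
}
```

With a zero item height the guarded variant returns the list height in pixels (290 here) instead of faulting. The comment does not establish what native comctl32 returns in that state, so that value is a stability fix rather than a verified match.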
