[Bug 49062] New: Dolphin EasyReader for Windows 6.04 (TTS app) crashes on startup

Thu Apr 30 14:01:36 CDT 2020

https://bugs.winehq.org/show_bug.cgi?id=49062

            Bug ID: 49062
           Summary: Dolphin EasyReader for Windows 6.04 (TTS app) crashes
                    on startup
           Product: Wine
           Version: 5.7
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mshtml
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

found a crash report by a user (pastebin) but can't remember where it was
linked from/mentioned. WineHQ forums maybe?

https://pastebin.com/1ShBrrDs

Vendor website:

https://yourdolphin.com/en-gb/support/legacy-demos ("EasyReader for Windows
6.04 Legacy Downloads")

Download:

https://yourdolphin.com/downloads/product?demo=true&lid=1&pvid=9 

https://web.archive.org/web/20200430183420/https://yourdolphin.com/downloads/product?demo=true&lid=1&pvid=9

Trace log:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Dolphin/EasyReader604

$ WINEDEBUG=+seh,+relay,+mshtml,+ieframe wine ./Dolphin\ EasyReader.exe
>>log.txt 2>&1
...
003f:trace:ieframe:WebBrowser_get_Document (02831D18)->(0032D4B0)
003f:trace:mshtml:HTMLDocumentObj_QueryInterface (0284F3D8)->(IID_IDispatch
0032D480)
003f:trace:mshtml:HTMLDocumentObj_AddRef (0284F3D8) ref = 3
003f:trace:mshtml:HTMLDocumentObj_QueryInterface
(0284F3D8)->(IID_IHTMLDocument2 0032D47C)
003f:trace:mshtml:HTMLDocumentObj_AddRef (0284F3D8) ref = 4
003f:trace:mshtml:HTMLDocumentObj_Release (0284F3D8) ref = 3
003f:trace:mshtml:HTMLDocumentObj_QueryInterface
(0284F3D8)->(IID_IHTMLDocument2 0032D4AC)
003f:trace:mshtml:HTMLDocumentObj_AddRef (0284F3D8) ref = 4
003f:Call oleaut32.VariantInit(0032d4b8) ret=0044d38e
003f:Ret  oleaut32.VariantInit() retval=01bd4080 ret=0044d38e
003f:trace:mshtml:HTMLDocument_get_bgColor (0284F3D8)->(0032D4B8)
003f:trace:mshtml:HTMLDocument_get_body (0284F3D8)->(0032D480)
003f:trace:mshtml:HTMLDOMNode_AddRef (06584328) ref=4
003f:trace:mshtml:HTMLDOMNode_AddRef (06584328) ref=5
003f:trace:mshtml:HTMLDOMNode_Release (06584328) ref=4
003f:trace:mshtml:HTMLBodyElement_QI (06584328)->(IID_IHTMLBodyElement
0032D47C)
003f:trace:mshtml:HTMLDOMNode_AddRef (06584328) ref=5
003f:trace:mshtml:HTMLBodyElement_get_bgColor (06584328)->(0032D4B8)
003f:trace:mshtml:HTMLDOMNode_Release (06584328) ref=4
003f:trace:mshtml:HTMLDOMNode_Release (06584328) ref=3
003f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x402c80 ip=00402c80
tid=003f
003f:trace:seh:raise_exception  info[0]=00000000
003f:trace:seh:raise_exception  info[1]=00000000
003f:trace:seh:raise_exception  eax=00000000 ebx=00000000 ecx=00000000
edx=00000000 esi=0032d570 edi=00000002
003f:trace:seh:raise_exception  ebp=0032d5a4 esp=0032d490 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
003f:trace:seh:call_vectored_handlers calling handler at 0x6ca5bba0
code=c0000005 flags=0
003f:trace:seh:call_vectored_handlers handler at 0x6ca5bba0 returned 0
003f:trace:seh:call_vectored_handlers calling handler at 0x661e99a0
code=c0000005 flags=0
003f:trace:seh:call_vectored_handlers handler at 0x661e99a0 returned 0
003f:trace:seh:call_vectored_handlers calling handler at 0x70aa8710
code=c0000005 flags=0
003f:trace:seh:call_vectored_handlers handler at 0x70aa8710 returned 0
003f:trace:seh:call_stack_handlers calling handler at 0x7e0609 code=c0000005
flags=0
003f:Call KERNEL32.GetLastError() ret=0067247d
003f:Ret  KERNEL32.GetLastError() retval=00000000 ret=0067247d
003f:trace:seh:call_stack_handlers handler at 0x7e0609 returned 1  
--- snip ---

The app code:

--- snip ---
0044D383 | lea ecx,dword ptr ss:[esp+1C]      |
0044D387 | push ecx                           |
0044D388 | call dword ptr ds:[<&VariantInit>] |
0044D38E | mov eax,dword ptr ss:[esp+10]      |
0044D392 | mov edx,dword ptr ds:[eax]         |
0044D394 | mov edx,dword ptr ds:[edx+74]      |
0044D397 | lea ecx,dword ptr ss:[esp+1C]      |
0044D39B | push ecx                           |
0044D39C | push eax                           |
0044D39D | call edx                           | HTMLDocument_get_bgColor
0044D39F | mov ax,word ptr ss:[esp+1C]        |
0044D3A4 | cmp ax,8                           | vt == VT_BSTR?
0044D3A8 | jne dolphin easyreader.44D4DC      |
0044D3A8 | jne dolphin easyreader.44D4DC      |
0044D3AE | mov eax,dword ptr ss:[esp+24]      | val
0044D3B2 | lea ecx,dword ptr ss:[esp+D4]      |
0044D3B9 | call dolphin easyreader.402C60     | *crash proc*
0044D3BE | mov dword ptr ss:[esp+100],ebx     |
0044D3C5 | cmp dword ptr ss:[esp+E8],ebx      |
0044D3CC | jbe dolphin easyreader.44D4C3      |
...
00402C60 | push esi                           |
00402C61 | mov esi,ecx                        |
00402C63 | xor ecx,ecx                        |
00402C65 | mov dword ptr ds:[esi+18],7        |
00402C6C | mov dword ptr ds:[esi+14],0        |
00402C73 | mov word ptr ds:[esi+4],cx         |
00402C77 | mov ecx,eax                        |
00402C79 | push edi                           |
00402C7A | lea edi,dword ptr ds:[ecx+2]       |
00402C7D | lea ecx,dword ptr ds:[ecx]         | *boom*
00402C80 | mov dx,word ptr ds:[ecx]           |
00402C83 | add ecx,2                          |
00402C86 | test dx,dx                         |
00402C89 | jne dolphin easyreader.402C80      |
00402C8B | sub ecx,edi                        |
00402C8D | sar ecx,1                          |
00402C8F | push ecx                           |
00402C90 | call dolphin easyreader.403590     |
00402C95 | pop edi                            |
00402C96 | mov eax,esi                        |
00402C98 | pop esi                            |
00402C99 | ret                                |
...
--- snip ---

--- snip ---
$+1C    0031D5F8   00000008 ; vt = VT_BSTR, wReserved1
$+20    0031D5FC   0031D620 ; wReserved2, wReserved3
$+24    0031D600   00000000 ; value = NULL
--- snip ---

Looks like the app gets a NULL bstr from 'HTMLBodyElement::get_bgColor'. The
app code doesn't really do error checking, except for vt == 8 (VT_BSTR) and
accesses variant value (BSTR) directly. I would have expected at least an empty
bstr since the property/method returned S_OK.

https://source.winehq.org/git/wine.git/blob/cf8a6eb2769d2c4ba5bb837d29db89f6b88706ae:/dlls/mshtml/htmlbody.c#l407

--- snip ---
 407 static HRESULT WINAPI HTMLBodyElement_get_bgColor(IHTMLBodyElement *iface,
VARIANT *p)
 408 {
 409     HTMLBodyElement *This = impl_from_IHTMLBodyElement(iface);
 410     nsAString strColor;
 411     nsresult nsres;
 412     HRESULT hres;
 413 
 414     TRACE("(%p)->(%p)\n", This, p);
 415 
 416     nsAString_Init(&strColor, NULL);
 417     nsres = nsIDOMHTMLBodyElement_GetBgColor(This->nsbody, &strColor);
 418     if(NS_SUCCEEDED(nsres)) {
 419         const PRUnichar *color;
 420 
 421         nsAString_GetData(&strColor, &color);
 422         V_VT(p) = VT_BSTR;
 423         hres = nscolor_to_str(color, &V_BSTR(p));
 424     }else {
 425         ERR("SetBgColor failed: %08x\n", nsres);
 426         hres = E_FAIL;
 427     }
 428 
 429     nsAString_Finish(&strColor);
 430     return hres;
 431 }
--- snip ---

'nsIDOMHTMLBodyElement_GetBgColor' obviously succeeded.

https://source.winehq.org/git/wine.git/blob/cf8a6eb2769d2c4ba5bb837d29db89f6b88706ae:/dlls/mshtml/htmlbody.c#l185

https://source.winehq.org/git/wine.git/blob/cf8a6eb2769d2c4ba5bb837d29db89f6b88706ae:/dlls/mshtml/htmlbody.c#l130

While at it, small thing: trace messages for 'get_bgColor' refer to
'SetBgColor'. Probably copy/pasta.

$ sha1sum EasyReader_for_Windows_6.04_English_\(United_Kingdom\)_DEMO.exe 
19d0911a8b05bb0966ce80e2c0e62c48cd039c2c 
EasyReader_for_Windows_6.04_English_(United_Kingdom)_DEMO.exe

$ du -sh EasyReader_for_Windows_6.04_English_\(United_Kingdom\)_DEMO.exe 
104M    EasyReader_for_Windows_6.04_English_(United_Kingdom)_DEMO.exe

$ wine --version
wine-5.7-118-gcf8a6eb276

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.