[Bug 50331] New: WISE-based installers may create paths with special characters such as colon ':' which are invalid on Windows (Mario Forever 5.0)

WineHQ Bugzilla wine-bugs at winehq.org
Mon Dec 14 15:13:00 CST 2020 

https://bugs.winehq.org/show_bug.cgi?id=50331

            Bug ID: 50331
           Summary: WISE-based installers may create paths with special
                    characters such as colon ':' which are invalid on
                    Windows (Mario Forever 5.0)
           Product: Wine
           Version: 6.0-rc2
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

while looking at bug 48895 I've noticed that the WISE-based installer creates a
directory structure/path which should not exist. Such paths would be invalid on
Windows.

Download:

https://web.archive.org/web/20111101054124/http://www.softendo.com/mario_games_4/Install_Mario_Forever_v5_0.exe

-- snip ---
$ ll .wine/drive_c/
total 24
drwxrwxr-x.  3 focht focht 4096 Dec 14 19:53  C:
drwxrwxr-x.  3 focht focht 4096 Dec 14 19:53  ProgramData
drwxrwxr-x.  6 focht focht 4096 Dec 14 19:52 'Program Files'
drwxrwxr-x.  7 focht focht 4096 Dec 14 19:53 'Program Files (x86)'
drwxrwxr-x.  4 focht focht 4096 Dec 14 19:53  users
drwxrwxr-x. 17 focht focht 4096 Dec 14 19:53  windows
--- snip ---

--- snip ---
$ tree .wine/drive_c/C:
.wine/drive_c/C:
└── users
    └── focht
        └── Temp
            └── INSTALL.LOG

3 directories, 1 file
--- snip ---

Yay.

'C:\\users\\focht\\Temp\\INSTALL.LOG' = ok 
'C:\\C:\\users\\focht\\Temp\\INSTALL.LOG' = invalid

--- snip ---
$ WINEDEBUG=+seh,+relay wine ./Install_Mario_Forever_v5_0.exe >>log.txt 2>&1
...
00dc:Call KERNEL32.CreateProcessA(00000000,00feb3a0 "\"C:\\Program Files
(x86)\\softendo.com\\Mario Forever 5.0\\Data\\Mario
Forever.exe\"",00000000,00000000,00000001,00000020,00000000,00000000,0031fa14,0031fa04)
ret=00402d64 
...
00dc:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=00402d64
...
0164:Call KERNEL32.CreateProcessA(0031fdb0
"C:\\users\\focht\\Temp\\GLB3623.tmp",0031f9a0
"C:\\users\\focht\\Temp\\GLB3623.tmp \x7f4736
C:\\PROG~5P2\\softendo.com\\MARI~UTU.0\\Data\\MARI~QXO.EXE",00000000,00000000,00000000,00000000,00000000,00000000,0031feb4,0031fef8)
ret=004011ca 
...
0164:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=004011ca
...
016c:Call KERNEL32.LoadLibraryA(0031fdec "C:\\users\\focht\\Temp\\GLC378f.tmp")
ret=0040264d
...
016c:Ret  PE DLL (proc=00BBA469,module=00BA0000
L"GLC378f.tmp",reason=PROCESS_ATTACH,res=00000000) retval=1
016c:Ret  ntdll.LdrLoadDll() retval=00000000 ret=7b01bdfc
016c:Call ntdll.RtlReleasePath(00183048) ret=7b01be33
016c:Ret  ntdll.RtlReleasePath() retval=00000001 ret=7b01be33
016c:Ret  KERNEL32.LoadLibraryA() retval=00ba0000 ret=0040264d
016c:Call KERNEL32.GetProcAddress(00ba0000,00405250 "WiseMain") ret=00402661
016c:Ret  KERNEL32.GetProcAddress() retval=00ba100f ret=00402661
016c:Call KERNEL32.GetProcAddress(00ba0000,00405240 "UpdateScreen")
ret=0040266e
016c:Ret  KERNEL32.GetProcAddress() retval=00bac865 ret=0040266e
016c:Call KERNEL32.GetProcAddress(00ba0000,00405230 "DisplayGraphics")
ret=0040267b
016c:Ret  KERNEL32.GetProcAddress() retval=00ba2a6f ret=0040267b
016c:Call KERNEL32.GetProcAddress(00ba0000,00405224 "DiskPrompt") ret=00402688
016c:Ret  KERNEL32.GetProcAddress() retval=00bad303 ret=00402688
016c:Call KERNEL32.GetProcAddress(00ba0000,00405218 "FileWrite") ret=00402695
016c:Ret  KERNEL32.GetProcAddress() retval=00bb4119 ret=00402695
016c:Call KERNEL32.GetProcAddress(00ba0000,0040520c "HandleFtp") ret=004026a2
016c:Ret  KERNEL32.GetProcAddress() retval=00bac84a ret=004026a2
...
016c:Call KERNEL32.lstrcpyA(011e1036,0031dad0 "%MAINDIR%") ret=00bb234b
016c:Ret  KERNEL32.lstrcpyA() retval=011e1036 ret=00bb234b
016c:Call KERNEL32.lstrcpyA(011eaf58,011c2db0 "C:\\users\\focht\\Temp")
ret=00bb2435
016c:Ret  KERNEL32.lstrcpyA() retval=011eaf58 ret=00bb2435
...
016c:Call KERNEL32.lstrcpyA(011b0ad8,001808a4 "%MAINDIR%\\INSTALL.LOG")
ret=00bab871
016c:Ret  KERNEL32.lstrcpyA() retval=011b0ad8 ret=00bab871
...
016c:Call KERNEL32.lstrlenA(011e1036 "%MAINDIR%") ret=00baae75
016c:Ret  KERNEL32.lstrlenA() retval=00000009 ret=00baae75
016c:Call KERNEL32.lstrlenA(0031f4a1 "\\INSTALL.LOG") ret=00baae7d
016c:Ret  KERNEL32.lstrlenA() retval=0000000c ret=00baae7d
016c:Call KERNEL32.lstrlenA(011eaf58 "C:\\C:\\users\\focht\\Temp") ret=00baae8d
016c:Ret  KERNEL32.lstrlenA() retval=00000016 ret=00baae8d
016c:Call KERNEL32.lstrlenA(011eaf58 "C:\\C:\\users\\focht\\Temp") ret=00baaeb9
016c:Ret  KERNEL32.lstrlenA() retval=00000016 ret=00baaeb9
...
016c:Call KERNEL32.lstrcpyA(0031f364,0031f498
"C:\\C:\\users\\focht\\Temp\\INSTALL.LOG") ret=00bacb03
016c:Ret  KERNEL32.lstrcpyA() retval=0031f364 ret=00bacb03
016c:Call user32.CharNextA(0031f364 "C:\\C:\\users\\focht\\Temp\\INSTALL.LOG")
ret=00bb699d
016c:Ret  user32.CharNextA() retval=0031f365 ret=00bb699d
016c:Call user32.CharNextA(0031f365 ":\\C:\\users\\focht\\Temp\\INSTALL.LOG")
ret=00bb699d
016c:Ret  user32.CharNextA() retval=0031f366 ret=00bb699d
016c:Call KERNEL32.CreateDirectoryA(0031f364 "C:",00000000) ret=00bac978
...
016c:Call ntdll.RtlNtStatusToDosError(c0000035) ret=7b013301
016c:Ret  ntdll.RtlNtStatusToDosError() retval=000000b7 ret=7b013301
016c:Ret  KERNEL32.CreateDirectoryA() retval=00000000 ret=00bac978
016c:Call user32.CharNextA(0031f367 "C:\\users\\focht\\Temp\\INSTALL.LOG")
ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f368 ret=00bac95f
016c:Call user32.CharNextA(0031f368 ":\\users\\focht\\Temp\\INSTALL.LOG")
ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f369 ret=00bac95f
016c:Call KERNEL32.CreateDirectoryA(0031f364 "C:\\C:",00000000) ret=00bac978
016c:Ret  KERNEL32.CreateDirectoryA() retval=00000001 ret=00bac978
016c:Call KERNEL32.lstrlenA(0031f23c "Made Dir: C:\\C:\r\n") ret=00bac9cc
...
016c:Call user32.CharNextA(0031f36a "users\\focht\\Temp\\INSTALL.LOG")
ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f36b ret=00bac95f
016c:Call user32.CharNextA(0031f36b "sers\\focht\\Temp\\INSTALL.LOG")
ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f36c ret=00bac95f
016c:Call user32.CharNextA(0031f36c "ers\\focht\\Temp\\INSTALL.LOG")
ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f36d ret=00bac95f
016c:Call user32.CharNextA(0031f36d "rs\\focht\\Temp\\INSTALL.LOG")
ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f36e ret=00bac95f
016c:Call user32.CharNextA(0031f36e "s\\focht\\Temp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f36f ret=00bac95f
016c:Call KERNEL32.CreateDirectoryA(0031f364 "C:\\C:\\users",00000000)
ret=00bac978
...
016c:Ret  KERNEL32.CreateDirectoryA() retval=00000001 ret=00bac978
016c:Call KERNEL32.lstrlenA(0031f23c "Made Dir: C:\\C:\\users\r\n")
ret=00bac9cc
...
016c:Call user32.CharNextA(0031f370 "focht\\Temp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f371 ret=00bac95f
016c:Call user32.CharNextA(0031f371 "ocht\\Temp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f372 ret=00bac95f
016c:Call user32.CharNextA(0031f372 "cht\\Temp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f373 ret=00bac95f
016c:Call user32.CharNextA(0031f373 "ht\\Temp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f374 ret=00bac95f
016c:Call user32.CharNextA(0031f374 "t\\Temp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f375 ret=00bac95f
016c:Call KERNEL32.CreateDirectoryA(0031f364 "C:\\C:\\users\\focht",00000000)
ret=00bac978
016c:Ret  KERNEL32.CreateDirectoryA() retval=00000001 ret=00bac978
016c:Call KERNEL32.lstrlenA(0031f23c "Made Dir: C:\\C:\\users\r\n")
ret=00bac9cc
...
016c:Call user32.CharNextA(0031f376 "Temp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f377 ret=00bac95f
016c:Call user32.CharNextA(0031f377 "emp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f378 ret=00bac95f
016c:Call user32.CharNextA(0031f378 "mp\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f379 ret=00bac95f
016c:Call user32.CharNextA(0031f379 "p\\INSTALL.LOG") ret=00bac95f
016c:Ret  user32.CharNextA() retval=0031f37a ret=00bac95f
016c:Call KERNEL32.CreateDirectoryA(0031f364
"C:\\C:\\users\\focht\\Temp",00000000) ret=00bac978
016c:Ret  KERNEL32.CreateDirectoryA() retval=00000001 ret=00bac978
016c:Call KERNEL32.lstrlenA(0031f23c "Made Dir: C:\\C:\\users\\focht\r\n")
ret=00bac9cc
...
016c:Call KERNEL32.SetFileAttributesA(0031f364
"C:\\C:\\users\\focht\\Temp\\INSTALL.LOG",00000000) ret=00bacb33
016c:Ret  KERNEL32.SetFileAttributesA() retval=00000000 ret=00bacb33
...
016c:Call KERNEL32.CreateFileA(0031f364
"C:\\C:\\users\\focht\\Temp\\INSTALL.LOG",40000000,00000000,00000000,00000003,00000080,00000000)
ret=00bb40c9
016c:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=00bb40c9
...
016c:Call KERNEL32.CreateFileA(0031f364
"C:\\C:\\users\\focht\\Temp\\INSTALL.LOG",40000000,00000000,00000000,00000002,00000080,00000000)
ret=00bb40c9
016c:Ret  KERNEL32.CreateFileA() retval=000000a8 ret=00bb40c9
--- snip ---

Content of the file:

--- snip ---
***  Installation Started 12/14/2020 22:00  ***
Title: Mario Forever Toolbar
Source: C:\users\focht\Temp\GLBe5e0.tmp | 12-14-2020 | 22:00:00 | 71680
--- snip ---

There is some brain damage in the Wise Installation Wizard helper module which
leads to the (invalid) path 'C:\\C:\\users\\focht\\Temp\\INSTALL.LOG' ->
installer bug.

Using that invalid path as input, the installer code will try to recursively
create the directory hierarchy. It forward-searches the path string for
backlash '\\' and temporarily puts a NULL-terminator in place of it. It then
calls 'CreateDirectoryA' on it. Afterwards it puts the backslash back and
searches further until the last backlash. See the trace log.

Although there is no limitation on Linux, Wine shouldn't allow the creation of
directories/paths which contain special characters such as colon ':' (drive
delimiter).

I've made this issue 'minor' for now because it doesn't affect the installer
itself. Regarding the log file content: nothing of value would be lost. The
browser toolbar (also search engine redirector) is garbage anyway. Borderline
malware.

$ sha1sum Install_Mario_Forever_v5_0.exe 
af961a2a63f1380731c0f9cb7dc8a0e1447b1618  Install_Mario_Forever_v5_0.exe

$ du -sh Install_Mario_Forever_v5_0.exe 
17M    Install_Mario_Forever_v5_0.exe

$ wine --version
wine-6.0-rc2

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list