[Bug 48018] QuickTime 7.0.x installer fails, 'rundll32.exe "C:\Program Files (x86)\QuickTime\QTSystem\QTJava.dll,QTPostInstallProc"' crashes due to invalid cdecl dll entry
WineHQ Bugzilla
wine-bugs at winehq.org
Fri Jan 10 07:25:20 CST 2020
https://bugs.winehq.org/show_bug.cgi?id=48018
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |focht at gmx.net
URL|http://www.oldversion.com/download/quicktime704.exe |https://web.archive.org/web/20110221145059/http://www.oldversion.com/download/quicktime704.exe
Component|-unknown |programs
Resolution|FIXED |---
Status|RESOLVED |REOPENED
Summary|QuickTime 7.0.x installer fails |QuickTime 7.0.x installer fails, 'rundll32.exe "C:\Program Files (x86)\QuickTime\QTSystem\QTJava.dll,QTPostInstallProc"' crashes due to invalid cdecl dll entry
--- Comment #5 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
It crashes reliably for me in a clean 64-bit WINEPREFIX.
--- snip ---
$ wine ./quicktime704.exe
...
wine: Unhandled page fault on read access to 00000002 at address 00000002
(thread 00ad:err:msi:execute_script Execution of script 0 halted; action
L"QTJava_QTPostInstallProc" returned 1627
00ad:err:msi:ITERATE_Actions Execution halted, action L"InstallFinalize"
returned 1627
...
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:00000002 ESP:0032fea0 EBP:00000000 EFLAGS:00010202( R- -- I - - - )
EAX:00000000 EBX:68033790 ECX:0032fce0 EDX:7e8b95c7
ESI:00607da2 EDI:00607dd8
...
Backtrace:
=>0 0x00000002 (0x00000000)
0x00000002: -- no code accessible --
Modules:
Module Address Debug info Name (54 modules)
PE 330000- 33c000 Deferred api-ms-win-crt-runtime-l1-1-0
PE 340000- 36f000 Deferred imm32
PE 400000- 41e000 Deferred rundll32
PE 750000- 839000 Deferred setupapi
PE 840000- 991000 Deferred rpcrt4
PE 10000000-10013000 Deferred version
PE 7b000000-7b1c1000 Deferred kernelbase
ELF 7b400000-7b670000 Deferred kernel32<elf>
\-PE 7b420000-7b670000 \ kernel32
ELF 7bc00000-7beb1000 Deferred ntdll<elf>
\-PE 7bc30000-7beb1000 \ ntdll
ELF 7c000000-7c004000 Deferred <wine-loader>
...
ELF 7e430000-7e54c000 Deferred ucrtbase<elf>
\-PE 7e460000-7e54c000 \ ucrtbase
ELF 7e54c000-7e623000 Deferred msvcrt<elf>
\-PE 7e570000-7e623000 \ msvcrt
ELF 7e623000-7e6a5000 Deferred advapi32<elf>
\-PE 7e640000-7e6a5000 \ advapi32
ELF 7e6a5000-7e7fa000 Deferred gdi32<elf>
\-PE 7e6c0000-7e7fa000 \ gdi32
ELF 7e7fa000-7ea2f000 Deferred user32<elf>
\-PE 7e820000-7ea2f000 \ user32
...
ELF f7d62000-f7f14000 Dwarf libwine.so.1
ELF f7f16000-f7f3f000 Deferred ld-linux.so.2
ELF f7f42000-f7f43000 Deferred [vdso].so
Threads:
process tid prio (all id:s are in hex)
...
0000005a QuickTimeInstaller.exe
0000006d 0
00000067 0
0000005b 0
0000005f IDriver.exe
000000c3 0
...
00000060 0
00000088 ISBEW64.exe
0000009b 0
...
00000089 0
0000008d rpcss.exe
00000097 0
...
0000008e 0
0000009e IDriverT.exe
000000a4 0
...
0000009f 0
000000ae msiexec.exe
000000c1 0
...
000000af 0
...
000000f2 (D) C:\windows\syswow64\rundll32.exe
000000f6 0
000000f3 0 <==
...
--- snip ---
Reduced case:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/QuickTime/QTSystem
$ wine "C:\\windows\\syswow64\\rundll32.exe" "C:\\Program Files (x86)\\QuickTime\\QTSystem\\QTJava.dll,QTPostInstallProc"
--- snip ---
That dll entry is CDECL but it should be CALLBACK/stdcall. Also the arguments
don't seem to match. Standard entry point signature is:
--- snip ---
void CALLBACK
EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
--- snip ---
Depending on which toolchain Wine was built with, it will crash or not.
LLVM-MinGW clang version 10.0.0 (https://github.com/llvm/llvm-project.git c49194969430f0ee817498a7000a979a7a0ded03):
--- snip ---
00401440 55 PUSH EBP
00401441 89E5 MOV EBP,ESP
00401443 53 PUSH EBX
00401444 57 PUSH EDI
00401445 56 PUSH ESI
00401446 81EC 90010000 SUB ESP,190
0040144C 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]
...
00401B8A 0FB745 C0 MOVZX EAX,WORD PTR SS:[EBP-40]
00401B8E 50 PUSH EAX
00401B8F FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00401B92 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401B95 53 PUSH EBX
00401B96 FF55 EC CALL DWORD PTR SS:[EBP-14] ; QTJava.QTPostInstallProc
00401B99 8B75 DC MOV ESI,DWORD PTR SS:[EBP-24] ; ---> imbalanced stack
00401B9C EB 1B JMP SHORT rundll32.00401BB9
...
00401BB9 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
00401BBC 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
00401BBF FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00401BC2 6A 00 PUSH 0
00401BC4 FF70 18 PUSH DWORD PTR DS:[EAX+18]
00401BC7 E8 B0190000 CALL <JMP.&kernel32.HeapFree>
00401BCC 85DB TEST EBX,EBX
00401BCE 0F85 ACFBFFFF JNZ rundll32.00401780
...
00401799 57 PUSH EDI
0040179A 6A 00 PUSH 0
0040179C FF70 18 PUSH DWORD PTR DS:[EAX+18]
0040179F E8 D81D0000 CALL <JMP.&kernel32.HeapFree>
004017A4 31C0 XOR EAX,EAX
004017A6 81C4 90010000 ADD ESP,190
004017AC 5E POP ESI
004017AD 5F POP EDI
004017AE 5B POP EBX
004017AF 5D POP EBP
004017B0 C2 1000 RETN 10 ; ---> still imbalanced stack (16 bytes)
--- snip ---
-> crashes
GNU C11 7.3.0 20180125 (Fedora MinGW 7.3.0-1.fc28):
--- snip ---
004017F0 55 PUSH EBP
004017F1 89E5 MOV EBP,ESP
004017F3 57 PUSH EDI
004017F4 56 PUSH ESI
004017F5 53 PUSH EBX
004017F6 81EC CC010000 SUB ESP,1CC
...
004027DB 0FB785 A8FEFFFF MOVZX EAX,WORD PTR SS:[EBP-158]
004027E2 897424 08 MOV DWORD PTR SS:[ESP+8],ESI
004027E6 894424 0C MOV DWORD PTR SS:[ESP+C],EAX
004027EA 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004027ED 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
004027F1 8B85 74FEFFFF MOV EAX,DWORD PTR SS:[EBP-18C]
004027F7 890424 MOV DWORD PTR SS:[ESP],EAX
004027FA 8B85 68FEFFFF MOV EAX,DWORD PTR SS:[EBP-198]
00402800 FFD0 CALL EAX ; QTJava.QTPostInstallProc
00402802 83EC 10 SUB ESP,10 ; ---> imbalanced stack
00402805 897424 08 MOV DWORD PTR SS:[ESP+8],ESI
00402809 C74424 04 0000. MOV DWORD PTR SS:[ESP+4],0
00402811 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
00402817 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
0040281A 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18]
0040281D 890424 MOV DWORD PTR SS:[ESP],EAX
00402820 E8 EB160000 CALL <JMP.&kernel32.HeapFree>
00402825 83EC 0C SUB ESP,0C
00402828 E9 02F3FFFF JMP rundll32.00401B2F
...
00401B7C 8D65 F4 LEA ESP,DWORD PTR SS:[EBP-C] ; <--- recover (!)
00401B7F 31C0 XOR EAX,EAX
00401B81 5B POP EBX
00401B82 5E POP ESI
00401B83 5F POP EDI
00401B84 5D POP EBP
00401B85 C2 1000 RETN 10
--- snip ---
It works here because the compiler-generated epilog code recovers from stack
imbalance.
Apparently this dll entry has been reported to crash on some older Windows
versions as well:
https://kenta.blogspot.com/2005/10/quicktime-windows.html
https://discussions.apple.com/thread/162021
Protection ID scan:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\QuickTime\QTSystem\QTJava.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 180224 (02C000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x4398AC71 -> Thu 08th Dec 2005 21:58:09 (GMT)
[TimeStamp] 0x4398AC71 -> Thu 08th Dec 2005 21:58:09 (GMT) | PE Header | - | Offset: 0x00000120 | VA: 0x68030120 | -
[TimeStamp] 0x430BC0EF -> Wed 24th Aug 2005 00:35:59 (GMT) | Export | - | Offset: 0x0001B674 | VA: 0x6804B674 | -
[File Heuristics] -> Flag #1 : 00000000000000000000000100000000 (0x00000100)
[Entrypoint Section Entropy] : 6.45 (section #0) ".text " | Size : 0x17B78 (97144) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 5 (0x5) | ImageSize 0x2F000 (192512) byte(s)
[Export] 100% of function(s) (184 of 184) are in file | 0 are forwarded | 184 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : Apple Computer. Inc.
[VersionInfo] Product Name : QuickTime for Java
[VersionInfo] Product Version : 6.1.1
[VersionInfo] File Description : QTJava dll
[VersionInfo] File Version : 6.1.1
[VersionInfo] Original FileName : QTJava.dll
[VersionInfo] Internal Name : QTJAVADLL
[VersionInfo] Legal Copyrights : Copyright © 1999-2003 Apple Computer. Inc
[ModuleReport] [IAT] Modules -> KERNEL32.dll | USER32.dll | ADVAPI32.dll
[CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003)
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.251 Second(s) [0000000FBh (251) tick(s)] [246 of 580 scan(s) done]
--- snip ---
Tidbit:
https://tla.mpi.nl/topic/elan-and-quicktime-72-on-windows/
--- quote ---
– the QuickTime 7.2 distribution doesn’t contain the file QTJava.dll anymore.
This file has been part of QT for a long time and ELAN expects it to be
present. ELAN doesn’t handle its absence gracefully.
--- quote ---
If it doesn't crash on newer Windows versions, Microsoft likely worked around
this Apple braindamage and other broken vendor dlls in 'rundll32'.
I suggest introducing a wrapper here to ensure the return stack/epilog is
properly restored, regardless of whether the dll entry was stdcall or cdecl.
$ sha1sum quicktime704.exe
fadbddbccaad9b0e79a66231399a2ce6cfc5409d quicktime704.exe
$ du -sh quicktime704.exe
21M quicktime704.exe
$ wine --version
wine-5.0-rc4-72-g4f0212c4fd
Regards
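As an added illustration (not code from the bug report, from Wine or from Apple), the following C program models the 32-bit stack around rundll32's call to the DLL entry point for the two compiler epilogues disassembled in the comment, plus a variant of the ESP-saving wrapper the comment suggests. The frame sizes 0x190 and 0x1CC, the 16-byte argument block, and the epilogue instruction sequences are taken from the disassembly; every address and register value is a constructed sentinel, and the "save ESP before the call, restore it after" wrapper is an assumed implementation of the suggestion, not Wine's actual fix. It shows why the LLVM-MinGW epilogue returns to whatever saved register happens to sit at [EBP-0xC] when the entry is cdecl, while the GCC epilogue's LEA ESP,[EBP-C] and the wrapper both land on the real return address with a balanced stack.

```c
/*
 * Constructed model of the 32-bit stack around rundll32's call to a DLL
 * entry point. Not Wine or Apple code; sentinel values are made up.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE   2048
#define RET_ADDR     0x00401000u /* constructed: where rundll32's caller resumes */
#define LOCALS_CLANG 0x190       /* SUB ESP,190 in the LLVM-MinGW build */
#define LOCALS_GCC   0x1CC       /* SUB ESP,1CC in the GCC build */

typedef enum { CALLEE_STDCALL, CALLEE_CDECL } Convention;
typedef enum { EPILOGUE_CLANG, EPILOGUE_GCC, EPILOGUE_WRAPPER } Epilogue;

typedef struct {
    uint8_t  mem[STACK_SIZE];   /* byte-addressed stack, grows towards 0 */
    uint32_t esp, ebp;
} Cpu;

static void push(Cpu *c, uint32_t v) { c->esp -= 4; memcpy(&c->mem[c->esp], &v, 4); }
static uint32_t pop(Cpu *c) { uint32_t v; memcpy(&v, &c->mem[c->esp], 4); c->esp += 4; return v; }
static void store(Cpu *c, uint32_t addr, uint32_t v) { memcpy(&c->mem[addr], &v, 4); }

/* What the entry point does to ESP on return: RETN 10 (stdcall, removes its
 * four dword arguments) or plain RET (cdecl, leaves them for the caller). */
static void entry_point_returns(Cpu *c, Convention conv)
{
    (void)pop(c);                               /* RET pops the return address */
    if (conv == CALLEE_STDCALL) c->esp += 0x10; /* RETN 10 */
}

/* Runs rundll32's prologue, the call and the chosen epilogue. Returns the
 * address rundll32 RETNs to and reports whether ESP ended where it started. */
uint32_t simulate(Epilogue ep, Convention conv, bool *stack_ok)
{
    Cpu c;
    memset(c.mem, 0xCC, sizeof c.mem);          /* constructed poison for locals */
    c.esp = STACK_SIZE - 64;
    const uint32_t esp_before = c.esp;

    /* rundll32's own caller: four dword arguments, then CALL. */
    for (int i = 0; i < 4; i++) push(&c, 0xA0000000u + i);
    push(&c, RET_ADDR);

    /* Prologue: PUSH EBP / MOV EBP,ESP / save three registers / reserve locals. */
    push(&c, 0xEB90EB90u);                      /* caller's EBP (constructed) */
    c.ebp = c.esp;
    push(&c, 0x0B000001u); push(&c, 0x0D000002u); push(&c, 0x05000003u); /* saved regs */
    c.esp -= (ep == EPILOGUE_GCC) ? LOCALS_GCC : LOCALS_CLANG;
    const uint32_t esp_saved = c.esp;           /* only the wrapper variant uses this */

    if (ep == EPILOGUE_GCC)                     /* GCC: MOV into a pre-reserved arg area */
        for (int i = 0; i < 4; i++) store(&c, c.esp + 4 * i, 0xA1000000u + i);
    else                                        /* clang: PUSH nCmdShow .. hwnd */
        for (int i = 3; i >= 0; i--) push(&c, 0xA1000000u + i);
    push(&c, 0xDEAD0001u);                      /* CALL pushes a return address (constructed) */
    entry_point_returns(&c, conv);

    switch (ep) {
    case EPILOGUE_CLANG:
        c.esp += LOCALS_CLANG;                  /* ADD ESP,190: assumes the callee cleaned up */
        break;
    case EPILOGUE_GCC:
        c.esp -= 0x10;                          /* SUB ESP,10: re-reserve the argument area */
        c.esp = c.ebp - 0xC;                    /* LEA ESP,[EBP-C]: recovers from any imbalance */
        break;
    case EPILOGUE_WRAPPER:
        c.esp = esp_saved;                      /* assumed fix: restore the ESP saved before the call */
        c.esp += LOCALS_CLANG;
        break;
    }
    (void)pop(&c); (void)pop(&c); (void)pop(&c); /* POP the three saved registers */
    c.ebp = pop(&c);                            /* POP EBP */
    uint32_t ret = pop(&c);                     /* RETN 10 */
    c.esp += 0x10;
    *stack_ok = (c.esp == esp_before);
    return ret;
}

uint32_t return_target(Epilogue ep, Convention conv) { bool ok; return simulate(ep, conv, &ok); }
bool stack_balanced(Epilogue ep, Convention conv) { bool ok; (void)simulate(ep, conv, &ok); return ok; }

int main(void)
{
    static const char *ep_name[] = { "clang epilogue", "gcc epilogue", "esp-restoring wrapper" };
    static const char *cv_name[] = { "stdcall entry", "cdecl entry" };
    for (int e = 0; e < 3; e++)
        for (int v = 0; v < 2; v++)
            printf("%-22s + %-13s -> returns to %08x, stack %s\n", ep_name[e], cv_name[v],
                   return_target((Epilogue)e, (Convention)v),
                   stack_balanced((Epilogue)e, (Convention)v) ? "balanced" : "IMBALANCED");
    return 0;
}
```

In the clang-style frame with a cdecl entry the final RETN 10 pops the value stored at [EBP-0xC], which is the saved ESI sentinel rather than the return address, and ESP ends 16 bytes short of where the caller expects it, matching the "still imbalanced stack (16 bytes)" annotation in the disassembly. The GCC frame and the wrapper variant both return to RET_ADDR with ESP restored for either convention.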