[Bug 48798] RegCloseKey: Uninitialized read from get_language_sort
WineHQ Bugzilla
wine-bugs at winehq.org
Tue Mar 24 13:13:30 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=48798
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Regression SHA1| |b780e5f5b1bd018629bfa31431e
| |216c7579fe9aa
CC| |focht at gmx.net
Ever confirmed|0 |1
Status|UNCONFIRMED |NEW
Keywords| |regression
--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
I was about to create a bug report myself since I encountered weird app/game
crashes and traced it back to this problem. Didn't find it via Bugzilla
regression sha1 search but fortunately 'get_language_sort' showed up in bug
list while typing the summary ;-)
Encountered while checking bug 38741 ("Assetto Corsa (Steam) Launcher (.NET 4.0
app) crashes on startup")
Prerequisite: 'winetricks -q dotnet40'
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Games/Assetto Corsa
$ WINEDEBUG=+seh,+relay,+wincodecs,+reg,+server wine
./AssettoCorsa_Launcher.exe >>log_server.txt 2>&1
...
002d:Call
windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy(0533311c,05332848,0032eb68,00000000,0032eb78)
ret=15b83331
002d:trace:wincodecs:ImagingFactory_CreateDecoderFromStream
(0x5333118,0x5332848,{f0e749ca-edef-4589-a73a-ee0e626a2a2b},0,0x32eb78)
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc
L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000,
name=L"CLSID" )
002d: open_key() = 0 { hkey=003c }
002d:trace:reg:open_key <- 0x3c
002d:Ret ntdll.NtOpenKeyEx() retval=00000000 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(00000000) ret=7b0325d2
002d:Ret ntdll.RtlNtStatusToDosError() retval=00000000 ret=7b0325d2
002d:Ret advapi32.RegOpenKeyExW() retval=00000000 ret=78f6a7b0
...
002d:Call windowscodecs.WICCreateImagingFactory_Proxy(00000236,0dfe6090)
ret=15b83010
002d:trace:wincodecs:WICCreateImagingFactory_Proxy 236, 0xdfe6090
002d:trace:wincodecs:ImagingFactory_CreateInstance
({ec5ec8a9-c395-4314-9c77-54d7a935ff70},0xdfe6090)
002d:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=78f64726
002d:Ret ntdll.RtlAllocateHeap() retval=0532d320 ret=78f64726
002d:trace:wincodecs:ImagingFactory_QueryInterface
(0x532d320,{ec5ec8a9-c395-4314-9c77-54d7a935ff70},0xdfe6090)
002d:trace:wincodecs:ImagingFactory_AddRef (0x532d320) refcount=2
002d:trace:wincodecs:ImagingFactory_Release (0x532d320) refcount=1
002d:Ret windowscodecs.WICCreateImagingFactory_Proxy() retval=00000000
ret=15b83010
002d:Call
windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy(0532d324,05352598,0032eb68,00000000,0032eb78)
ret=15b83331
002d:trace:wincodecs:ImagingFactory_CreateDecoderFromStream
(0x532d320,0x5352598,{f0e749ca-edef-4589-a73a-ee0e626a2a2b},0,0x32eb78)
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc
L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000,
name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
002d:Ret ntdll.NtOpenKeyEx() retval=c0000008 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b0325d2
002d:Ret ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b0325d2
002d:Ret advapi32.RegOpenKeyExW() retval=00000006 ret=78f6a7b0
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc
L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000,
name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
002d:Ret ntdll.NtOpenKeyEx() retval=c0000008 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b0325d2
002d:Ret ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b0325d2
002d:Ret advapi32.RegOpenKeyExW() retval=00000006 ret=78f6a7b0
002d:warn:wincodecs:ImagingFactory_CreateDecoderFromStream failed to load from
a stream 0x80070006
002d:trace:wincodecs:IWICStreamImpl_Seek (0x5352598, 0, 0, (nil))
002d:trace:wincodecs:StreamOnMemory_Seek (0x534ff48, 0, 0, (nil))
002d:trace:wincodecs:IWICStreamImpl_Read (0x5352598, 0x32e9cc, 4, 0x32e9c8)
002d:trace:wincodecs:StreamOnMemory_Read (0x534ff48, 0x32e9cc, 4, 0x32e9c8)
002d:warn:wincodecs:ImagingFactory_CreateDecoderFromStream first 4 bytes of
stream=89 50 4e 47
002d:Ret windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy()
retval=80070006 ret=15b83331
...
System.Windows.Markup.XamlParseException: Provide value on
'System.Windows.Baml2006.TypeConverterMarkupExtension' threw an exception. --->
System.Runtime.InteropServices.COMException: Invalid handle. (Exception from
HRESULT: 0x80070006 (E_HANDLE))
at
System.Windows.Media.Imaging.BitmapDecoder.SetupDecoderFromUriOrStream(Uri uri,
Stream stream, BitmapCacheOption cacheOption, Guid& clsId, Boolean&
isOriginalWritable, Stream& uriStream, UnmanagedMemoryStream&
unmanagedMemoryStream, SafeFileHandle& safeFilehandle)
at System.Windows.Media.Imaging.BitmapDecoder.CreateFromUriOrStream(Uri
baseUri, Uri uri, Stream stream, BitmapCreateOptions createOptions,
BitmapCacheOption cacheOption, RequestCachePolicy uriCachePolicy, Boolean
insertInDecoderCache)
at System.Windows.Media.Imaging.BitmapFrame.CreateFromUriOrStream(Uri
baseUri, Uri uri, Stream stream, BitmapCreateOptions createOptions,
BitmapCacheOption cacheOption, RequestCachePolicy uriCachePolicy)
at
System.Windows.Media.ImageSourceConverter.ConvertFrom(ITypeDescriptorContext
context, CultureInfo culture, Object value)
at
System.Windows.Baml2006.TypeConverterMarkupExtension.ProvideValue(IServiceProvider
serviceProvider)
at
MS.Internal.Xaml.Runtime.ClrObjectRuntime.CallProvideValue(MarkupExtension me,
IServiceProvider serviceProvider)
--- End of inner exception stack trace ---
at System.Windows.Markup.XamlReader.RewrapException(Exception e,
IXamlLineInfo lineInfo, Uri baseUri)
at System.Windows.Markup.WpfXamlLoader.Load(XamlReader xamlReader,
IXamlObjectWriterFactory writerFactory, Boolean skipJournaledProperties, Object
rootObject, XamlObjectWriterSettings settings, Uri baseUri)
at System.Windows.Markup.WpfXamlLoader.LoadBaml(XamlReader xamlReader,
Boolean skipJournaledProperties, Object rootObject, XamlAccessLevel
accessLevel, Uri baseUri)
at System.Windows.Markup.XamlReader.LoadBaml(Stream stream, ParserContext
parserContext, Object parent, Boolean closeStream)
at System.Windows.Application.LoadComponent(Object component, Uri
resourceLocator)
at AC.Launcher.MainWindow.InitializeComponent()
at AC.Launcher.MainWindow..ctor(Boolean softwaremode)
at AC.Launcher.Startup.Main(String[] args)
--- snip ---
Why would such thing fail on wineserver side:
--- snip ---
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000,
name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
--- snip ---
Going back in time and find this:
--- snip ---
002d:Call KERNEL32.LCMapStringEx(01941620 L"",00000100,01a3a37c
L"0",00000001,01a3a38c,00000001,00000000,00000000,00000000) ret=7916d04d
002d:Call ntdll.memcmp(7b059070,00aa05d4,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa0328,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa01c0,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa010c,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa00c4,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa00a0,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=00000000 ret=7b01fc72
002d:Call ntdll.NtClose(05002f2b) ret=7b033207
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
002d:Ret ntdll.NtClose() retval=c0000008 ret=7b033207
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b03320e
002d:Ret ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b03320e
002d:Ret KERNEL32.LCMapStringEx() retval=00000001 ret=7916d04d
--- snip ---
Yikes. Taking random data and pass it to NtClose().
What could possibly go wrong. Many things ;-)
--- snip ---
$ egrep -B1 "002d:.*close_handle\(\) = INVALID_HANDLE.*" log_server.txt
002d: close_handle( handle=a99830 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1302 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1302 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32c6b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32c6a8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=7bce8a74 )
002d: close_handle() = INVALID_HANDLE
--
...
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32ebb4 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1991ac8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32e8b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=79142ec3 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
...
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32e8b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=79142ec3 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1611658 )
002d: close_handle() = INVALID_HANDLE
--- snip ---
Regression introduced by
https://source.winehq.org/git/wine.git/commitdiff/b780e5f5b1bd018629bfa31431e216c7579fe9aa
("kernelbase: Use linguistic case table for LCMAP_LINGUISTIC_CASING.")
https://source.winehq.org/git/wine.git/blob/84cca2baae23c6afa0c8070f5009fdcfa218e039:/dlls/kernelbase/locale.c#l655
--- snip ---
655 static const struct sortguid *get_language_sort( const WCHAR *locale )
656 {
657 WCHAR *p, *end, buffer[LOCALE_NAME_MAX_LENGTH], guidstr[39];
658 const struct sortguid *ret;
659 UNICODE_STRING str;
660 GUID guid;
661 HKEY key;
662 DWORD size, type;
663
664 if (locale == LOCALE_NAME_USER_DEFAULT)
665 {
666 if (current_locale_sort) return current_locale_sort;
667 GetUserDefaultLocaleName( buffer, ARRAY_SIZE( buffer ));
668 }
669 else lstrcpynW( buffer, locale, LOCALE_NAME_MAX_LENGTH );
670
671 if (buffer[0] && !RegOpenKeyExW( nls_key, L"Sorting\\Ids", 0,
KEY_READ, &key ))
672 {
673 for (;;)
674 {
675 size = sizeof(guidstr);
676 if (!RegQueryValueExW( key, buffer, NULL, &type, (BYTE
*)guidstr, &size ) && type == REG_SZ)
677 {
678 RtlInitUnicodeString( &str, guidstr );
679 if (!RtlGUIDFromString( &str, &guid ))
680 {
681 ret = find_sortguid( &guid );
682 goto done;
683 }
684 break;
685 }
686 for (p = end = buffer; *p; p++) if (*p == '-' || *p == '_')
end = p;
687 if (end == buffer) break;
688 *end = 0;
689 }
690 }
691 ret = find_sortguid( &default_sort_guid );
692 done:
693 RegCloseKey( key );
694 return ret;
695 }
--- snip ---
Ideally we want to fix this ASAP, before the next Wine 5.5 release!
Otherwise expect quite a number of bug reports with all kinds of weird
crashes/app/game behaviour.
$ wine --version
wine-5.4-255-g00e55c8fc0
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list