[Bug 49116] New: Windows 10 1903 SDK (10.0.18362.0) installer crashes (method invocation on wrong CCW interface?)

WineHQ Bugzilla wine-bugs at winehq.org
Thu May 7 21:27:11 CDT 2020 

https://bugs.winehq.org/show_bug.cgi?id=49116

            Bug ID: 49116
           Summary: Windows 10 1903 SDK (10.0.18362.0) installer crashes
                    (method invocation on wrong CCW interface?)
           Product: Wine
           Version: 5.7
          Hardware: x86
               URL: https://web.archive.org/web/20200215010843/https://dow
                    nload.microsoft.com/download/4/2/2/42245968-6A79-4DA7-
                    A5FB-08C0AD0AE661/windowssdk/winsdksetup.exe
                OS: Linux
            Status: NEW
          Keywords: download
          Severity: normal
          Priority: P2
         Component: mscoree
          Assignee: wine-bugs at winehq.org
          Reporter: z.figura12 at gmail.com
      Distribution: ---

It calls _AppDomain::CreateInstance() from unmanaged code to retrieve a COM
pointer to one of its own objects (specifically,
BootstrapperApplicationFactory, hosted in BootstrapperCore.dll), and then tries
to invoke a method on the object. The problem is that the method it invokes has
vtbl offset 0x38, but Mono gives us back what *seems* to be an IDispatch vtbl,
so it ends up invoking junk. This consistently results in an execute fault for
me.

Relevant disassembly, from mbahost.dll:

    1286:    8b 45 08                 >mov    eax, [ebp+08h]
    1289:    8d 55 fc                  lea    edx, [ebp-04h]
    128c:    52                        push    edx
    128d:    57                        push    edi
    128e:    53                        push    ebx
    128f:    8b 08                     mov    ecx, [eax]
    1291:    50                        push    eax
    1292:    ff 91 94 00 00 00         call    dword [ecx+00000094h] //
CreateInstance(), apparently
    1298:    8b f0                     mov    esi, eax
    129a:    85 f6                     test    esi, esi
    129c:    79 08                     jns    12a6    // jump if SUCCEEDED
    129e:    56                        push    esi
    129f:    68 1f 02 00 00            push    dword 0000021Fh
    12a4:    eb 48                     jmp    12ee
    12a6:    8b 45 fc                 >mov    eax, [ebp-04h]
    12a9:    8d 55 ec                  lea    edx, [ebp-14h]
    12ac:    52                        push    edx
    12ad:    50                        push    eax
    12ae:    8b 08                     mov    ecx, [eax]
    12b0:    ff 51 38                  call    dword [ecx+38h] // crashes

Presumably Mono is wrong in returning IDispatch here, but I'm not sure why, and
it's not clear what should be returned in its stead. The class in question
actually has a ClassInterfaceType of AutoDispatch, but maybe that doesn't
actually mean we should return IDispatch? But the CIL interface that class
explicitly implements, IBootstrapperApplicationFactory, only has one method, so
I'm not sure how an offset of 0x38 makes sense there either.

When I get the time I'll build and run a testcase...

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list