[Bug 51425] New: Mathearbeit G 5.6 installer reports null pointer exception in module 'shell32.dll' starting with Wine 6.9-142-g98d43c5dcfb

WineHQ Bugzilla wine-bugs at winehq.org
Thu Jul 8 06:21:20 CDT 2021


https://bugs.winehq.org/show_bug.cgi?id=51425

            Bug ID: 51425
           Summary: Mathearbeit G 5.6 installer reports null pointer
                    exception in module 'shell32.dll' starting with Wine
                    6.9-142-g98d43c5dcfb
           Product: Wine
           Version: 6.12
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: shell32
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

while revisiting bug 38740 ("Mathearbeit G 5.6 installer hangs during
installation (ShellFolder attributes for virtual folder 'CLSID_Printers', clsid
'{2227a280-3aea-1069-a2de-08002b30309d}' missing in registry)") to validate the
claim that the bug has been fixed I've found a regression which actually hides
the original bug.

Stable download link via Internet Archive:

https://web.archive.org/web/20210708082931/http://zahlenbasar.de/MA_DL/setupgs5_6.exe

--- snip ---
...
0118:trace:shell:_SHGetUserShellFolderPath 0x80000002,(null),L"{00000000-0000-0000-0000-000000000000}",0x32ea98
0118:Call advapi32.RegCreateKeyW(80000002,7daf0dc0 L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",0032e18c) ret=7daa23be
...
0118:Ret  advapi32.RegCreateKeyW() retval=00000000 ret=7daa23be
0118:Call advapi32.RegCreateKeyW(80000002,7daf0d20 L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",0032e188) ret=7daa23d8
...
0118:Ret  advapi32.RegCreateKeyW() retval=00000000 ret=7daa23d8
0118:Call advapi32.RegQueryValueExW(000000f0,0032e800 L"{00000000-0000-0000-0000-000000000000}",00000000,0032e190,0032ea98,0032e194) ret=7daa2417
...
0118:Ret  advapi32.RegQueryValueExW() retval=00000002 ret=7daa2417
...
0118:trace:shell:_SHGetUserShellFolderPath returning 0x80004005
0118:trace:shell:_SHGetDefaultValue 0x45,0x32ea98
0118:trace:seh:dispatch_exception code=c0000005 flags=0 addr=7DAA0EA5 ip=7daa0ea5 tid=0118
0118:trace:seh:dispatch_exception  info[0]=00000000
0118:trace:seh:dispatch_exception  info[1]=00000000
0118:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception (code=c0000005) raised
0118:trace:seh:dispatch_exception  eax=00000000 ebx=00000045 ecx=0032e354 edx=0032e37e esi=0032ea98 edi=00000000
0118:trace:seh:dispatch_exception  ebp=0032e7d8 esp=0032e7a0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0118:trace:seh:call_vectored_handlers calling handler at 7B00F750 code=c0000005 flags=0
0118:trace:seh:call_vectored_handlers handler at 7B00F750 returned 0
0118:trace:seh:call_stack_handlers calling handler at 004D512B code=c0000005 flags=0
0118:trace:seh:call_stack_handlers handler at 004D512B returned 1
0118:trace:seh:call_stack_handlers calling handler at 004E2570 code=c0000005 flags=0
0118:trace:seh:call_stack_handlers handler at 004E2570 returned 1
0118:trace:seh:call_stack_handlers calling handler at 0044B389 code=c0000005 flags=0
...
0118:Call user32.MessageBoxA(0001009a,02dbd314 "Zugriffsverletzung bei Adresse 7DAA0EA5 in Modul 'shell32.dll'. Lesen von Adresse 00000000.",013f5160 "MATHEARBEIT G Setup",00000010) ret=0045273f
...
--- snip ---

After dismissing the dialog, the installer runs further and indeed completes
without live-looping (copies files). Bug 38740 *appears* to be fixed but in
fact it's not.

Commit
https://source.winehq.org/git/wine.git/commitdiff/98d43c5dcfb28183667d874d4c07dfd9bb434149
("shell32: Calculate known folder paths from parent and relative path."), part
of Wine 6.10 release, introduced a regression which causes a NULL pointer
exception in the reworked shell32 code.

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/shell32/shellpath.c#l2446

--- snip ---
2446     { /* 0x45 */
2447         &GUID_NULL,
2448         CSIDL_Type_User,
2449         NULL,
2450         DocumentsW
2451     },
--- snip ---

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/shell32/shellpath.c#l3470

--- snip ---
3470 /* Gets a 'semi-expanded' default value of the CSIDL with index folder into
3471  * pszPath, based on the entries in CSIDL_Data.  By semi-expanded, I mean:
3472  * - Depending on the entry's type, the path may begin with an (unexpanded)
3473  *   environment variable name.  The caller is responsible for expanding
3474  *   environment strings if so desired.
3475  *   The types that are prepended with environment variables are:
3476  *   CSIDL_Type_User:     %USERPROFILE%
3477  *   CSIDL_Type_AllUsers: %ALLUSERSPROFILE%
3478  *   CSIDL_Type_CurrVer:  %SystemDrive%
3479  *   (Others might make sense too, but as yet are unneeded.)
3480  */
3481 static HRESULT _SHGetDefaultValue(BYTE folder, LPWSTR pszPath)
3482 {
3483     HRESULT hr;
3484 
3485     TRACE("0x%02x,%p\n", folder, pszPath);
3486 
3487     if (folder >= ARRAY_SIZE(CSIDL_Data))
3488         return E_INVALIDARG;
3489 
3490     if (!pszPath)
3491         return E_INVALIDARG;
3492 
3493     if (!is_win64)
3494     {
3495         BOOL is_wow64;
3496 
3497         switch (folder)
3498         {
3499         case CSIDL_PROGRAM_FILES:
3500         case CSIDL_PROGRAM_FILESX86:
3501             IsWow64Process( GetCurrentProcess(), &is_wow64 );
3502             folder = is_wow64 ? CSIDL_PROGRAM_FILESX86 : CSIDL_PROGRAM_FILES;
3503             break;
3504         case CSIDL_PROGRAM_FILES_COMMON:
3505         case CSIDL_PROGRAM_FILES_COMMONX86:
3506             IsWow64Process( GetCurrentProcess(), &is_wow64 );
3507             folder = is_wow64 ? CSIDL_PROGRAM_FILES_COMMONX86 : CSIDL_PROGRAM_FILES_COMMON;
3508             break;
3509         }
3510     }
3511 
3512     if (IsEqualGUID(CSIDL_Data[folder].fidParent, &GUID_NULL))
3513     {
3514         /* hit the root, sub in env var */
3515         switch (CSIDL_Data[folder].type)
3516         {
3517             case CSIDL_Type_User:
3518                 strcpyW(pszPath, UserProfileW);
3519                 break;
3520             case CSIDL_Type_AllUsers:
3521                 strcpyW(pszPath, PublicProfileW);
3522                 break;
3523             case CSIDL_Type_ProgramData:
3524                 strcpyW(pszPath, ProgramDataVarW);
3525                 break;
3526             case CSIDL_Type_CurrVer:
3527                 strcpyW(pszPath, SystemDriveW);
3528                 break;
3529             default:
3530                 ; /* no corresponding env. var, do nothing */
3531         }
3532         hr = S_OK;
3533     }else{
3534         /* prepend with parent */
3535         hr = _SHGetDefaultValue(csidl_from_id(CSIDL_Data[folder].fidParent), pszPath);
3536     }
3537 
3538     if (SUCCEEDED(hr))
3539         append_relative_path(folder, pszPath);
3540 
3541     TRACE("returning 0x%08x\n", hr);
3542     return hr;
3543 }
--- snip ---

Line 3512 -> 'fidParent' member is zero-init for 'CSIDL_Data' 0x45 folder
entry, causing null pointer exception.

After fixing the regression, the installer runs into bug 38740.

$ sha1sum setupgs5_6.exe 
fbbbae71ce4214e3848ae29399fa3b271bd6763f  setupgs5_6.exe

$ du -sh setupgs5_6.exe 
5.8M    setupgs5_6.exe

$ wine --version
wine-6.12-125-g6763ed84cf0

Regards
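
The failure mode described above, as an added example that is not part of the original report and not Wine's code: a reduced model of a folder table whose default-path lookup recurses through a parent pointer, with the NULL check that line 3512 lacks. All type and function names are hypothetical, and treating a NULL parent as a root entry is an assumption of this sketch, not the fix applied in Wine.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the Wine types; every name here is hypothetical. */
typedef struct { unsigned char b[16]; } guid_t;
enum ftype { TYPE_USER, TYPE_OTHER };
struct folder {
    const guid_t *id;
    enum ftype    type;
    const guid_t *parent;   /* NULL when the initializer leaves it out */
    const char   *rel;      /* relative path, may be NULL */
};

static const guid_t guid_null    = {{0}};
static const guid_t guid_profile = {{1}};
static const guid_t guid_docs    = {{2}};

/* Constructed sample table; the last entry is shaped like the 0x45 entry. */
static const struct folder table[] = {
    { &guid_profile, TYPE_USER, &guid_null,    NULL        },
    { &guid_docs,    TYPE_USER, &guid_profile, "Documents" },
    { &guid_null,    TYPE_USER, NULL,          "Documents" },
};
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

static int guid_eq(const guid_t *a, const guid_t *b) { return !memcmp(a, b, sizeof(*a)); }

static int index_from_id(const guid_t *id)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        if (guid_eq(table[i].id, id)) return (int)i;
    return -1;
}

/* Returns 0 on success, -1 on bad input. A NULL parent is checked before
 * guid_eq() so the comparison never reads from address 0. */
int default_value(int idx, char *out, size_t len)
{
    if (idx < 0 || (size_t)idx >= TABLE_LEN || !out || !len) return -1;
    const struct folder *f = &table[idx];
    if (!f->parent || guid_eq(f->parent, &guid_null))
        snprintf(out, len, "%s", f->type == TYPE_USER ? "%USERPROFILE%" : "");
    else if (default_value(index_from_id(f->parent), out, len) != 0)
        return -1;
    if (f->rel)   /* append the entry's own relative path */
        snprintf(out + strlen(out), len - strlen(out), "\\%s", f->rel);
    return 0;
}
```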
