[Bug 34021] New: IE8 crashes badly when navigating to www.microsoft.com
http://bugs.winehq.org/show_bug.cgi?id=34021

             Bug #: 34021
           Summary: IE8 crashes badly when navigating to www.microsoft.com
           Product: Wine
           Version: 1.6-rc4
          Platform: x86-64
               URL: http://download.microsoft.com/download/C/C/0/CC0BD555-33DD-411E-936B-73AC6F95AE11/IE8-WindowsXP-x86-ENU.exe
        OS/Version: Linux
            Status: NEW
          Keywords: download
          Severity: minor
          Priority: P2
         Component: wininet
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: kennybobs(a)o2.co.uk
    Classification: Unclassified

Created attachment 45209
  --> http://bugs.winehq.org/attachment.cgi?id=45209
wine-1.6-rc4-122-g104adb7 console output (caught by redirects)

Working around Bug 25648, "wine ~/.wine/drive_c/Program\ Files/Internet\ Explorer/iexplore.exe www.microsoft.com" crashes out badly. See logs.

However, workaround is supplied wininet (and urlmon - unimplemented function).

--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=34021

--- Comment #1 from Ken Sharp <kennybobs(a)o2.co.uk> 2013-07-12 14:57:32 CDT ---
Created attachment 45210
  --> http://bugs.winehq.org/attachment.cgi?id=45210
wine-1.6-rc4-122-g104adb7 trace (not caught by redirects)

*** stack smashing detected ***: /home/test/.wine/drive_c/Program Files/Internet Explorer/iexplore.exe terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xf744f0e5]
/lib/i386-linux-gnu/libc.so.6(+0x10409a)[0xf744f09a]
/home/test/chrootprecisei386/usr/local/bin/../lib/wine/wininet.dll.so(+0x501a4)[0x7e21d1a4]
/home/test/chrootprecisei386/usr/local/bin/../lib/wine/wininet.dll.so(+0x4aff6)[0x7e217ff6]
[0x67414141]

http://bugs.winehq.org/show_bug.cgi?id=34021

--- Comment #2 from Austin English <austinenglish(a)gmail.com> 2013-10-16 03:05:22 CDT ---
Works fine here with winetricks ie8 and wine-1.7.4. Please retest.

https://bugs.winehq.org/show_bug.cgi?id=34021

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht(a)gmx.net

--- Comment #3 from Anastasius Focht <focht(a)gmx.net> ---
Hello folks,

confirming.
You don't even need IE8 install for that, just visit 'www.microsoft.com' with builtin.

Looks like a classic buffer overflow to me (overly long jscript URI):

--- snip ---
$ wine ~/.wine/drive_c/Program\ Files/Internet\ Explorer/iexplore.exe www.microsoft.com
...
004a:trace:wininet:urlcache_encode_url L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."...
...
004a:trace:wininet:InternetCrackUrlW (L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."... 0 0 0x53cc434)
...
004a:trace:wininet:InternetCrackUrlA "http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."...: scheme((null)) host((null)) path("/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAA"...) extra((null))
004a:Call ntdll.RtlFreeHeap(00110000,00000000,068c2e40) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf749afc6 ip=f749afc6 tid=004a
004a:trace:seh:raise_exception  info[0]=00000000
004a:trace:seh:raise_exception  info[1]=754f6d64
004a:trace:seh:raise_exception  eax=00000000 ebx=f77b9000 ecx=00000024 edx=754f6d64 esi=f77ac3b5 edi=754f6d64
004a:trace:seh:raise_exception  ebp=053cbf58 esp=053cbf24 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210283
--- snip ---

--- snip ---
...
=>0 0x7e31732c urlcache_entry_create+0x1dd(url=*** invalid address 0x754f6d64 ***, ext=*** invalid address 0x4e644a77 ***, full_path=*** invalid address 0x41414167 ***) [/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in wininet (0x0186c4c8)
0x7e31732c urlcache_entry_create+0x1dd [/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in wininet: movb $0x0,0xfffffe88(%ebp,%eax,1)
2661            file_name[e-p] = 0;
...
Wine-dbg>info locals
0x7e31732c urlcache_entry_create+0x1dd: (0186c4c8)
        char* url=*** invalid address 0x754f6d64 *** (parameter [EBP+8])
        char* ext=*** invalid address 0x4e644a77 *** (parameter [EBP+12])
        WCHAR* full_path=*** invalid address 0x41414167 *** (parameter [EBP+16])
        cache_container* container=0x67414141 (local [EBP-116])
        urlcache_header* header=0x41414141 (local [EBP-64])
        char --none--[260] file_name="??..." (local [EBP-376])
        WCHAR --none--[260] extW={ ... }
        BYTE cache_dir='K' (local [EBP-9])
        LONG full_path_len=0x7e332000 (local [EBP-900])
        BOOL generate_name=0x6e4a3163 (local [EBP-16])
        DWORD error=0x59534249 (local [EBP-60])
        HANDLE file=0x67414141 (local [EBP-84])
        FILETIME ft={dwLowDateTime=0x7ffdf000, dwHighDateTime=0x3a} (local [EBP-908])
        URL_COMPONENTSA uc={dwStructSize=0x3c, lpszScheme=0x0(nil), dwSchemeLength=0, nScheme=INTERNET_SCHEME_HTTP, lpszHostName=0x0(nil), dwHostNameLength=0, nPort=0x50, lpszUserName=0x0(nil), dwUserNameLength=0, lpszPassword=0x0(nil), dwPasswordLength=0,
lpszUrlPath="/ots/ots/js-3.2/311121/WT34_YlVgAAAIAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAAAgIhIhm4AAACAAAAAgLesOJP0xZK8AAAAgAAAAIBSYgEufY02RClpEpguMDgyAAAAgAAAAIAAAACAFi9Yvc1Jn5bfKYotAAAAgAAAAIDMzdmOuwJdNgAAAIAAAACAAAAAgGt4p68AAACAAAAAgAAAAIAGEuJOAAAAgDT88Qph1iZjAAAAgAAAAIAAAACAwekvMllRApWPMkafAAAAgGlpFwoAAACA2ae0vOA6CMwAAACAAAAAgAAAAIA5Crrj9yQOlAAAAIChdS83Hun-FLZreKpYzh1WAAAAgAAAAIAAAACAAAAAgKNnaMAAAACAAAAAgAAAAIAAAACAAAAAgK6wit6ZbT5YADjM7PZ9HAwAAACAAAAAgAAAAIDSLxBzAAAAgAAAAIAAAACAAAAAgCFr9bLnZZhrsoW9flhoZJOTBp2opVM2jAAAAIAAAACAiib0WXNnZtxbyXH-AAAAgAAAAIAAAACAAAAAgAAAAIB8HVjhAAAAgAAAAIDS7S44JiGQeQAAAICertkUAAAAgAAAAICaHYGrAAAAgAAAAIAAAACALgPnYAAAAIBtVpJNAAAAgJmBep8AAACAAAAAgAQ6EPMAAACAAAAAgAAAAIAAAACAAAAAgAAAAIDGDv_8AAAAgAAAAIAAAACA4mBgxyJZXp7vAmZI2x8Gf65I8BVu9zQkAAAAgAAAAIAAAACAEiqh5pN_e_gAAACAzAlu5", dwUrlPathLength=0x666, lpszExtraInfo=0x0(nil), dwExtraInfoLength=0} (local [EBP-968])
        int i=0x76593969 (local [EBP-20])
        char* p=*** invalid address 0x46414341 *** (local [EBP-24])
        char* e=*** invalid address 0x41414149 *** (local [EBP-28])
--- snip --

$ wine --version
wine-1.7.13-100-gfcae016

Regards

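The pattern comment #3 points at (a 260-byte file_name buffer terminated with file_name[e-p] = 0 while dwUrlPathLength is 0x666), as an added C example beside a bounded version. This is not Wine's source and not the commit referenced later in the thread; the helper names and the segment-splitting rule are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
#define MAX_PATH 260  /* size of file_name[] in the debugger output */

/* Find the last path segment [*p, *e), dropping a trailing ".ext" (assumed rule). */
static void last_segment(const char *path, size_t len,
                         const char **p, const char **e)
{
    *p = *e = path + len;
    while (*p > path && (*p)[-1] != '/' && (*p)[-1] != '\\' && (*p)[-1] != '.')
        (*p)--;
    if (*p > path && (*p)[-1] == '.') {
        *e = *p - 1;
        while (*p > path && (*p)[-1] != '/' && (*p)[-1] != '\\')
            (*p)--;
    }
}

/* Index that an unchecked `file_name[e-p] = 0` would write to. */
size_t unchecked_terminator_index(const char *path, size_t len)
{
    const char *p, *e;
    last_segment(path, len, &p, &e);
    return (size_t)(e - p);
}

/* Bounded copy: clamp the segment to the buffer, return bytes stored. */
size_t cache_file_name(const char *path, size_t len, char file_name[MAX_PATH])
{
    const char *p, *e;
    last_segment(path, len, &p, &e);
    if (e - p >= MAX_PATH)
        e = p + MAX_PATH - 1;          /* truncate instead of overflowing */
    memcpy(file_name, p, (size_t)(e - p));
    file_name[e - p] = 0;
    return (size_t)(e - p);
}

/* Constructed input: a 0x666-byte path with one long final segment, the
 * same length as dwUrlPathLength in the trace (contents are filler). */
size_t demo_long_path(char file_name[MAX_PATH])
{
    char path[0x666 + 1];
    memset(path, 'A', 0x666);
    memcpy(path, "/ots/", 5);
    path[0x666] = 0;
    return cache_file_name(path, 0x666, file_name);
}
```

With the constructed path the unchecked index is far past the end of the 260-byte buffer, which is the condition that trips the stack protector in the reports above; the bounded version stores 259 bytes plus the terminator.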
https://bugs.winehq.org/show_bug.cgi?id=34021

Simon <swdevelop1981(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |swdevelop1981(a)gmail.com

https://bugs.winehq.org/show_bug.cgi?id=34021

Dmitry <mr_wire(a)mail.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mr_wire(a)mail.ru

--- Comment #4 from Dmitry <mr_wire(a)mail.ru> ---
Works fine both in builtin IE and in IE8 downloaded using winetricks.
Using wine-1.7.25 at Mac OS X.

https://bugs.winehq.org/show_bug.cgi?id=34021

Ken Sharp <imwellcushtymelike(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #45209|0                           |1
        is obsolete|                            |
  Attachment #45210|0                           |1
        is obsolete|                            |

--- Comment #5 from Ken Sharp <imwellcushtymelike(a)gmail.com> ---
Created attachment 51684
  --> https://bugs.winehq.org/attachment.cgi?id=51684
Wine 1.7.44 console output

*** stack smashing detected ***: iexplore terminated

Still present in Wine 1.7.44, though the backtrace is different.

https://bugs.winehq.org/show_bug.cgi?id=34021

Sebastian Lackner <sebastian(a)fds-team.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sebastian(a)fds-team.de

https://bugs.winehq.org/show_bug.cgi?id=34021

super_man(a)post.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |super_man(a)post.com

--- Comment #6 from super_man(a)post.com ---
wine iexplore.exe www.microsoft.com (builtin ie). No crash. But the address seems to forward into some locale specific site. Also the site could have changed meanwhile.

wine 1.9.9

https://bugs.winehq.org/show_bug.cgi?id=34021

Jacek Caban <jacek(a)codeweavers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jacek(a)codeweavers.com
      Fixed by SHA1|                            |1a738a556cf231a713c25b1d13d
                   |                            |ecb202c77db90
         Resolution|---                         |FIXED

--- Comment #7 from Jacek Caban <jacek(a)codeweavers.com> ---
Long URLs are fixed in wininet for a long time. For comment 3 it was probably 1a738a556cf231a713c25b1d13decb202c77db90.

https://bugs.winehq.org/show_bug.cgi?id=34021

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 4.10.