[Bug 34716] New: HippoAnimator3: Invalid name at installation startup
http://bugs.winehq.org/show_bug.cgi?id=34716 Bug #: 34716 Summary: HippoAnimator3: Invalid name at installation startup Product: Wine Version: 1.7.4 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: -unknown AssignedTo: wine-bugs(a)winehq.org ReportedBy: lukasz.wojnilowicz(a)gmail.com Classification: Unclassified Created attachment 46286 --> http://bugs.winehq.org/attachment.cgi?id=46286 WINEDEBUG=+relay,+seh,+tid on Wine 1.7.4 Steps to reproduce: 1) remove ~/.wine 2) wine HippoAnimator3.exe Behaviour: Error message with "Invalid name" text. Expected behaviour: No error message. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=34716 NSLW <lukasz.wojnilowicz(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download, Installer URL| |http://www.hippostudios.co/ | |Content/Files/Downloads/Hip | |poAnimator3.exe -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=34716 Ricardo Vega <ricardoe(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ricardoe(a)gmail.com -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=34716 --- Comment #1 from Ricardo Vega <ricardoe(a)gmail.com> 2013-11-12 15:02:28 CST --- +1, exact same bahavior using: wine-1.4.1 Ubuntu 13.04 -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=34716 Anastasius Focht <focht(a)gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |dotnet Status|UNCONFIRMED |NEW CC| |focht(a)gmx.net Component|-unknown |kernel32 Summary|HippoAnimator3: Invalid |HippoAnimator3 fails on |name at installation |startup, complains 'Invalid |startup |name' (GetTempPathW on | |poisoned stack buffer) Ever Confirmed|0 |1 --- Comment #2 from Anastasius Focht <focht(a)gmx.net> 2013-11-12 17:46:13 CST --- Hello folks, confirming. Prerequisite: 'winetricks -q dotnet20' (if Mono is not installed) The installer writes a .NET app config file from its PE resource (good guy): --- snip --- 002b:Call KERNEL32.FindResourceW(00400000,0000006f,0040c89c L"BINARY") ret=00401431 002b:Ret KERNEL32.FindResourceW() retval=004161f0 ret=00401431 002b:Call KERNEL32.LoadResource(00000000,004161f0) ret=0040143d 002b:Ret KERNEL32.LoadResource() retval=00a63440 ret=0040143d 002b:Call KERNEL32.LockResource(00a63440) ret=00401444 002b:Ret KERNEL32.LockResource() retval=00a63440 ret=00401444 002b:Call KERNEL32.SizeofResource(00000000,004161f0) ret=0040144e 002b:Ret KERNEL32.SizeofResource() retval=000000db ret=0040144e 002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401464 002b:Ret KERNEL32.GetTempPathW() retval=00000014 ret=00401464 002b:Call KERNEL32.CreateDirectoryW(0033f5f4 L"C:\\users\\focht\\Temp\\",00000000) ret=00401473 002b:Ret KERNEL32.CreateDirectoryW() retval=00000000 ret=00401473 002b:Call KERNEL32.CreateFileW(0033ee24 L"C:\\users\\focht\\Temp\\HippoAnimator3Update.exe.config",40000000,00000000,00000000,00000002,00000080,00000000) ret=004014e6 002b:Ret KERNEL32.CreateFileW() retval=0000003c ret=004014e6 002b:Call KERNEL32.WriteFile(0000003c,00a63440,000000db,0033ee20,00000000) ret=004014f7 002b:Ret KERNEL32.WriteFile() retval=00000001 ret=004014f7 002b:Call KERNEL32.CloseHandle(0000003c) ret=004014fe 002b:Ret KERNEL32.CloseHandle() retval=00000001 ret=004014fe --- snip --- Next, an embedded PE binary should be written out the same way (bad guy): --- snip --- 002b:Call KERNEL32.FindResourceW(00400000,0000006e,0040c89c L"BINARY") ret=00401312 002b:Ret KERNEL32.FindResourceW() retval=004161e0 ret=00401312 002b:Call KERNEL32.LoadResource(00000000,004161e0) ret=0040131e 002b:Ret KERNEL32.LoadResource() retval=00470820 ret=0040131e 002b:Call KERNEL32.LockResource(00470820) ret=00401325 002b:Ret KERNEL32.LockResource() retval=00470820 ret=00401325 002b:Call KERNEL32.SizeofResource(00000000,004161e0) ret=0040132f 002b:Ret KERNEL32.SizeofResource() retval=005f2c20 ret=0040132f 002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401345 002b:Ret KERNEL32.GetTempPathW() retval=00000014 ret=00401345 002b:Call KERNEL32.CreateDirectoryW(0033f5f4 L"C:\\users\\focht\\Temp\\",00000000) ret=00401354 002b:Ret KERNEL32.CreateDirectoryW() retval=00000000 ret=00401354 002b:Call KERNEL32.CreateFileW(0033ee24 L"C:\\users\\focht\\Temp\\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...,40000000,00000000,00000000,00000002,00000080,00000000) ret=004013c3 002b:Ret KERNEL32.CreateFileW() retval=ffffffff ret=004013c3 002b:Call KERNEL32.WriteFile(ffffffff,00470820,005f2c20,0033ee20,00000000) ret=004013d4 002b:Ret KERNEL32.WriteFile() retval=00000000 ret=004013d4 002b:Call KERNEL32.CloseHandle(ffffffff) ret=004013db 002b:Ret KERNEL32.CloseHandle() retval=00000000 ret=004013db 002b:Call shell32.ShellExecuteExW(0033edc8) ret=004012be 002b:Call ntdll.RtlAllocateHeap(00110000,00000000,000005d8) ret=7e88fca5 002b:Ret ntdll.RtlAllocateHeap() retval=0012b758 ret=7e88fca5 002b:Call shlwapi.PathFindExtensionW(0012b758 L"C:\\users\\focht\\Temp\\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...) ret=7e88e187 002b:Ret shlwapi.PathFindExtensionW() retval=0012bd24 ret=7e88e187 --- snip --- The buffer for GetTempPathW() is allocated on stack and not pre-initialized. After CreateDirectoryW() call, a copy loop is used to construct the final path which gets passed to CreateFileW(). Due to the way the copy loop is coded, garbage characters from stack-based buffer might get copied, resulting in malformed path.
From there everything goes downhill. Crappy coding at its best ...
Maybe Windows zero-terminates GetTempPathW() buffer up to max buffer size or it just works by chance there (stack layout). $ sha1sum HippoAnimator3.exe 0051b4a9c55e9c7e1c146e604068f7d730930dc7 HippoAnimator3.exe $ du -sh HippoAnimator3.exe 7.3M HippoAnimator3.exe $ wine --version wine-1.7.6-168-g8c94e27 Regards -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=34716 --- Comment #3 from Anastasius Focht <focht(a)gmx.net> 2013-11-12 17:50:37 CST --- Created attachment 46504 --> http://bugs.winehq.org/attachment.cgi?id=46504 C application which mimics the buggy app behaviour Hello folks, I spare you the disassembly of installer and provide a small C application which mimics the buggy app behaviour. --- snip --- compile: $ winegcc -m32 -municode -o bug34716 bug34716.c run: $ ./bug34716.exe (zero init buffer) $ ./bug34716.exe <char> (poison buffer with <char>) --- snip --- Regards -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=34716 Jerome Leclanche <adys.wh(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |testcase -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=34716 Teras <teras(a)luukku.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |teras(a)luukku.com --- Comment #4 from Teras <teras(a)luukku.com> --- still the same wine-1.7.36-125-g656bc70 -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=34716 Bruno Jesus <00cpxxx(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed by SHA1| |f16cf541068831074a6891688d9 | |47f0ce32abdd9 Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #5 from Bruno Jesus <00cpxxx(a)gmail.com> --- Fixed by http://source.winehq.org/git/wine.git/commitdiff/f16cf541068831074a6891688d9... -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=34716 Alexandre Julliard <julliard(a)winehq.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #6 from Alexandre Julliard <julliard(a)winehq.org> --- Closing bugs fixed in 1.7.38. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
participants (1)
-
wine-bugs@winehq.org