http://bugs.winehq.org/show_bug.cgi?id=23283 Anastasius Focht <focht(a)gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |focht(a)gmx.net --- Comment #2 from Anastasius Focht <focht(a)gmx.net> 2010-06-20 15:26:34 --- Hello, Wine bug unearthed by an "ElsterFormular" application bug ;-) Prerequisites: vcrun6 and some (free) pdf reader application to use "print preview" (app internally exports/generates .pdf). --- quote --- wine: Unhandled exception 0xc0000409 at address 0x42f6e2 (thread 001c), starting debugger... --- quote --- This exception is caused by the app's internal runtime detecting a stack corruption (it uses stack security cookies). Basically after calling shell32.FindExecutableW() the stack got corrupted. For the interested how stack cookies work: http://msdn.microsoft.com/en-us/library/aa290051.aspx Annotated app callstack before entering shell32.FindExecutableW(): HINSTANCE WINAPI FindExecutableW(LPCWSTR lpFile, LPCWSTR lpDirectory, LPWSTR lpResult) --- snip app stack --- 003396BC 041CA512 lpFile = "C:\users\focht\Application Data\elsterformular\pica\tmp\100620205722_ElsterPrintPreview.pdf" 003396C0 00000000 lpDirectory = NULL 003396C4 0033970C lpResult = 0033970C ... ; lpResult buffer starts here 0033970C 00000000 ... ; stack security cookie 0033980C 5A6E2810 ; points to next SEH record 00339810 00339868 ; structured exception handler 00339814 00444702 00339818 00000007 ; return to caller 0033981C 004167C0 ... --- snip app stack --- dlls/shell32/shlexec.c:FindExecutableW -> SHELL_FindExecutable() SHELL_FindExecutableByOperation() is used to determine the executable to be launched with certain registered filetype (.pdf extension registered): --- snip dlls/shell32/shlexec.c --- static UINT SHELL_FindExecutable(LPCWSTR lpPath, LPCWSTR lpFile, LPCWSTR lpOperation, LPWSTR lpResult, int resultLen, LPWSTR key, WCHAR **env, LPITEMIDLIST pidl, LPCWSTR args) { ... if (*filetype) { /* pass the operation string to SHELL_FindExecutableByOperation() */ retval = SHELL_FindExecutableByOperation(lpOperation, key, filetype, command, sizeof(command)); if (retval > 32) { DWORD finishedLen; SHELL_ArgifyW(lpResult, resultLen, command, xlpFile, pidl, args, &finishedLen); if (finishedLen > resultLen) ERR("Argify buffer not large enough.. truncated\n"); ... --- snip dlls/shell32/shlexec.c --- Resulting in -> ""C:\Program Files\Tracker Software\PDF Viewer\PDFXCview.exe" "%1"" (the pdf viewer I installed for this purpose). Replacing "%1" -> "C:\users\focht\Application Data\elsterformular\pica\tmp\100620205722_ElsterPrintPreview.pdf" What happens is that the output buffer (lpResult) of FindExecutableW() caller will actually contain two strings in argv-style: executable and file name up to MAX_PATH. This is wrong - the app buffer should never get the %1 (filename) parameter (even if it's "invisible" due to null terminator in between) - it only requested executable name - an unfortunate side effect of Wine's code sharing at this place. I already mentioned this Wine bug was unearthed by an application bug. As you can see in annotated stack snippet, the application didn't bother to provide what Microsoft suggests for lpResult: MAX_PATH length (http://msdn.microsoft.com/en-us/library/bb776419.aspx). Even if Wine fixes the problem by only copying executable path - if the pdf executable path is long enough, it will most likely also corrupt the stack on Windows. Someone should tell these guys how to write "secure" software: https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/738-BSI.html But what can you expect from people that use german identifiers all over the place for their classes, functions, variables and the like .. that's pure coding horror (never heard of industry standards?). Run the app with WINEDEBUG=+debugstr and see what I mean ... Regards -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=23283 --- Comment #4 from Anastasius Focht <focht(a)gmx.net> 2010-06-20 17:34:41 --- Hello, --- wuote --- I mailed to hotline(a)elsterformular.de. I also mentioned that they should provide PDF export. Let's see whether and what they reply ... --- wuote --- Well, good luck with that ... for your pleasure here is a thread from their helpdesk forum: "Umsatzsteuervoranmeldung - Ausdruck nicht möglich": https://www.elster.de/anwenderforum/archive/index.php/t-22773.html Pretty pretty sarcastic tone there (I'm native german too, so I can comprehend their pain) :| Funnily, even Microsoft made hotfixes for their bug ridden software (not for this specific problem): http://support.microsoft.com/kb/935448 :-) I hope these guys never work on mission-critical software projects... more harm than good. Regards -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=23283 --- Comment #5 from Johannes Obermayr <johannesobermayr(a)gmx.de> 2010-06-28 07:58:44 --- "[...] wir müssen Ihnen leider mitteilen, dass wir Ihnen bei Ihrem Anliegen nicht weiter helfen können. ElsterFormular wird bisher nicht unter Linux unterstützt. Auch bieten wir keine Unterstützung für WINE. Wir bedauern Ihnen keine positive Antwort geben zu können." (hotline(a)elster.de) So what now? I assume I have to file a motion for a linux client (which they deny, free of charge), then contradict (free of charge) and finally file a suit (costs?). Basis should be: Elster-Gutachten, Dr. Till Jaeger, Munich, 2005-03-14 And I hope there are many followers ... -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=23283 Anastasius Focht <focht(a)gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- URL| |https://www.elster.de/elfo_ | |down4.php?who=2009/2010 Component|-unknown |shell32 Summary|Cannot print my annual |Cannot print my annual |income tax return in |income tax return in |ElsterFormular (crash) |ElsterFormular (crash) | |(shell32.SHELL_FindExecutab | |le corrupts stack) --- Comment #7 from Anastasius Focht <focht(a)gmx.net> 2010-08-18 04:40:23 --- Hello, setting component 'shell32', download and summary fields. Regards -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=23283 Anastasius Focht <focht(a)gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution| |ABANDONED --- Comment #9 from Anastasius Focht <focht(a)gmx.net> 2012-01-13 14:03:21 CST --- Hello, --- quote --- Is this still an issue? My Elster is flying around without crashes. I use this version: http://appdb.winehq.org/objectManager.php?sClass=version&iId=22570 wine v1.3.36 --- quote --- Well, obviously not - the app code was partially rewritten. It seems the stack based buffer is now MAX_PATH length, no security cookie. The app uses the "A" version of FindExecutable() now which supplies a MAX_PATH sized buffer on its own for A<->W conversion hence FindExecutableW() doesn't pass the app buffer down directly to SHELL_FindExecutable() and SHELL_ArgifyW() to operate on. Because an internal buffer with MAX_PATH is used, '"<executable_path>" "%1"' replacing "%1" with real path works because truncation happens on closing double quote (executable name), first space or MAX_PATH. Though if an app still supplies buffer<MAX_PATH (ignoring what MSDN says) and calls FindExecutableW() directly it will overflow with overly long paths. "ElsterFormular 2008/2009" Download: https://download.elster.de/download/2008/ElsterFormular-10.4.0.0.exe The binaries are compiled in 2011. $ sha1sum ElsterFormular-10.4.0.0.exe b85f6341860396a334eea48a171c5a3aa921bf3a ElsterFormular-10.4.0.0.exe $ wine --version wine-1.3.36-310-gaba9ddc ("wine ./Elfo2008.exe peterx3" to skip loader) Because this can't be reproduced anymore (broken app unavailable) I'll mark this one abandoned until another app shows up. Nothing was fixed on Wine side. Regards -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=23283 André H. <nerv(a)dawncrow.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nerv(a)dawncrow.de --- Comment #11 from André H. <nerv(a)dawncrow.de> --- related bug https://bugs.winehq.org/show_bug.cgi?id=29979 (most likely a dup?) was fixed by https://source.winehq.org/git/wine.git/commitdiff/1010372778978a30fb7f9d36d5... -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.