[Bug 12179] New: MSN Messenger crash in Wine 0.9.58 while starting
http://bugs.winehq.org/show_bug.cgi?id=12179

           Summary: MSN Messenger crash in Wine 0.9.58 while starting
           Product: Wine
           Version: 0.9.58.
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: trivial
          Priority: P2
         Component: -unknown
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: jaimerave(a)gmail.com

Created an attachment (id=11576)
 --> (http://bugs.winehq.org/attachment.cgi?id=11576)
Console output

After installing it, MSN Messenger will crash while loading in wine 0.9.58; it starts if you set it to win2k.

--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=12179

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht(a)gmx.net

--- Comment #1 from Anastasius Focht <focht(a)gmx.net> 2008-03-24 06:06:05 ---
Hello,

first: it would actually help if you filled out each bug report properly, at least specifying the exact version of the app used (7.0) and the download location.
Thanks.

This is an interesting and nasty bug - AJ might like this ;-)

The app crashes in the wine loader while trying to load shdocvw.dll.
Actually the crash is the result of earlier heap corruption.
The wine loader lists get corrupted by the app.
What makes this worse is that the location of the corruption is highly dependent on wine snapshot and configured version.
The loader module list corruption was actually a big hit which helped me to track this down quickly.

MSN messenger app uses richedit CreateTextServices/TextServices.
Unfortunately it seems to directly access data structures in a way wine has no knowledge of - a highly implementation-specific area.
This looks like another example of apps not consistently using public API/interfaces.
I hate them...

Following is the memory dump and the code snippet to show where/how the corruption happens, annotated for easier understanding.

$-8  = wine CreateTextServices (dlls/riched20/txtsrv.c) allocated block
$+0  = [esi+0A0h] ; ITextServicesImpl+0 -> wine riched20.textservices_Vtbl
$+50 = wine loader allocated block
$+60 = loader list entry which gets corrupted (high byte, see code snippet "or byte ptr [eax+3], 8")

--- snip memory dump ---
$-8   000000xx ; heapblock->size
$-4   00455355 ; heapblock->magic = ARENA_INUSE_MAGIC
$+0   60E12560 ; ITextServicesImpl->lpVtbl
$+4   00BCA278 ; ITextServicesImpl->pMyHost;
$+8   00000001 ; ITextServicesImpl->ref
$+C   0015EAB0 ; ITextServicesImpl->csTxtSrv.DebugInfo -> $+30
$+10  FFFFFFFF ; ITextServicesImpl->csTxtSrv.LockCount
$+14  00000000 ; ITextServicesImpl->csTxtSrv.RecursionCount
$+18  00000000 ; ITextServicesImpl->csTxtSrv.OwningThread
$+1C  00000000 ; ITextServicesImpl->csTxtSrv.LockSemaphore
$+20  00000000 ; ITextServicesImpl->csTxtSrv.SpinCount
$+24  00650074 ; ITextServicesImpl->csTxtSrv.SpinCount
$+28  00000020 ; heapblock->size
$+2C  00455355 ; heapblock->magic = ARENA_INUSE_MAGIC
$+30  00000000 ; DebugInfo->Type/CreatorBackTraceIndex
$+34  0015EA8C ; DebugInfo->CriticalSection
$+38  0015EAB8 ; DebugInfo->ProcessLocksList.entry->next
$+3C  0015EAB8 ; DebugInfo->ProcessLocksList.entry->prev
$+40  00000000 ; DebugInfo->EntryCount
$+44  00000000 ; DebugInfo->ContentionCount
$+48  60E0D280 ; DebugInfo->Spare[0] -> ASCII ptr "txtsrv.c: ITextServicesImpl.csTxtSrv"
$+4C  00000000 ; DebugInfo->Spare[1]
$+50  00000058 ; heapblock->size
$+54  04455355 ; heapblock->magic = ARENA_INUSE_MAGIC
$+58  00162548 ; loader InLoadOrderModuleList: entry->next
$+5C  00158868 ; loader InLoadOrderModuleList: entry->prev
$+60  00162550 ; loader InMemoryOrderModuleList: entry->next
$+64  001534E0 ; loader InMemoryOrderModuleList: entry->prev
$+68  00162558 ; loader InInitializationOrderModuleList: entry->next
$+6C  00158878 ; loader InInitializationOrderModuleList: entry->prev
$+70  60DE0000
$+74  60E06D60 ; riched20.__wine_spec_dll_entry
$+78  00039000
$+7C  00420040
$+80  0015EB38 ; UNICODE ptr "C:\windows\system32\riched20.dll"
$+84  001A0018
$+88  0015EB60 ; UNICODE ptr "riched20.dll"
--- snip memory dump ---

Relevant app code which corrupts the loader data by chance, annotated for easier reading:

--- snip app code ---
..
; esi = pThis of some vtbl
mov     eax, [esi+0A0h]       ; wine riched20.textservices_Vtbl
..
add     eax, 60h              ; offset into real IText(Services)Impl+0x60 ?
..
or      byte ptr [eax+3], 8   ; *eek* this will corrupt heap !!!
..
mov     ecx, [esi+0A0h]       ; wine riched20.textservices_Vtbl
..
mov     edx, [ecx]
push    ebx
mov     eax, 1000h
push    eax
push    eax
push    4CCh
call    dword ptr [edx+0Ch]   ; textservices_Vtbl->fnTextSrv_TxSendMessage
..
--- snip app code ---

What happens?
Because the app relies on internal data structures (CreateTextServices/ITextServicesImpl) - with a layout chosen by implementors - it corrupts data from the next heap block.
Unfortunately the next heap block contains loader data - by chance.

By adding some spare area in ITextServicesImpl I worked around this problem.
Hopefully the app will not peek/use data beyond.

--- dlls/riched20/txtsrv.c --- diff --git a/dlls/riched20/txtsrv.c b/dlls/riched20/txtsrv.c index 95d6f7c..d4679f7 100644 --- a/dlls/riched20/txtsrv.c +++ b/dlls/riched20/txtsrv.c
@@ -57,6 +57,7 @@ typedef struct ITextServicesImpl { ITextHost *pMyHost; LONG ref; CRITICAL_SECTION csTxtSrv; + char spare[256]; } ITextServicesImpl; static const ITextServicesVtbl textservices_Vtbl; --- dlls/riched20/txtsrv.c ---

And yes, the app crashes again after the fix.
That's another bug (CredUI insufficiencies) which has nothing to do with this problem.

http://bugs.winehq.org/show_bug.cgi?id=10073 seems to be the same problem.
As described earlier, the memory corruption highly depends on wine snapshot/config.
If you mark it as duplicate, please make bug 10073 a duplicate of this, because I gave all the info/fix here.

This incident made me think of how easily wine's "precious" data structures (loader lists, ...) can get corrupted because blocks are allocated from the same process heap.
Richedit and wine loader blocks were adjacent in this case - by chance.

Regards

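Review bot: The added `char spare[256];` at the end of ITextServicesImpl has no comment saying why it is there, so it reads as dead padding that a later cleanup could remove. Suggest a comment naming the application behaviour it absorbs (the byte write at object offset 0x60+3 shown in the analysis above) and this bug number, and deriving the size from that offset instead of a bare 256. Padding also only keeps the out-of-bounds write inside the allocation: the struct still does not provide whatever field the application expects at 0x60, so the message's own caveat about accesses further out still applies.
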
http://bugs.winehq.org/show_bug.cgi?id=12179

Jaime Rave <jaimerave(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://www.microsoft.com/dow
                   |                            |nloads/details.aspx?displayl
                   |                            |ang=en&FamilyID=cf49c56c-
                   |                            |8b3e-4eae-9904-9505f47bed45
           Keywords|                            |download

--- Comment #2 from Jaime Rave <jaimerave(a)gmail.com> 2008-03-24 12:27:00 ---
Hi Anastasius, sorry for not giving enough info, I'm adding a link to download the app.

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #3 from Lei Zhang <thestig(a)google.com> 2008-03-24 15:43:36 ---
*** Bug 10073 has been marked as a duplicate of this bug. ***

http://bugs.winehq.org/show_bug.cgi?id=12179

Lei Zhang <thestig(a)google.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|trivial                     |normal
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
            Summary|MSN Messenger crash in Wine |MSN Messenger 7.0 crashes
                   |0.9.58 while starting       |while starting

--- Comment #4 from Lei Zhang <thestig(a)google.com> 2008-03-24 15:45:17 ---
Ah, this explains why I never had any problems, while it fails for Jaime.

http://bugs.winehq.org/show_bug.cgi?id=12179

Dan Kegel <dank(a)kegel.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dank(a)kegel.com

--- Comment #5 from Dan Kegel <dank(a)kegel.com> 2008-03-24 17:37:14 ---
We need a keyword for 'violates encapsulation' or something...

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #6 from Anastasius Focht <focht(a)gmx.net> 2008-03-24 18:02:24 ---
Hello,

--- quote ---
We need a keyword for 'violates encapsulation' or something...
--- quote ---

I suggest 'Microsoftism' - people would automagically know that bugs flagged with this tag contain some kind of brain damage ;-)

Regards

http://bugs.winehq.org/show_bug.cgi?id=12179

Adam Dempsey <dempsey(a)weirdfish.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dempsey(a)weirdfish.net

http://bugs.winehq.org/show_bug.cgi?id=12179

Sjors Gielen <dazjorz(a)dazjorz.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dazjorz(a)dazjorz.com

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #7 from Jaime Rave <jaimerave(a)gmail.com> 2008-05-02 15:08:18 ---
Still a problem in wine 0.9.61

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #8 from Anastasius Focht <focht(a)gmx.net> 2008-05-03 03:18:21 ---
Hello,

--- quote ---
Still a problem in wine 0.9.61
--- quote ---

There is no need to retest it for every wine release for the sake of "pinging" this bug.
The analysis is here with a possible fix given.
Just wait until some wine dev picks the information up and sends a fix.
When this happens, you'll see some "patch sent/committed" message here.

Regards

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #9 from Andrey Turkin <andrey.turkin(a)gmail.com> 2008-09-29 17:53:22 ---
Created an attachment (id=16374)
 --> (http://bugs.winehq.org/attachment.cgi?id=16374)
CredReadDomainCredentials stub

With current GIT sources+patch MSN Messenger 7.0.0820 started fine in Winxp mode and I was able to log in. Interestingly enough, riched workaround wasn't needed for me (maybe layout shifted somehow so non-essential memory becomes corrupted or something).

http://bugs.winehq.org/show_bug.cgi?id=12179

Andrey Turkin <andrey.turkin(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andrey.turkin(a)gmail.com

http://bugs.winehq.org/show_bug.cgi?id=12179

Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #10 from Anastasius Focht <focht(a)gmx.net> 2008-10-31 19:22:54 ---
Hello,

good to see the heap corruption part fixed (commit 8d18cb8caf17f9d85ae01319e98a438332400a5c) ..

--- quote ---
Interestingly enough, riched workaround wasn't needed for me (maybe layout shifted somehow so non-essential memory becomes corrupted or something).
--- quote ---

Sure. Heap corruption is a nasty thing and doesn't immediately lead to crashes (or never depending on which parts of heap get corrupted).

Any feedback on CredReadDomainCredentialsA/W try4?
When that patch gets committed the bug can be marked fixed.

Regards

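The point made in comments #9 and #10, that the same stray write can hit the loader list, harmless memory, or nothing outside the object depending on heap layout, shown as an added example (not Wine code and not from the thread): a C simulation of the three adjacent blocks in the dump from comment #1. The bump allocator, the function names and the 0x40 middle-block size are assumptions made for illustration; the other sizes, the 0x60+3 offset and the list pointer value are taken from the dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR        8u    /* arena header: size + magic, as in the dump */
#define APP_OFFSET 0x60u /* "add eax, 60h" in the app code */

enum { IN_OBJECT, IN_MIDDLE, IN_LOADER, IN_HEADER };
typedef struct { int victim; uint32_t mem_next; } result;
static uint8_t heap[1024];
static uint32_t top;

static void wr32(uint32_t off, uint32_t v)   /* little-endian store */
{
    for (int i = 0; i < 4; i++) heap[off + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t rd32(uint32_t off)           /* little-endian load */
{
    return heap[off] | heap[off + 1] << 8 | heap[off + 2] << 16 | (uint32_t)heap[off + 3] << 24;
}

/* Hypothetical bump allocator: 8-byte header, data rounded up to 8 bytes. */
static uint32_t alloc_block(uint32_t size)
{
    top += HDR;                      /* header contents are not modelled */
    uint32_t data = top;
    top += (size + 7u) & ~7u;
    return data;                     /* offset of the data area */
}

/* Lay out object, middle block and loader entry back to back, then replay
   the app's "or byte ptr [eax+3], 8" against the object pointer. */
result stray_write(uint32_t obj_size, uint32_t mid_size)
{
    memset(heap, 0, sizeof heap);
    top = 0;
    uint32_t obj = alloc_block(obj_size);
    uint32_t obj_end = top;
    uint32_t mid = alloc_block(mid_size);
    uint32_t mid_end = top;
    uint32_t ldr = alloc_block(0x58);
    wr32(ldr + 8, 0x00162550u);      /* InMemoryOrderModuleList next, $+60 */
    uint32_t hit = obj + APP_OFFSET + 3;
    heap[hit] |= 8;
    result r = { IN_HEADER, rd32(ldr + 8) };
    if (hit < obj_end) r.victim = IN_OBJECT;
    else if (hit >= mid && hit < mid_end) r.victim = IN_MIDDLE;
    else if (hit >= ldr && hit < top) r.victim = IN_LOADER;
    return r;
}

int main(void)
{
    /* dump layout, layout with spare[256], constructed layout with a larger middle block */
    result a = stray_write(0x24, 0x20), b = stray_write(0x124, 0x20), c = stray_write(0x24, 0x40);
    printf("%d %08x | %d %08x | %d %08x\n", a.victim, (unsigned)a.mem_next,
           b.victim, (unsigned)b.mem_next, c.victim, (unsigned)c.mem_next);
    return 0;
}
```

In the third case the list pointer survives but the middle block is silently modified, which is the "no crash yet" situation the two comments describe.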
http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #11 from Andrey Turkin <andrey.turkin(a)gmail.com> 2008-11-01 01:44:12 ---
I got no feedback at all for the last two sends, let's see if a second resend will do the trick :)

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #12 from Jaime Rave <jaimerave(a)gmail.com> 2008-12-06 15:20:24 ---
Still a problem in Wine 1.1.10. Andrey, what's the current status of the patch?

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #13 from Andrey Turkin <andrey.turkin(a)gmail.com> 2008-12-09 12:06:33 ---
(In reply to comment #12)
> Still a problem in Wine 1.1.10. Andrey, what's the current status of the patch?

I got a NAK from AJ on the last send some weeks ago but I'm pretty busy (if not overwhelmed) with my work duties these days so I never had free time to look at it (and eventually forgot about it). Anyway, I just finally fixed the issue spotted by Alexandre and sent a new version to wine-patches. Let's see if it goes into GIT or not.

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #14 from Andrey Turkin <andrey.turkin(a)gmail.com> 2008-12-27 12:18:44 ---
Well, the patch (prettified by AJ as usual) was just accepted into GIT

http://bugs.winehq.org/show_bug.cgi?id=12179

Dan Kegel <dank(a)kegel.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #15 from Dan Kegel <dank(a)kegel.com> 2008-12-27 15:53:00 ---
Fixed!

Now to file bugs for further problems. What's the best way to find somebody to chat with? None of my friends run windows :-)

http://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #16 from Jaime Rave <jaimerave(a)gmail.com> 2008-12-30 21:53:10 ---
OMG, I just returned from a trip and found this wonderful news!!! Thanks a lot Andrey and Focht. This program is really important here in Colombia, it is present on almost every computer using Windows. Of course, this version is not really used but it has all the main functions like web cam (that is not working, bug 16147). But we're getting closer.

Thanks a lot again.

And Dan, if you want to chat you can add my gmail account ;)

http://bugs.winehq.org/show_bug.cgi?id=12179

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #17 from Alexandre Julliard <julliard(a)winehq.org> 2009-01-02 10:33:21 ---
Closing bugs fixed in 1.1.12.

http://bugs.winehq.org/show_bug.cgi?id=12179

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |8d18cb8caf17f9d85ae01319e98
                   |                            |a438332400a5c
                URL|http://www.microsoft.com/do |http://www.oldversion.com/w
                   |wnloads/details.aspx?displa |indows/download/msn-messeng
                   |ylang=en&FamilyID=cf49c56c- |er-7-0-0820
                   |8b3e-4eae-9904-9505f47bed45 |
          Component|-unknown                    |richedit

https://bugs.winehq.org/show_bug.cgi?id=12179

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://www.oldversion.com/w |https://web.archive.org/web
                   |indows/download/msn-messeng |/20130508221401/http://down
                   |er-7-0-0820                 |load.microsoft.com/download
                   |                            |/9/7/6/976085f9-d0f8-4d96-9
                   |                            |208-fc1b461cd3d7/Install_MS
                   |                            |N_Messenger.exe

--- Comment #18 from Anastasius Focht <focht(a)gmx.net> ---
Hello folks,

adding stable download link via Internet Archive for documentation.

https://web.archive.org/web/20130508221401/http://download.microsoft.com/dow...

https://www.virustotal.com/gui/file/87f7450d7daaa10f7a243f19ad6bdb5cb4f3a454...

$ sha1sum Install_MSN_Messenger.exe
67791abeae82558ab863ace1a5ff35efaef8ec11  Install_MSN_Messenger.exe

$ du -sh Install_MSN_Messenger.exe
11M     Install_MSN_Messenger.exe

Regards

https://bugs.winehq.org/show_bug.cgi?id=12179

--- Comment #19 from Anastasius Focht <focht(a)gmx.net> ---
Hello folks,

adding stable download link via Internet Archive for documentation

https://web.archive.org/web/20060813121324/http://download.microsoft.com/dow...

https://www.virustotal.com/gui/file/56ca1fdd145f4ccd5e665b5f0c0864acb3cfbd5d...

$ sha1sum Install_MSN_Messenger.exe
9f85d0ba089d7451fd4339973fbd6f71aab98a85  Install_MSN_Messenger.exe

$ du -sh Install_MSN_Messenger.exe
9.0M    Install_MSN_Messenger.exe

Regards