https://bugs.winehq.org/show_bug.cgi?id=48018
Anastasius Focht focht@gmx.net changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |focht@gmx.net
URL             |http://www.oldversion.com/download/quicktime704.exe |https://web.archive.org/web/20110221145059/http://www.oldversion.com/download/quicktime704.exe
Component       |-unknown                    |programs
Resolution      |FIXED                       |---
Status          |RESOLVED                    |REOPENED
Summary         |QuickTime 7.0.x installer fails |QuickTime 7.0.x installer fails, 'rundll32.exe "C:\Program Files (x86)\QuickTime\QTSystem\QTJava.dll,QTPostInstallProc"' crashes due to invalid cdecl dll entry

--- Comment #5 from Anastasius Focht focht@gmx.net ---

Hello folks,
it crashes reliably for me in clean 64-bit WINEPREFIX.
--- snip ---
$ wine ./quicktime704.exe
...
wine: Unhandled page fault on read access to 00000002 at address 00000002 (thread
00ad:err:msi:execute_script Execution of script 0 halted; action L"QTJava_QTPostInstallProc" returned 1627
00ad:err:msi:ITERATE_Actions Execution halted, action L"InstallFinalize" returned 1627
...
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:00000002 ESP:0032fea0 EBP:00000000 EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000000 EBX:68033790 ECX:0032fce0 EDX:7e8b95c7
 ESI:00607da2 EDI:00607dd8
...
Backtrace:
=>0 0x00000002 (0x00000000)
0x00000002: -- no code accessible --
Modules:
Module   Address            Debug info  Name (54 modules)
PE         330000-  33c000  Deferred    api-ms-win-crt-runtime-l1-1-0
PE         340000-  36f000  Deferred    imm32
PE         400000-  41e000  Deferred    rundll32
PE         750000-  839000  Deferred    setupapi
PE         840000-  991000  Deferred    rpcrt4
PE       10000000-10013000  Deferred    version
PE       7b000000-7b1c1000  Deferred    kernelbase
ELF      7b400000-7b670000  Deferred    kernel32<elf>
  \-PE   7b420000-7b670000  \           kernel32
ELF      7bc00000-7beb1000  Deferred    ntdll<elf>
  \-PE   7bc30000-7beb1000  \           ntdll
ELF      7c000000-7c004000  Deferred    <wine-loader>
...
ELF      7e430000-7e54c000  Deferred    ucrtbase<elf>
  \-PE   7e460000-7e54c000  \           ucrtbase
ELF      7e54c000-7e623000  Deferred    msvcrt<elf>
  \-PE   7e570000-7e623000  \           msvcrt
ELF      7e623000-7e6a5000  Deferred    advapi32<elf>
  \-PE   7e640000-7e6a5000  \           advapi32
ELF      7e6a5000-7e7fa000  Deferred    gdi32<elf>
  \-PE   7e6c0000-7e7fa000  \           gdi32
ELF      7e7fa000-7ea2f000  Deferred    user32<elf>
  \-PE   7e820000-7ea2f000  \           user32
...
ELF      f7d62000-f7f14000  Dwarf       libwine.so.1
ELF      f7f16000-f7f3f000  Deferred    ld-linux.so.2
ELF      f7f42000-f7f43000  Deferred    [vdso].so
Threads:
process  tid      prio (all id:s are in hex)
...
0000005a QuickTimeInstaller.exe
        0000006d    0
        00000067    0
        0000005b    0
0000005f IDriver.exe
        000000c3    0
        ...
        00000060    0
00000088 ISBEW64.exe
        0000009b    0
        ...
        00000089    0
0000008d rpcss.exe
        00000097    0
        ...
        0000008e    0
0000009e IDriverT.exe
        000000a4    0
        ...
        0000009f    0
000000ae msiexec.exe
        000000c1    0
        ...
        000000af    0
...
000000f2 (D) C:\windows\syswow64\rundll32.exe
        000000f6    0
        000000f3    0 <==
...
--- snip ---
Reduced case:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/QuickTime/QTSystem

$ wine "C:\windows\syswow64\rundll32.exe" "C:\Program Files (x86)\QuickTime\QTSystem\QTJava.dll,QTPostInstallProc"
--- snip ---
That dll entry is CDECL but it should be CALLBACK/stdcall. Also the arguments don't seem to match. Standard entry point signature is:
--- snip ---
void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
--- snip ---
Depending on which toolchain Wine was built with it will crash or not.
LLVM-MinGW clang version 10.0.0 (https://github.com/llvm/llvm-project.git c49194969430f0ee817498a7000a979a7a0ded03):
--- snip ---
00401440   55                 PUSH EBP
00401441   89E5               MOV EBP,ESP
00401443   53                 PUSH EBX
00401444   57                 PUSH EDI
00401445   56                 PUSH ESI
00401446   81EC 90010000      SUB ESP,190
0040144C   8B75 10            MOV ESI,DWORD PTR SS:[EBP+10]
...
00401B8A   0FB745 C0          MOVZX EAX,WORD PTR SS:[EBP-40]
00401B8E   50                 PUSH EAX
00401B8F   FF75 E8            PUSH DWORD PTR SS:[EBP-18]
00401B92   FF75 08            PUSH DWORD PTR SS:[EBP+8]
00401B95   53                 PUSH EBX
00401B96   FF55 EC            CALL DWORD PTR SS:[EBP-14]          ; QTJava.QTPostInstallProc
00401B99   8B75 DC            MOV ESI,DWORD PTR SS:[EBP-24]       ; ---> imbalanced stack
00401B9C   EB 1B              JMP SHORT rundll32.00401BB9
...
00401BB9   8B45 D8            MOV EAX,DWORD PTR SS:[EBP-28]
00401BBC   8B40 30            MOV EAX,DWORD PTR DS:[EAX+30]
00401BBF   FF75 E8            PUSH DWORD PTR SS:[EBP-18]
00401BC2   6A 00              PUSH 0
00401BC4   FF70 18            PUSH DWORD PTR DS:[EAX+18]
00401BC7   E8 B0190000        CALL <JMP.&kernel32.HeapFree>
00401BCC   85DB               TEST EBX,EBX
00401BCE   0F85 ACFBFFFF      JNZ rundll32.00401780
...
00401799   57                 PUSH EDI
0040179A   6A 00              PUSH 0
0040179C   FF70 18            PUSH DWORD PTR DS:[EAX+18]
0040179F   E8 D81D0000        CALL <JMP.&kernel32.HeapFree>
004017A4   31C0               XOR EAX,EAX
004017A6   81C4 90010000      ADD ESP,190
004017AC   5E                 POP ESI
004017AD   5F                 POP EDI
004017AE   5B                 POP EBX
004017AF   5D                 POP EBP
004017B0   C2 1000            RETN 10                             ; ---> still imbalanced stack (16 bytes)
--- snip ---
-> crashes
GNU C11 7.3.0 20180125 (Fedora MinGW 7.3.0-1.fc28):
--- snip ---
004017F0   55                 PUSH EBP
004017F1   89E5               MOV EBP,ESP
004017F3   57                 PUSH EDI
004017F4   56                 PUSH ESI
004017F5   53                 PUSH EBX
004017F6   81EC CC010000      SUB ESP,1CC
...
004027DB   0FB785 A8FEFFFF    MOVZX EAX,WORD PTR SS:[EBP-158]
004027E2   897424 08          MOV DWORD PTR SS:[ESP+8],ESI
004027E6   894424 0C          MOV DWORD PTR SS:[ESP+C],EAX
004027EA   8B45 08            MOV EAX,DWORD PTR SS:[EBP+8]
004027ED   894424 04          MOV DWORD PTR SS:[ESP+4],EAX
004027F1   8B85 74FEFFFF      MOV EAX,DWORD PTR SS:[EBP-18C]
004027F7   890424             MOV DWORD PTR SS:[ESP],EAX
004027FA   8B85 68FEFFFF      MOV EAX,DWORD PTR SS:[EBP-198]
00402800   FFD0               CALL EAX                            ; QTJava.QTPostInstallProc
00402802   83EC 10            SUB ESP,10                          ; ---> imbalanced stack
00402805   897424 08          MOV DWORD PTR SS:[ESP+8],ESI
00402809   C74424 04 0000.    MOV DWORD PTR SS:[ESP+4],0
00402811   64:A1 18000000     MOV EAX,DWORD PTR FS:[18]
00402817   8B40 30            MOV EAX,DWORD PTR DS:[EAX+30]
0040281A   8B40 18            MOV EAX,DWORD PTR DS:[EAX+18]
0040281D   890424             MOV DWORD PTR SS:[ESP],EAX
00402820   E8 EB160000        CALL <JMP.&kernel32.HeapFree>
00402825   83EC 0C            SUB ESP,0C
00402828   E9 02F3FFFF        JMP rundll32.00401B2F
...
00401B7C   8D65 F4            LEA ESP,DWORD PTR SS:[EBP-C]        ; <--- recover (!)
00401B7F   31C0               XOR EAX,EAX
00401B81   5B                 POP EBX
00401B82   5E                 POP ESI
00401B83   5F                 POP EDI
00401B84   5D                 POP EBP
00401B85   C2 1000            RETN 10
--- snip ---
It works here because the compiler-generated epilog code recovers from stack imbalance.
Apparently this dll entry has been reported to crash on some older Windows versions as well:
https://kenta.blogspot.com/2005/10/quicktime-windows.html
https://discussions.apple.com/thread/162021
Protection ID scan:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\QuickTime\QTSystem\QTJava.dll
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 180224 (02C000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x4398AC71 -> Thu 08th Dec 2005 21:58:09 (GMT)
[TimeStamp] 0x4398AC71 -> Thu 08th Dec 2005 21:58:09 (GMT) | PE Header | - | Offset: 0x00000120 | VA: 0x68030120 | -
[TimeStamp] 0x430BC0EF -> Wed 24th Aug 2005 00:35:59 (GMT) | Export | - | Offset: 0x0001B674 | VA: 0x6804B674 | -
[File Heuristics] -> Flag #1 : 00000000000000000000000100000000 (0x00000100)
[Entrypoint Section Entropy] : 6.45 (section #0) ".text " | Size : 0x17B78 (97144) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 5 (0x5) | ImageSize 0x2F000 (192512) byte(s)
[Export] 100% of function(s) (184 of 184) are in file | 0 are forwarded | 184 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : Apple Computer. Inc.
[VersionInfo] Product Name : QuickTime for Java
[VersionInfo] Product Version : 6.1.1
[VersionInfo] File Description : QTJava dll
[VersionInfo] File Version : 6.1.1
[VersionInfo] Original FileName : QTJava.dll
[VersionInfo] Internal Name : QTJAVADLL
[VersionInfo] Legal Copyrights : Copyright © 1999-2003 Apple Computer. Inc
[ModuleReport] [IAT] Modules -> KERNEL32.dll | USER32.dll | ADVAPI32.dll
[CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003)
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.251 Second(s) [0000000FBh (251) tick(s)] [246 of 580 scan(s) done]
--- snip ---
Tidbit:
https://tla.mpi.nl/topic/elan-and-quicktime-72-on-windows/
--- quote ---
– the QuickTime 7.2 distribution doesn’t contain the file QTJava.dll anymore. This file has been part of QT for a long time and ELAN expects it to be present. ELAN doesn’t handle its absence gracefully.
--- quote ---
If it doesn't crash on newer Windows versions, Microsoft likely worked around this Apple braindamage and other broken vendor dlls in 'rundll32'.
I suggest introducing a wrapper here to ensure the return stack/epilog is properly restored, regardless of whether the dll entry was stdcall or cdecl.
$ sha1sum quicktime704.exe
fadbddbccaad9b0e79a66231399a2ce6cfc5409d  quicktime704.exe

$ du -sh quicktime704.exe
21M     quicktime704.exe

$ wine --version
wine-5.0-rc4-72-g4f0212c4fd
Regards
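An added illustration of the stack mechanics the comment describes, as a constructed model rather than Wine's or the reporter's code: it computes the 16-byte imbalance a cdecl entry with four dword arguments leaves behind when rundll32 calls it as stdcall, shows why the EBP-relative `LEA ESP,[EBP-C]` epilog of the gcc build recovers while the ESP-relative `ADD ESP,190` of the clang build does not, and models the proposed wrapper that restores ESP after the call whichever convention the entry used. The stack is a word array, the return addresses and saved-register patterns are constructed, and the code between the call and the epilog is abstracted away.

```c
#include <stdint.h>

/* Constructed word-addressed model of the 32-bit x86 stack (not Wine code): 4-byte slots, grows downward. */
#define STACK_WORDS 256
#define LOCAL_WORDS 100          /* SUB ESP,190 in the clang build: 0x190 / 4 */
#define NARGS       4            /* hwnd, hinst, lpszCmdLine, nCmdShow */
#define RET_ADDR    0x00401234u  /* constructed: where rundll32's own caller resumes */
enum conv   { CONV_STDCALL, CONV_CDECL };                 /* how the entry really returns */
enum epilog { EPILOG_ESP_RELATIVE, EPILOG_EBP_RELATIVE };  /* clang build vs gcc build */
typedef struct { uint32_t mem[STACK_WORDS]; int sp, bp; } machine;
static void     push(machine *m, uint32_t v) { m->mem[--m->sp] = v; }
static uint32_t pop(machine *m)              { return m->mem[m->sp++]; }

/* The callee's return: stdcall pops its own arguments (RETN 10), cdecl leaves them (RET). */
static void callee_returns(machine *m, enum conv c) {
    (void)pop(m);                                  /* return address into rundll32 */
    if (c == CONV_STDCALL) m->sp += NARGS;
}

/* Bytes ESP is off by after the call, as seen by a caller that assumed stdcall: 16 or 0. */
int stack_imbalance_bytes(enum conv c) {
    machine m = { {0}, STACK_WORDS, 0 };
    for (int i = 0; i < NARGS; i++) push(&m, 0);
    int expected_sp = m.sp + NARGS;                /* where stdcall would leave ESP */
    push(&m, 0x00401B99u);                         /* CALL pushes the return address */
    callee_returns(&m, c);
    return (expected_sp - m.sp) * 4;
}

/* One rundll32 frame: prolog, the call, then one of the two epilogs from the report. Returns
   the address the final RETN 10 pops; only RET_ADDR means the frame survived. `wrapped` models
   the suggested fix: save ESP before pushing the arguments, restore it after the call. */
uint32_t rundll32_frame(enum epilog e, enum conv c, int wrapped) {
    machine m = { {0}, STACK_WORDS, 0 };
    push(&m, RET_ADDR);
    push(&m, 0xBBBBBBBBu); m.bp = m.sp;            /* PUSH EBP; MOV EBP,ESP */
    push(&m, 0xEBEBEBEBu); push(&m, 0xED1ED1EDu); push(&m, 0xE51E51E5u); /* EBX, EDI, ESI */
    m.sp -= LOCAL_WORDS;                           /* SUB ESP,190 */
    for (int i = 0; i < LOCAL_WORDS; i++) m.mem[m.sp + i] = 0x00000002u; /* stale locals */
    int sp_before_args = m.sp;
    for (int i = 0; i < NARGS; i++) push(&m, 0);   /* PUSH the four arguments */
    push(&m, 0x00401B99u);                         /* CALL QTJava.QTPostInstallProc */
    callee_returns(&m, c);
    if (wrapped) m.sp = sp_before_args;            /* wrapper: restore ESP unconditionally */
    if (e == EPILOG_ESP_RELATIVE) m.sp += LOCAL_WORDS;  /* ADD ESP,190: trusts ESP */
    else                          m.sp = m.bp - 3;      /* LEA ESP,[EBP-C]: trusts EBP */
    (void)pop(&m); (void)pop(&m); (void)pop(&m); (void)pop(&m); /* POP EBX/EDI/ESI, POP EBP */
    uint32_t ret = pop(&m); m.sp += NARGS;         /* RETN 10: pop return address, drop args */
    return ret;
}
```

With an unwrapped cdecl entry and the ESP-relative epilog the popped return address comes from a saved-register slot instead of RET_ADDR, which is the analogue of the EIP:00000002 fault in the report.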