http://bugs.winehq.org/show_bug.cgi?id=25249
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
           Keywords|                            |download
                URL|                            |http://www.envi-met.com/dow
                   |                            |nload30.htm
          Component|-unknown                    |comctl32
                 CC|                            |focht@gmx.net
     Ever Confirmed|0                           |1
            Summary|Leonardo.exe crashes:       |Leonardo.exe from ENVI-met
                   |Process                     |(microclimate model
                   |/usr/bin/wine-preloader was |simulation software)
                   |killed by signal 11         |crashes due to strict
                   |(SIGSEGV)                   |comctl32.151
                   |                            |(CreateMRUListLazyA) input
                   |                            |parameter validation
--- Comment #2 from Anastasius Focht focht@gmx.net 2011-12-16 17:11:26 CST --- Hello,
confirming. Looks like comctl32.151 -> CreateMRUListLazyA (MRU list) is the culprit here.
--- snip ---
...
0023:Call KERNEL32.CompareStringA(00000800,00000001,1a7bf178 "TJvMruList",0000000a,1a7bee18 "TJvMruList",0000000a) ret=00404c23
0023:Ret  KERNEL32.CompareStringA() retval=00000002 ret=00404c23
0023:Call KERNEL32.SetErrorMode(00008000) ret=00410b1f
0023:Ret  KERNEL32.SetErrorMode() retval=00000000 ret=00410b1f
0023:Call KERNEL32.LoadLibraryA(005180c8 "COMCTL32.DLL") ret=00410b4e
0023:Ret  KERNEL32.LoadLibraryA() retval=68660000 ret=00410b4e
...
0023:Call comctl32.151(0032f858) ret=00517e28
0023:Ret  comctl32.151() retval=00000000 ret=00517e28
0023:Call user32.LoadStringA(00400000,0000fe92,0032e818,00001000) ret=00407fbb
0023:Ret  user32.LoadStringA() retval=00000014 ret=00407fbb
0023:Call KERNEL32.RaiseException(0eedfade,00000001,00000007,0032f828) ret=00517e48
0023:trace:seh:raise_exception code=eedfade flags=1 addr=0x7b838b5b ip=7b838b5b tid=0023
0023:trace:seh:raise_exception  info[0]=00517e48
0023:trace:seh:raise_exception  info[1]=1a7b5620
0023:trace:seh:raise_exception  info[2]=1a77d1d8
0023:trace:seh:raise_exception  info[3]=00156654
0023:trace:seh:raise_exception  info[4]=00156654
0023:trace:seh:raise_exception  info[5]=0032f870
0023:trace:seh:raise_exception  info[6]=0032f844
0023:trace:seh:raise_exception  eax=7b826171 ebx=7b8a97a8 ecx=00517e48 edx=0032f744 esi=0032f828 edi=0032f7a0
0023:trace:seh:raise_exception  ebp=0032f788 esp=0032f724 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200203
--- snip ---
Debugging session:
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x69524ed7 CreateMRUListLazyA+0x12c(lpcml=0x33f858, dwParam2=0, dwParam3=0, dwParam4=0) [/home/focht/projects/wine/wine-git/dlls/comctl32/comctl32undoc.c:792] in comctl32 (0x0033f838)
  1 0x69524f4e CreateMRUListA+0x34(lpcml=0x33f858) [/home/focht/projects/wine/wine-git/dlls/comctl32/comctl32undoc.c:817] in comctl32 (0x0033f838)
  2 0x00517e28 in leonardo (+0x117e27) (0x0033f870)
  3 0x00517c0d in leonardo (+0x117c0c) (0x0033f8b0)
  4 0x004259c6 in leonardo (+0x259c5) (0x0033f8f4)
  5 0x0042558b in leonardo (+0x2558a) (0x0033f944)
...
Wine-dbg>info locals
0x69524ed7 CreateMRUListLazyA+0x12c: (0033f838)
MRUINFOA* lpcml=0x33f858 (parameterESP)
DWORD dwParam2=0 (parameterESP)
DWORD dwParam3=0 (parameterESP)
DWORD dwParam4=0 (parameterESP)
LPWINEMRULIST mp=0x23 (localESP)
DWORD len=0x69524daf (localESP)
...
Wine-dbg>p *lpcml
{cbSize=0x4, uMax=0xa, fFlags=0, hKey=0x80000001, lpszSubKey="Leonardo", u={string_cmpfn=(nil), binary_cmpfn=(nil)}}
--- snip ---
cbSize = 4 doesn't survive Wine's input check:
http://source.winehq.org/git/wine.git/blob/cefcadcc38fac636061bb70a64f367a97...
--- snip ---
HANDLE WINAPI CreateMRUListLazyA (const MRUINFOA *lpcml, DWORD dwParam2,
                                  DWORD dwParam3, DWORD dwParam4)
{
    LPWINEMRULIST mp;
    DWORD len;

    /* Native does not check for a NULL lpcml */

    if (lpcml->cbSize != sizeof(MRUINFOA) || !lpcml->hKey ||
        IsBadStringPtrA(lpcml->lpszSubKey, -1))
        return 0;
--- snip ---
The app checks the returned handle and, if it is zero, throws an external (Delphi) exception (0xeedfade), which results in recursion, eating up the stack.
Pulling one of my JEDI mind tricks ... I found the JEDI source ;-)
http://www.koders.com/delphi/fidB7C89A98ECAD854275C6F0FE68AD6B80E2A3763B.asp...
Specifically "procedure TJvMruList.Open":
http://www.koders.com/delphi/fidB7C89A98ECAD854275C6F0FE68AD6B80E2A3763B.asp...
--- snip ---
...
    FList: THandle;
...

procedure TJvMruList.Open;
var
  FLst: TMruRec;
begin
  if csDesigning in ComponentState then
    Exit;

  if FSubKey <> '' then
  begin
    FLst.cbSize := SizeOf(FList);
    FLst.nMaxItems := FMax;
    ...
    if UseUnicode then // Arioch changed this
      FLst.lpszSubKeyW := PWideChar(FSubKey)
    else
      FLst.lpszSubKey := PChar(GetSubKey);

    if UseUnicode then // Arioch changed this
      FList := CreateMruListW(@FLst)
    else
      FList := CreateMruList(@FLst);

    if FList = 0 then
      raise EMruException.Create(RC_ErrorMRU_Creating);
--- snip ---
"FLst.cbSize := SizeOf(FList);" will always evaluate to 4 bytes (sizeof handle).
Looks like a bug in the JEDI library component that Windows tolerates?
$ sha1sum ENVImet_V31BETA5setup.exe
03d362af9e9222c70c4b4db2741ede43a917dced  ENVImet_V31BETA5setup.exe
$ wine --version wine-1.3.35
Regards
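The mismatch described in the comment above, reduced to a stand-alone C program (added example, not code from the bug report, from Wine or from the JEDI library). It reconstructs a record with the field order shown in the `p *lpcml` dump, fills it once the way `TJvMruList.Open` does (`cbSize := SizeOf(FList)`, i.e. the 4-byte size of a `THandle`) and once with the record's own size, and runs both through the three conditions of Wine 1.3.35's `CreateMRUListLazyA` check. `IsBadStringPtrA` is replaced by a NULL check so it builds outside Win32, and the "tolerant" variant is a hypothetical illustration of what ignoring `cbSize` would mean, not a statement about native comctl32 behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the MRUINFOA record for this example (not the Wine or
 * SDK header). Field order follows the "p *lpcml" dump in the bug report:
 * cbSize, uMax, fFlags, hKey, lpszSubKey, comparison callback. */
typedef int (*mru_string_cmpfn)(const char *a, const char *b);

typedef struct {
    uint32_t cbSize;
    uint32_t uMax;
    uint32_t fFlags;
    uintptr_t hKey;            /* HKEY handle; 0 means "no key" */
    const char *lpszSubKey;
    mru_string_cmpfn string_cmpfn;
} MRUINFOA;

/* HKEY_CURRENT_USER as it appears in the dump (hKey=0x80000001). */
#define HKEY_CURRENT_USER_VALUE 0x80000001u

/* Strict validation: the same three conditions as Wine 1.3.35's
 * CreateMRUListLazyA. IsBadStringPtrA is replaced by a NULL check so the
 * example builds outside Win32. Returns 1 if the record would be accepted,
 * 0 if CreateMRUListLazyA would hand back a NULL handle. */
int mru_info_accepted_strict(const MRUINFOA *lpcml)
{
    if (lpcml->cbSize != sizeof(MRUINFOA) || !lpcml->hKey ||
        lpcml->lpszSubKey == NULL)
        return 0;
    return 1;
}

/* Hypothetical tolerant variant: ignores cbSize (the field the JEDI code
 * gets wrong) but still refuses a missing key or sub key. This is an
 * assumption about what "tolerating" the bad cbSize could look like, not a
 * description of native comctl32. */
int mru_info_accepted_tolerant(const MRUINFOA *lpcml)
{
    if (!lpcml->hKey || lpcml->lpszSubKey == NULL)
        return 0;
    return 1;
}

/* Fill the record the way TJvMruList.Open does: cbSize := SizeOf(FList),
 * where FList is a THandle, so cbSize is 4 whatever the record size is. */
void fill_mruinfo_jedi_style(MRUINFOA *m, const char *subkey, uint32_t max_items)
{
    memset(m, 0, sizeof *m);
    m->cbSize = 4;                     /* SizeOf(THandle) in 32-bit Delphi */
    m->uMax = max_items;
    m->hKey = HKEY_CURRENT_USER_VALUE;
    m->lpszSubKey = subkey;
}

/* Same record with cbSize set to the record's own size, which is what the
 * strict check compares against (SizeOf(FLst) in the Delphi code). */
void fill_mruinfo_correct(MRUINFOA *m, const char *subkey, uint32_t max_items)
{
    fill_mruinfo_jedi_style(m, subkey, max_items);
    m->cbSize = (uint32_t)sizeof *m;
}

int main(void)
{
    MRUINFOA jedi, fixed;
    fill_mruinfo_jedi_style(&jedi, "Leonardo", 10);   /* values from the dump */
    fill_mruinfo_correct(&fixed, "Leonardo", 10);

    printf("sizeof(MRUINFOA) on this host = %u\n", (unsigned)sizeof(MRUINFOA));
    printf("JEDI-style record (cbSize=%u): strict=%d tolerant=%d\n",
           (unsigned)jedi.cbSize,
           mru_info_accepted_strict(&jedi), mru_info_accepted_tolerant(&jedi));
    printf("corrected record  (cbSize=%u): strict=%d tolerant=%d\n",
           (unsigned)fixed.cbSize,
           mru_info_accepted_strict(&fixed), mru_info_accepted_tolerant(&fixed));
    return 0;
}
```

The strict path rejects the JEDI-style record on every host, since 4 can never equal the size of a record that holds at least two pointers; the corrected record passes. Note that the tolerant variant still keeps the `hKey` and sub-key checks, so relaxing `cbSize` alone does not turn the function into an accept-anything stub.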