https://bugs.winehq.org/show_bug.cgi?id=51425
Bug ID: 51425
Summary: Mathearbeit G 5.6 installer reports null pointer exception in module 'shell32.dll' starting with Wine 6.9-142-g98d43c5dcfb
Product: Wine
Version: 6.12
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: shell32
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---

Hello folks,
while revisiting bug 38740 ("Mathearbeit G 5.6 installer hangs during installation (ShellFolder attributes for virtual folder 'CLSID_Printers', clsid '{2227a280-3aea-1069-a2de-08002b30309d}' missing in registry)") to validate the claim that the bug has been fixed, I've found a regression which actually hides the original bug.
Stable download link via Internet Archive:
https://web.archive.org/web/20210708082931/http://zahlenbasar.de/MA_DL/setup...
--- snip ---
...
0118:trace:shell:_SHGetUserShellFolderPath 0x80000002,(null),L"{00000000-0000-0000-0000-000000000000}",0x32ea98
0118:Call advapi32.RegCreateKeyW(80000002,7daf0dc0 L"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",0032e18c) ret=7daa23be
...
0118:Ret advapi32.RegCreateKeyW() retval=00000000 ret=7daa23be
0118:Call advapi32.RegCreateKeyW(80000002,7daf0d20 L"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",0032e188) ret=7daa23d8
...
0118:Ret advapi32.RegCreateKeyW() retval=00000000 ret=7daa23d8
0118:Call advapi32.RegQueryValueExW(000000f0,0032e800 L"{00000000-0000-0000-0000-000000000000}",00000000,0032e190,0032ea98,0032e194) ret=7daa2417
...
0118:Ret advapi32.RegQueryValueExW() retval=00000002 ret=7daa2417
...
0118:trace:shell:_SHGetUserShellFolderPath returning 0x80004005
0118:trace:shell:_SHGetDefaultValue 0x45,0x32ea98
0118:trace:seh:dispatch_exception code=c0000005 flags=0 addr=7DAA0EA5 ip=7daa0ea5 tid=0118
0118:trace:seh:dispatch_exception info[0]=00000000
0118:trace:seh:dispatch_exception info[1]=00000000
0118:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception (code=c0000005) raised
0118:trace:seh:dispatch_exception eax=00000000 ebx=00000045 ecx=0032e354 edx=0032e37e esi=0032ea98 edi=00000000
0118:trace:seh:dispatch_exception ebp=0032e7d8 esp=0032e7a0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0118:trace:seh:call_vectored_handlers calling handler at 7B00F750 code=c0000005 flags=0
0118:trace:seh:call_vectored_handlers handler at 7B00F750 returned 0
0118:trace:seh:call_stack_handlers calling handler at 004D512B code=c0000005 flags=0
0118:trace:seh:call_stack_handlers handler at 004D512B returned 1
0118:trace:seh:call_stack_handlers calling handler at 004E2570 code=c0000005 flags=0
0118:trace:seh:call_stack_handlers handler at 004E2570 returned 1
0118:trace:seh:call_stack_handlers calling handler at 0044B389 code=c0000005 flags=0
...
0118:Call user32.MessageBoxA(0001009a,02dbd314 "Zugriffsverletzung bei Adresse 7DAA0EA5 in Modul 'shell32.dll'. Lesen von Adresse 00000000.",013f5160 "MATHEARBEIT G Setup",00000010) ret=0045273f
...
--- snip ---
After dismissing the dialog, the installer runs further and indeed completes without live-looping (copies files). Bug 38740 *appears* to be fixed but in fact it's not.
Commit https://source.winehq.org/git/wine.git/commitdiff/98d43c5dcfb28183667d874d4c... ("shell32: Calculate known folder paths from parent and relative path."), part of Wine 6.10 release, introduced a regression which causes a NULL pointer exception in the reworked shell32 code.
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/shell32/shellpath.c#l...
--- snip ---
2446     { /* 0x45 */
2447         &GUID_NULL,
2448         CSIDL_Type_User,
2449         NULL,
2450         DocumentsW
2451     },
--- snip ---
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/shell32/shellpath.c#l...
--- snip ---
3470 /* Gets a 'semi-expanded' default value of the CSIDL with index folder into
3471  * pszPath, based on the entries in CSIDL_Data.  By semi-expanded, I mean:
3472  * - Depending on the entry's type, the path may begin with an (unexpanded)
3473  *   environment variable name.  The caller is responsible for expanding
3474  *   environment strings if so desired.
3475  *   The types that are prepended with environment variables are:
3476  *   CSIDL_Type_User:     %USERPROFILE%
3477  *   CSIDL_Type_AllUsers: %ALLUSERSPROFILE%
3478  *   CSIDL_Type_CurrVer:  %SystemDrive%
3479  *   (Others might make sense too, but as yet are unneeded.)
3480  */
3481 static HRESULT _SHGetDefaultValue(BYTE folder, LPWSTR pszPath)
3482 {
3483     HRESULT hr;
3484
3485     TRACE("0x%02x,%p\n", folder, pszPath);
3486
3487     if (folder >= ARRAY_SIZE(CSIDL_Data))
3488         return E_INVALIDARG;
3489
3490     if (!pszPath)
3491         return E_INVALIDARG;
3492
3493     if (!is_win64)
3494     {
3495         BOOL is_wow64;
3496
3497         switch (folder)
3498         {
3499         case CSIDL_PROGRAM_FILES:
3500         case CSIDL_PROGRAM_FILESX86:
3501             IsWow64Process( GetCurrentProcess(), &is_wow64 );
3502             folder = is_wow64 ? CSIDL_PROGRAM_FILESX86 : CSIDL_PROGRAM_FILES;
3503             break;
3504         case CSIDL_PROGRAM_FILES_COMMON:
3505         case CSIDL_PROGRAM_FILES_COMMONX86:
3506             IsWow64Process( GetCurrentProcess(), &is_wow64 );
3507             folder = is_wow64 ? CSIDL_PROGRAM_FILES_COMMONX86 : CSIDL_PROGRAM_FILES_COMMON;
3508             break;
3509         }
3510     }
3511
3512     if (IsEqualGUID(CSIDL_Data[folder].fidParent, &GUID_NULL))
3513     {
3514         /* hit the root, sub in env var */
3515         switch (CSIDL_Data[folder].type)
3516         {
3517         case CSIDL_Type_User:
3518             strcpyW(pszPath, UserProfileW);
3519             break;
3520         case CSIDL_Type_AllUsers:
3521             strcpyW(pszPath, PublicProfileW);
3522             break;
3523         case CSIDL_Type_ProgramData:
3524             strcpyW(pszPath, ProgramDataVarW);
3525             break;
3526         case CSIDL_Type_CurrVer:
3527             strcpyW(pszPath, SystemDriveW);
3528             break;
3529         default:
3530             ; /* no corresponding env. var, do nothing */
3531         }
3532         hr = S_OK;
3533     }else{
3534         /* prepend with parent */
3535         hr = _SHGetDefaultValue(csidl_from_id(CSIDL_Data[folder].fidParent), pszPath);
3536     }
3537
3538     if (SUCCEEDED(hr))
3539         append_relative_path(folder, pszPath);
3540
3541     TRACE("returning 0x%08x\n", hr);
3542     return hr;
3543 }
--- snip ---
Line 3512 -> 'fidParent' member is zero-init for 'CSIDL_Data' 0x45 folder entry, causing null pointer exception.
After fixing the regression, the installer runs into bug 38740.
$ sha1sum setupgs5_6.exe
fbbbae71ce4214e3848ae29399fa3b271bd6763f  setupgs5_6.exe

$ du -sh setupgs5_6.exe
5.8M    setupgs5_6.exe

$ wine --version
wine-6.12-125-g6763ed84cf0
Regards
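
The failure mode reported above (a parent pointer left NULL by the table initializer and then passed straight to a GUID comparison), as an added example that is not Wine's code and not the fix applied upstream. The struct, table entries and function names are constructed for illustration, and plain char strings stand in for WCHAR.

```c
#include <stdio.h>
#include <string.h>
/* Stand-ins for KNOWNFOLDERID and CSIDL_Data; all names and entries are constructed. */
typedef struct { unsigned char b[16]; } guid_t;
enum folder_type { TYPE_USER, TYPE_NONE };
static const guid_t NULL_GUID = {{0}}, DOCS_GUID = {{1}}, TMPL_GUID = {{2}};

struct folder {
    const guid_t *id;
    enum folder_type type;
    const guid_t *parent;  /* may be NULL when the initializer leaves it out */
    const char *rel_path;
};

static const struct folder table[] = {
    { &DOCS_GUID, TYPE_USER, &NULL_GUID, "Documents" }, /* 0: explicit root */
    { &NULL_GUID, TYPE_USER, NULL,       "Documents" }, /* 1: parent is NULL */
    { &TMPL_GUID, TYPE_NONE, &DOCS_GUID, "Templates" }, /* 2: child of 0 */
};
#define TABLE_LEN ((int)(sizeof(table) / sizeof(table[0])))

/* The guard: a NULL parent means "no parent" and is never dereferenced. */
static int is_root(const guid_t *parent)
{
    return !parent || !memcmp(parent, &NULL_GUID, sizeof(*parent));
}

static int index_from_id(const guid_t *id)
{
    for (int i = 0; i < TABLE_LEN; i++)
        if (!memcmp(table[i].id, id, sizeof(*id))) return i;
    return -1;
}

/* Returns 0 on success, -1 on bad index, unknown parent or short buffer. */
static int default_value(int folder, char *out, size_t len)
{
    if (folder < 0 || folder >= TABLE_LEN || !out || !len) return -1;
    out[0] = '\0';
    if (!is_root(table[folder].parent)) {
        if (default_value(index_from_id(table[folder].parent), out, len)) return -1;
    } else if (table[folder].type == TYPE_USER) {
        if (snprintf(out, len, "%s", "%USERPROFILE%") >= (int)len) return -1;
    }
    size_t used = strlen(out);
    int n = snprintf(out + used, len - used, "%s%s", used ? "\\" : "", table[folder].rel_path);
    return (n < 0 || (size_t)n >= len - used) ? -1 : 0;
}

int main(void) { char buf[64]; if (default_value(1, buf, sizeof buf)) return 1; puts(buf); return 0; }
```

Dropping the `!parent` test from `is_root` reproduces the read from address 0 for entry 1 of this constructed table.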