http://bugs.winehq.org/show_bug.cgi?id=34716
Anastasius Focht focht@gmx.net changed:
What          |Removed                                               |Added
----------------------------------------------------------------------------
Keywords      |                                                      |dotnet
Status        |UNCONFIRMED                                           |NEW
CC            |                                                      |focht@gmx.net
Component     |-unknown                                              |kernel32
Summary       |HippoAnimator3: Invalid name at installation startup  |HippoAnimator3 fails on startup, complains 'Invalid name' (GetTempPathW on poisoned stack buffer)
Ever Confirmed|0                                                     |1
--- Comment #2 from Anastasius Focht focht@gmx.net 2013-11-12 17:46:13 CST ---

Hello folks,
confirming.
Prerequisite: 'winetricks -q dotnet20' (if Mono is not installed)
The installer writes a .NET app config file from its PE resource (good guy):
--- snip ---
002b:Call KERNEL32.FindResourceW(00400000,0000006f,0040c89c L"BINARY") ret=00401431
002b:Ret KERNEL32.FindResourceW() retval=004161f0 ret=00401431
002b:Call KERNEL32.LoadResource(00000000,004161f0) ret=0040143d
002b:Ret KERNEL32.LoadResource() retval=00a63440 ret=0040143d
002b:Call KERNEL32.LockResource(00a63440) ret=00401444
002b:Ret KERNEL32.LockResource() retval=00a63440 ret=00401444
002b:Call KERNEL32.SizeofResource(00000000,004161f0) ret=0040144e
002b:Ret KERNEL32.SizeofResource() retval=000000db ret=0040144e
002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401464
002b:Ret KERNEL32.GetTempPathW() retval=00000014 ret=00401464
002b:Call KERNEL32.CreateDirectoryW(0033f5f4 L"C:\users\focht\Temp\",00000000) ret=00401473
002b:Ret KERNEL32.CreateDirectoryW() retval=00000000 ret=00401473
002b:Call KERNEL32.CreateFileW(0033ee24 L"C:\users\focht\Temp\HippoAnimator3Update.exe.config",40000000,00000000,00000000,00000002,00000080,00000000) ret=004014e6
002b:Ret KERNEL32.CreateFileW() retval=0000003c ret=004014e6
002b:Call KERNEL32.WriteFile(0000003c,00a63440,000000db,0033ee20,00000000) ret=004014f7
002b:Ret KERNEL32.WriteFile() retval=00000001 ret=004014f7
002b:Call KERNEL32.CloseHandle(0000003c) ret=004014fe
002b:Ret KERNEL32.CloseHandle() retval=00000001 ret=004014fe
--- snip ---
Next, an embedded PE binary should be written out the same way (bad guy):
--- snip ---
002b:Call KERNEL32.FindResourceW(00400000,0000006e,0040c89c L"BINARY") ret=00401312
002b:Ret KERNEL32.FindResourceW() retval=004161e0 ret=00401312
002b:Call KERNEL32.LoadResource(00000000,004161e0) ret=0040131e
002b:Ret KERNEL32.LoadResource() retval=00470820 ret=0040131e
002b:Call KERNEL32.LockResource(00470820) ret=00401325
002b:Ret KERNEL32.LockResource() retval=00470820 ret=00401325
002b:Call KERNEL32.SizeofResource(00000000,004161e0) ret=0040132f
002b:Ret KERNEL32.SizeofResource() retval=005f2c20 ret=0040132f
002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401345
002b:Ret KERNEL32.GetTempPathW() retval=00000014 ret=00401345
002b:Call KERNEL32.CreateDirectoryW(0033f5f4 L"C:\users\focht\Temp\",00000000) ret=00401354
002b:Ret KERNEL32.CreateDirectoryW() retval=00000000 ret=00401354
002b:Call KERNEL32.CreateFileW(0033ee24 L"C:\users\focht\Temp\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...,40000000,00000000,00000000,00000002,00000080,00000000) ret=004013c3
002b:Ret KERNEL32.CreateFileW() retval=ffffffff ret=004013c3
002b:Call KERNEL32.WriteFile(ffffffff,00470820,005f2c20,0033ee20,00000000) ret=004013d4
002b:Ret KERNEL32.WriteFile() retval=00000000 ret=004013d4
002b:Call KERNEL32.CloseHandle(ffffffff) ret=004013db
002b:Ret KERNEL32.CloseHandle() retval=00000000 ret=004013db
002b:Call shell32.ShellExecuteExW(0033edc8) ret=004012be
002b:Call ntdll.RtlAllocateHeap(00110000,00000000,000005d8) ret=7e88fca5
002b:Ret ntdll.RtlAllocateHeap() retval=0012b758 ret=7e88fca5
002b:Call shlwapi.PathFindExtensionW(0012b758 L"C:\users\focht\Temp\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...) ret=7e88e187
002b:Ret shlwapi.PathFindExtensionW() retval=0012bd24 ret=7e88e187
--- snip ---
The buffer for GetTempPathW() is allocated on the stack and not pre-initialized. After the CreateDirectoryW() call, a copy loop is used to construct the final path which gets passed to CreateFileW(). Due to the way the copy loop is coded, garbage characters from the stack-based buffer might get copied, resulting in a malformed path.
From there everything goes downhill.
Crappy coding at its best ...
Maybe Windows zero-terminates the GetTempPathW() buffer up to the max buffer size, or it just works by chance there (stack layout).
$ sha1sum HippoAnimator3.exe
0051b4a9c55e9c7e1c146e604068f7d730930dc7 HippoAnimator3.exe

$ du -sh HippoAnimator3.exe
7.3M HippoAnimator3.exe

$ wine --version
wine-1.7.6-168-g8c94e27
Regards