http://bugs.winehq.org/show_bug.cgi?id=29099
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net
            Summary|LabView demo: crashes on    |LabView 2011 demo crashes
                   |start                       |on start
                   |                            |(PathRemoveExtensionA/W
                   |                            |unconditionally tries to
                   |                            |null terminate string)

--- Comment #2 from Anastasius Focht focht@gmx.net 2011-12-30 10:22:28 CST ---
Hello,
confirming, still present.
--- snip ---
...
00c2:Call shlwapi.PathRemoveExtensionA(01e7a740 "LabVIEW") ret=006a6cad
00c2:Call user32.CharNextA(01e7a740 "LabVIEW") ret=686ad97a
00c2:Ret  user32.CharNextA() retval=01e7a741 ret=686ad97a
00c2:Call user32.CharNextA(01e7a741 "abVIEW") ret=686ad97a
00c2:Ret  user32.CharNextA() retval=01e7a742 ret=686ad97a
00c2:Call user32.CharNextA(01e7a742 "bVIEW") ret=686ad97a
00c2:Ret  user32.CharNextA() retval=01e7a743 ret=686ad97a
00c2:Call user32.CharNextA(01e7a743 "VIEW") ret=686ad97a
00c2:Ret  user32.CharNextA() retval=01e7a744 ret=686ad97a
00c2:Call user32.CharNextA(01e7a744 "IEW") ret=686ad97a
00c2:Ret  user32.CharNextA() retval=01e7a745 ret=686ad97a
00c2:Call user32.CharNextA(01e7a745 "EW") ret=686ad97a
00c2:Ret  user32.CharNextA() retval=01e7a746 ret=686ad97a
00c2:Call user32.CharNextA(01e7a746 "W") ret=686ad97a
00c2:Ret  user32.CharNextA() retval=01e7a747 ret=686ad97a
00c2:trace:seh:raise_exception code=c0000005 flags=0 addr=0x686ae4b8 ip=686ae4b8 tid=00c2
00c2:trace:seh:raise_exception  info[0]=00000001
00c2:trace:seh:raise_exception  info[1]=01e7a747
00c2:trace:seh:raise_exception  eax=01e7a747 ebx=686e962c ecx=00000000 edx=00000057 esi=0032f8c0 edi=0032f844
00c2:trace:seh:raise_exception  ebp=0032f838 esp=0032f800 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
00c2:trace:seh:call_vectored_handlers calling handler at 0x68f86e0e code=c0000005 flags=0
00c2:trace:seh:call_vectored_handlers handler at 0x68f86e0e returned 0
--- snip ---

shlwapi.dll PathRemoveExtensionA() tries to modify a string that is located in a read-only executable section.
Dump of section info/executable mappings at runtime:
--- snip ---
Address   Size     Contains          Access
....
00400000  0000100  PE header         R
00401000  01A7400  .text Code        R E
01E75000  0053B00  .rdata Imports,exports  R
023B0000  0016B00  .data Data        RWE CopyOnWr
0251B000  003C700  .rsrc Resources   R
--- snip ---

0x01e7a740 "LabVIEW" -> constant string literal in .rdata

--- snip ---
Address   Value     ASCII
01E7A740  5662614C  LabV
01E7A744  00574549  IEW
01E7A748  67655210  Reg
01E7A74C  72747369  istr
--- snip ---
Code: http://source.winehq.org/git/wine.git/blob/ce3dd89b5411edfdf448bd80ac8dd2b71...
--- snip ---
void WINAPI PathRemoveExtensionA(LPSTR lpszPath)
{
  TRACE("(%s)\n", debugstr_a(lpszPath));

  if (lpszPath)
  {
    lpszPath = PathFindExtensionA(lpszPath);
    *lpszPath = '\0';
  }
}
--- snip ---
Obviously PathRemoveExtensionA() isn't supposed to modify the string in this case (writing null terminator). I added a null terminator check and it allows the application to start.
You might also want to fix PathRemoveExtensionW().
$ sha1sum 2011LV-WinEng.exe
2827f32f1ce737226f34a0961938ed84b8f0e164  2011LV-WinEng.exe

$ wine --version
wine-1.3.35-273-geaa8801
Regards
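
The null terminator check described in the comment above, as an added example that is not part of the original report and is not Wine's code. `find_extension` is a simplified, hypothetical stand-in for PathFindExtensionA, and the sample strings are constructed; the point is that no store happens when the path already ends where the extension would start, so a string in read-only data is never written to.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for PathFindExtensionA (hypothetical helper, not Wine's
 * code): returns the last '.' that follows the last '\\' or ' ', or a pointer
 * to the terminating NUL when the path has no extension. */
static char *find_extension(char *path)
{
    char *last_dot = NULL;
    char *p;

    for (p = path; *p; p++) {
        if (*p == '\\' || *p == ' ')
            last_dot = NULL;
        else if (*p == '.')
            last_dot = p;
    }
    return last_dot ? last_dot : p;
}

/* Remove the extension in place, writing only when there is something to cut.
 * Returns 1 if the buffer was modified, 0 if it was left untouched. */
static int remove_extension_checked(char *path)
{
    char *ext;

    if (!path)
        return 0;
    ext = find_extension(path);
    if (*ext == '\0')
        return 0;   /* nothing to remove: no store, so read-only memory is safe */
    *ext = '\0';
    return 1;
}

/* Constructed sample inputs. */
static const char ro_name[] = "LabVIEW";   /* typically placed in read-only data */
static char rw_name[] = "C:\\my.dir\\LabVIEW.exe";

int main(void)
{
    printf("%d\n", remove_extension_checked((char *)ro_name));
    printf("%d %s\n", remove_extension_checked(rw_name), rw_name);
    return 0;
}
```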