https://bugs.winehq.org/show_bug.cgi?id=17214
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net
          Component|-unknown                    |oleaut32
            Summary|Proteus VX fails to install |Proteus VX fails to install
                   |                            |(VT_DISPATCH to VT_xxx
                   |                            |conversion: uninitialized
                   |                            |VARIANTARG passed to
                   |                            |DISPID_VALUE invoke call)

--- Comment #12 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming ... a nasty one.
It seems the InstallShield script engine copies the 'out' value during VarI4FromDisp() -> VARIANT_FromDisp() -> IDispatch_Invoke() using VariantCopy() without initializing it first.
Wine passes an uninitialized stack based VARIANTARG (param ought to be 'out').
I added additional 'FIXME' traces around the invoke call to make it more visible:
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay,+ole,+variant wine ./setup.exe >>log.txt 2>&1
...
0039:Call oleaut32.VariantChangeType(003313bc,003313e4,00000000,00000003) ret=010f1bde
0039:trace:variant:VariantChangeTypeEx (0x3313bc->(VT_EMPTY),0x3313e4->(VT_DISPATCH),0x00000400,0x0000,VT_I4)
0039:trace:variant:VariantClear (0x3312c8->(VT_EMPTY))
0039:trace:variant:VariantClear (0x3312b8->(VT_EMPTY))
0039:trace:variant:VariantCopyInd (0x3312b8->(VT_EMPTY),0x3313e4->(VT_DISPATCH))
0039:trace:variant:VariantCopy (0x3312b8->(VT_EMPTY),0x3313e4->(VT_DISPATCH))
0039:trace:variant:VariantClear (0x3312b8->(VT_EMPTY))
0039:trace:variant:VARIANT_Coerce (0x3312c8->(VT_EMPTY),0x00000400,0x0000,0x3312b8->(VT_DISPATCH),VT_I4)
0039:fixme:variant:VARIANT_FromDisp emptyParams=0x7e60bd10, srcVar=0x331148
0039:Call oleaut32.VariantInit(003310dc) ret=011097ff
0039:trace:variant:VariantInit (0x3310dc)
0039:Ret oleaut32.VariantInit() retval=003310dc ret=011097ff
0039:Call oleaut32.VariantClear(003310dc) ret=010f15a9
0039:trace:variant:VariantClear (0x3310dc->(VT_EMPTY))
0039:Ret oleaut32.VariantClear() retval=00000000 ret=010f15a9
0039:Call oleaut32.VariantCopy(00331148,003310dc) ret=011098a1
0039:trace:variant:VariantCopy (0x331148->(Invalid|VT_BYREF|VT_HARDTYPE),0x3310dc->(VT_I4))
0039:trace:variant:VariantClear (0x331148->(Invalid|VT_BYREF|VT_HARDTYPE))
0039:Ret oleaut32.VariantCopy() retval=80020008 ret=011098a1
0039:Call oleaut32.VariantClear(003310dc) ret=011098ad
0039:trace:variant:VariantClear (0x3310dc->(VT_I4))
0039:Ret oleaut32.VariantClear() retval=00000000 ret=011098ad
0039:fixme:variant:VARIANT_FromDisp hRet=0x80020008
0039:trace:variant:VariantClear (0x3312c8->(VT_EMPTY))
0039:trace:variant:VariantClear (0x3312b8->(VT_DISPATCH))
0039:trace:variant:VariantChangeTypeEx returning 0x80020005, 0x3313bc->(VT_EMPTY)
0039:Ret oleaut32.VariantChangeType() retval=80020005 ret=010f1bde
0039:Call KERNEL32.RaiseException(e06d7363,00000001,00000003,00331368) ret=0110fb96
0039:trace:seh:raise_exception code=e06d7363 flags=1 addr=0x7b83a97b ip=7b83a97b tid=0039
0039:trace:seh:raise_exception info[0]=19930520
0039:trace:seh:raise_exception info[1]=00331384
0039:trace:seh:raise_exception info[2]=01124b38
0039:trace:seh:raise_exception eax=7b8269e1 ebx=7b8bb000 ecx=19930520 edx=003312a4 esi=0033134c edi=00331310
0039:trace:seh:raise_exception ebp=003312e8 esp=00331284 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200283
--- snip ---
Debugging/snooping lets the installer succeed (different stack values).
Debugger callstack to show the invocation:
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x094c972a in iscript (+0x1972a) (0x003311d8)
1 0x7e53bcf5 VarI4FromDisp+0x31(pdispIn=0x97ca058, lcid=0x400, piOut=0x331310) [/home/focht/projects/wine/wine.repo/src/dlls/oleaut32/vartype.c:1635] in oleaut32 (0x00331208)
2 0x7e527e51 VARIANT_Coerce+0xbac(pd=0x331308, lcid=0x400, wFlags=0, ps=0x3312f8, vt=0x3) [/home/focht/projects/wine/wine.repo/src/dlls/oleaut32/variant.c:210] in oleaut32 (0x00331298)
3 0x7e52b64c VariantChangeTypeEx+0x347(pvargDest=<couldn't compute location>, pvargSrc=<couldn't compute location>, lcid=<couldn't compute location>, wFlags=0, vt=0x3) [/home/focht/projects/wine/wine.repo/src/dlls/oleaut32/variant.c:1047] in oleaut32 (0x00331348)
4 0x7e52b2f5 VariantChangeType+0x55(pvargDest=<couldn't compute location>, pvargSrc=<couldn't compute location>, wFlags=0, vt=0x3) [/home/focht/projects/wine/wine.repo/src/dlls/oleaut32/variant.c:982] in oleaut32 (0x00331388)
5 0x094b1bde in iscript (+0x1bdd) (0x003313d8)
6 0x094b3eb8 in iscript (+0x3eb7) (0x00331400)
...
--- snip ---
Source: http://source.winehq.org/git/wine.git/blob/ca1a1d54c0d2bee13926a1edca789c09e...
--- snip ---
/* Coerce VT_DISPATCH to another type */
static HRESULT VARIANT_FromDisp(IDispatch* pdispIn, LCID lcid, void* pOut,
                                VARTYPE vt, DWORD dwFlags)
{
  static DISPPARAMS emptyParams = { NULL, NULL, 0, 0 };
  VARIANTARG srcVar, dstVar;
  HRESULT hRet;

  if (!pdispIn)
    return DISP_E_BADVARTYPE;

  /* Get the default 'value' property from the IDispatch */
  hRet = IDispatch_Invoke(pdispIn, DISPID_VALUE, &IID_NULL, lcid, DISPATCH_PROPERTYGET,
                          &emptyParams, &srcVar, NULL, NULL);

  if (SUCCEEDED(hRet))
...
--- snip ---
Initializing 'srcVar' before invoke call fixes this.
$ sha1sum ProteusVX.zip
99b8de9a0468540fd6210d47717c8c3d452434c6  ProteusVX.zip

$ du -sh ProteusVX.zip
66M ProteusVX.zip

$ wine --version
wine-1.7.11-322-gafadda8
Regards
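
Added example (not part of the original comment and not Wine code): a self-contained toy model of the failure in the trace, where a callee copies its result into an 'out' variant with a clear-then-copy routine and the caller's slot still holds stack garbage. All toy_* names, the 0xCC fill pattern and TOY_VT_LIMIT are constructed for illustration; 0x80020008 is the value VariantCopy returns in the log above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the failure in the trace; hypothetical names, not Wine code. */
typedef uint32_t hres_t;
#define TOY_S_OK              0x00000000u
#define TOY_DISP_E_BADVARTYPE 0x80020008u  /* value VariantCopy returns in the log */
enum { TOY_VT_EMPTY = 0, TOY_VT_I4 = 3, TOY_VT_LIMIT = 73 /* constructed bound */ };

typedef struct { uint16_t vt; int32_t lVal; } toy_variant;

static void toy_init(toy_variant *v) { v->vt = TOY_VT_EMPTY; v->lVal = 0; }

/* Like VariantClear: refuses a type tag it does not recognise. */
static hres_t toy_clear(toy_variant *v) {
    if (v->vt >= TOY_VT_LIMIT) return TOY_DISP_E_BADVARTYPE;
    toy_init(v);
    return TOY_S_OK;
}

/* Like VariantCopy: clears the destination first, so it trusts dst->vt. */
static hres_t toy_copy(toy_variant *dst, const toy_variant *src) {
    hres_t hr = toy_clear(dst);
    if (hr != TOY_S_OK) return hr;
    *dst = *src;
    return TOY_S_OK;
}

/* Callee in the style described above: copies its result into the
   'out' slot without initialising that slot itself. */
static hres_t toy_invoke_value(toy_variant *result) {
    toy_variant tmp = { TOY_VT_I4, 42 };
    return toy_copy(result, &tmp);
}

/* Caller: init_first == 0 models the code as quoted, 1 models the fix. */
hres_t toy_from_disp(int init_first, int32_t *out) {
    toy_variant srcVar;
    memset(&srcVar, 0xCC, sizeof srcVar);  /* constructed stand-in for stack garbage */
    if (init_first) toy_init(&srcVar);
    hres_t hr = toy_invoke_value(&srcVar);
    if (hr == TOY_S_OK) *out = srcVar.lVal;
    return hr;
}

int main(void) {
    int32_t v = 0;
    printf("uninitialised: 0x%08x\n", (unsigned)toy_from_disp(0, &v));
    printf("initialised:   0x%08x value=%d\n", (unsigned)toy_from_disp(1, &v), (int)v);
    return 0;
}
```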