http://bugs.winehq.org/show_bug.cgi?id=14726
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net

--- Comment #2 from Anastasius Focht focht@gmx.net 2008-08-02 05:29:39 ---
Hello,
when the app queries proxy info using InternetQueryOptionA( ..INTERNET_OPTION_PROXY ..), wine initializes the out buffer incorrectly, letting the app believe there is proxy info, which results in a crash when accessing the buffer.
Consider the following:
--- snip dlls/wininet/internet.c ---
DWORD INET_QueryOption(DWORD option, void *buffer, DWORD *size, BOOL unicode)
{
..
    case INTERNET_OPTION_PROXY: {
        WININETAPPINFOW ai;

        TRACE("Getting global proxy info\n");
        memset(&ai, 0, sizeof(WININETAPPINFOW));
        INTERNET_ConfigureProxy(&ai);

        return APPINFO_QueryOption(&ai.hdr, INTERNET_OPTION_PROXY, buffer, size, unicode); /* FIXME */
    }
..
}
--- snip dlls/wininet/internet.c ---
WININETAPPINFOW is zero initialized. If INTERNET_ConfigureProxy() doesn't find any suitable info, the buffer is left untouched.
Now the filling of return/out buffer data:
--- snip dlls/wininet/internet.c ---
static DWORD APPINFO_QueryOption(WININETHANDLEHEADER *hdr, DWORD option, void *buffer, DWORD *size, BOOL unicode)
{
..
..
    case INTERNET_OPTION_PROXY:
..
        INTERNET_PROXY_INFOA *pi = (INTERNET_PROXY_INFOA *)buffer;
..
        pi->dwAccessType = ai->dwAccessType;
        pi->lpszProxy = NULL;
        pi->lpszProxyBypass = NULL;
..
}
--- snip dlls/wininet/internet.c ---
Due to default initialization, pi->dwAccessType == 0 (which is actually INTERNET_OPEN_TYPE_PRECONFIG = invalid anyway because it's only used for setting info).
After InternetQueryOptionA() returns, the app checks pi->dwAccessType == INTERNET_OPEN_TYPE_DIRECT and if different, it tries to read the proxy info. When accessing pi->lpszProxy it obviously crashes (sloppy app devs, not checking for pi->lpszProxy == NULL).
Wine should initialize pi->dwAccessType with INTERNET_OPEN_TYPE_DIRECT if proxy settings can't be determined, e.g. when ai->dwAccessType == 0 (one-liner ternary). Be sure to cover both the ANSI and Unicode paths.
As a side note ... the app is protected with PC Guard 5.x making analysis ~5 minutes longer ;-)
Regards
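
Added example, not part of the original comment and not Wine's source: a self-contained C model of the query path described in comment #2, showing the zero-initialized access type reaching the caller and the effect of the proposed ternary. The struct types and the functions configure_proxy, query_proxy, app_would_deref_null and run_query are simplified, hypothetical stand-ins; the constants carry the wininet.h values, and the proxy string is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Values match wininet.h; redefined so this builds without Windows headers. */
enum { OPEN_TYPE_PRECONFIG = 0, OPEN_TYPE_DIRECT = 1, OPEN_TYPE_PROXY = 3 };

/* Simplified stand-ins for WININETAPPINFOW and INTERNET_PROXY_INFOA. */
typedef struct { unsigned long dwAccessType; const char *proxy; } appinfo_t;
typedef struct { unsigned long dwAccessType; const char *lpszProxy, *lpszProxyBypass; } proxy_info_t;

/* Hypothetical stand-in for INTERNET_ConfigureProxy(): ai stays zeroed when
 * no proxy setting is found. */
static void configure_proxy(appinfo_t *ai, const char *configured)
{
    if (configured) { ai->dwAccessType = OPEN_TYPE_PROXY; ai->proxy = configured; }
}

/* Fills the out buffer. fixed == 0 copies the access type verbatim (the
 * behaviour the comment describes); fixed != 0 applies the proposed ternary. */
static void query_proxy(const appinfo_t *ai, proxy_info_t *pi, int fixed)
{
    pi->dwAccessType = (fixed && !ai->dwAccessType) ? OPEN_TYPE_DIRECT : ai->dwAccessType;
    pi->lpszProxy = ai->proxy;
    pi->lpszProxyBypass = NULL;
}

/* Caller logic from the comment: anything but DIRECT means "read lpszProxy".
 * Returns 1 when that read would hit a NULL pointer. */
static int app_would_deref_null(const proxy_info_t *pi)
{
    return pi->dwAccessType != OPEN_TYPE_DIRECT && pi->lpszProxy == NULL;
}

/* One query end to end; `configured` is NULL when no proxy is set. */
static int run_query(int fixed, const char *configured)
{
    appinfo_t ai;
    proxy_info_t pi;
    memset(&ai, 0, sizeof(ai));          /* same zero-init as INET_QueryOption */
    configure_proxy(&ai, configured);
    query_proxy(&ai, &pi, fixed);
    return app_would_deref_null(&pi);
}

int main(void)
{
    printf("NULL read: before=%d after=%d after+proxy=%d\n", run_query(0, NULL),
           run_query(1, NULL), run_query(1, "proxy.example:3128"));
    return 0;
}
```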