https://bugs.winehq.org/show_bug.cgi?id=49116
Bug ID: 49116
Summary: Windows 10 1903 SDK (10.0.18362.0) installer crashes (method invocation on wrong CCW interface?)
Product: Wine
Version: 5.7
Hardware: x86
URL: https://web.archive.org/web/20200215010843/https://download.microsoft.com/download/4/2/2/42245968-6A79-4DA7-A5FB-08C0AD0AE661/windowssdk/winsdksetup.exe
OS: Linux
Status: NEW
Keywords: download
Severity: normal
Priority: P2
Component: mscoree
Assignee: wine-bugs@winehq.org
Reporter: z.figura12@gmail.com
Distribution: ---
It calls _AppDomain::CreateInstance() from unmanaged code to retrieve a COM pointer to one of its own objects (specifically, BootstrapperApplicationFactory, hosted in BootstrapperCore.dll), and then tries to invoke a method on the object. The problem is that the method it invokes has vtbl offset 0x38, but Mono gives us back what *seems* to be an IDispatch vtbl, so it ends up invoking junk. This consistently results in an execute fault for me.
Relevant disassembly, from mbahost.dll:
    1286: 8b 45 08             >mov eax, [ebp+08h]
    1289: 8d 55 fc              lea edx, [ebp-04h]
    128c: 52                    push edx
    128d: 57                    push edi
    128e: 53                    push ebx
    128f: 8b 08                 mov ecx, [eax]
    1291: 50                    push eax
    1292: ff 91 94 00 00 00     call dword [ecx+00000094h]   // CreateInstance(), apparently
    1298: 8b f0                 mov esi, eax
    129a: 85 f6                 test esi, esi
    129c: 79 08                 jns 12a6                     // jump if SUCCEEDED
    129e: 56                    push esi
    129f: 68 1f 02 00 00        push dword 0000021Fh
    12a4: eb 48                 jmp 12ee
    12a6: 8b 45 fc             >mov eax, [ebp-04h]
    12a9: 8d 55 ec              lea edx, [ebp-14h]
    12ac: 52                    push edx
    12ad: 50                    push eax
    12ae: 8b 08                 mov ecx, [eax]
    12b0: ff 51 38              call dword [ecx+38h]         // crashes
Presumably Mono is wrong in returning IDispatch here, but I'm not sure why, and it's not clear what should be returned in its stead. The class in question actually has a ClassInterfaceType of AutoDispatch, but maybe that doesn't actually mean we should return IDispatch? But the CIL interface that class explicitly implements, IBootstrapperApplicationFactory, only has one method, so I'm not sure how an offset of 0x38 makes sense there either.
When I get the time I'll build and run a testcase...
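To make the vtable offset arithmetic in the report concrete, the following C program is an added example written for this page; it is not code from the reporter, from Wine or from Mono. It maps an x86 vtable byte offset such as 0x38 to its slot index, names the slot under the assumption of an IDispatch-derived layout (IUnknown's three slots followed by IDispatch's four), and uses a constructed mock vtable to show why a call through slot 14 on a table that only has IDispatch's seven entries reads past the end. The mock_vtbl struct, its count field and guarded_call are inventions for illustration: a real COM vtable carries no length, which is why the call at 12b0 above cannot be validated at the call site.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map a vtable byte offset seen in disassembly (call dword [ecx+38h]) to a
 * slot index. ptr_size is 4 on x86, 8 on x64. Returns -1 if misaligned. */
static int vtbl_slot_index(unsigned offset, unsigned ptr_size)
{
    if (ptr_size == 0 || offset % ptr_size != 0)
        return -1;
    return (int)(offset / ptr_size);
}

/* Every COM vtable begins with IUnknown's three slots; an IDispatch-derived
 * vtable follows them with IDispatch's four. Slots beyond that belong to the
 * specific interface. */
static const char *const iunknown_slots[3] = {
    "IUnknown::QueryInterface", "IUnknown::AddRef", "IUnknown::Release"
};
static const char *const idispatch_slots[4] = {
    "IDispatch::GetTypeInfoCount", "IDispatch::GetTypeInfo",
    "IDispatch::GetIDsOfNames", "IDispatch::Invoke"
};

/* Name a slot, assuming an IDispatch-derived layout. For slots past IDispatch
 * the 1-based ordinal within the specific interface is written into buf. */
static const char *describe_slot(int slot, char *buf, size_t buflen)
{
    if (slot < 0)
        return "invalid offset";
    if (slot < 3)
        return iunknown_slots[slot];
    if (slot < 7)
        return idispatch_slots[slot - 3];
    snprintf(buf, buflen, "interface-specific method #%d", slot - 7 + 1);
    return buf;
}

/* Constructed mock of a vtable: a slot count plus function pointers. A real
 * CCW vtable has no count field, which is exactly why a caller cannot tell
 * that slot 14 lies past the end of a 7-slot IDispatch table. */
typedef int (*slot_fn)(void);
struct mock_vtbl {
    size_t count;
    slot_fn slots[16];
};

static int mock_method(void) { return 1; }

/* Fill the first n slots with a valid function and leave the rest NULL, so an
 * out-of-range call is detectable instead of silently executing junk. */
static struct mock_vtbl make_mock_vtbl(size_t n)
{
    struct mock_vtbl v;
    size_t i;
    memset(&v, 0, sizeof v);
    if (n > 16)
        n = 16;
    v.count = n;
    for (i = 0; i < n; i++)
        v.slots[i] = mock_method;
    return v;
}

/* Guarded dispatch: refuse any slot the known layout does not cover.
 * Returns the method's result, or -1 when the slot is outside the table. */
static int guarded_call(const struct mock_vtbl *v, unsigned offset, unsigned ptr_size)
{
    int slot = vtbl_slot_index(offset, ptr_size);
    if (slot < 0 || (size_t)slot >= v->count || v->slots[slot] == NULL)
        return -1;
    return v->slots[slot]();
}

int main(void)
{
    char buf[64];
    struct mock_vtbl disp = make_mock_vtbl(7);   /* bare IDispatch: 3 + 4 slots */
    struct mock_vtbl wide = make_mock_vtbl(15);  /* IDispatch + 8 own methods */
    int slot = vtbl_slot_index(0x38, 4);

    printf("offset 0x38 on x86 -> slot %d (%s)\n", slot, describe_slot(slot, buf, sizeof buf));
    printf("call via 7-slot IDispatch vtbl:  %d\n", guarded_call(&disp, 0x38, 4));
    printf("call via 15-slot vtbl:           %d\n", guarded_call(&wide, 0x38, 4));
    return 0;
}
```

Applied to the disassembly above, 0x94 on x86 is slot 37 and 0x38 is slot 14, i.e. the eighth method after IDispatch's Invoke if the returned pointer really were a dual interface; the reporter's point is that a seven-slot IDispatch table, or a one-method IBootstrapperApplicationFactory table, has nothing valid at that slot.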