[Bug 45044] New: Microsoft Visual C++ 2005, 2008 Redistributable installers fail with 'action L"SxsInstallCA" returned 1603'

https://bugs.winehq.org/show_bug.cgi?id=45044

Bug ID: 45044 Summary: Microsoft Visual C++ 2005, 2008 Redistributable installers fail with 'action L"SxsInstallCA" returned 1603' Product: Wine Version: 3.6 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: msi Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---

Hello folks,

noticed this on recent Wine build from Git while investigating some other issue. The installer bundles MSVC++ 2005 runtime and it fails to run the sub-installer. This worked in the past.

--- snip --- $ WINEDEBUG=+seh,+relay,+msi wine ./vcredist_x86.exe >>log.txt 2>&1 ... 0032:Call KERNEL32.MultiByteToWideChar(00000000,00000001,00411290 "msiexec /i vcredist.msi",00000018,004112b0,00000018) ret=f7b1c6bf ... 0032:trace:msi:HANDLE_CustomType1 Calling function L"CustomAction_SxsMsmInstall" from L"C:\users\focht\Temp\msi3fd.tmp" 0033:Starting thread proc 0x7ebbc0db (arg=0x1d736c) 0033:trace:msi:DllThread custom action (33) started ... 0033:trace:msi:ACTION_CallDllFunction calling L"CustomAction_SxsMsmInstall" ... 0033:Call msi.MsiGetActiveDatabase(00000002) ret=00402d45 0033:trace:msi:MsiGetActiveDatabase (2) 0033:trace:msi:MsiGetActiveDatabase (1) 0033:trace:msi:alloc_msihandle 0x159508 -> 3 0033:trace:msi:alloc_msi_remote_handle 3 -> 4 0033:Ret msi.MsiGetActiveDatabase() retval=00000004 ret=00402d45 0033:Call msi.MsiDatabaseOpenViewA(00000004,0040146c "SELECT `Component_`, `Guid` FROM `SxsMsmGenComponents`",0061fd28) ret=00402d5e ... 0033:Call msi.MsiDatabaseOpenViewA(00000004,00401290 "SELECT `Directory_`, `ComponentId` FROM `Component` WHERE `Component` = ?",0061fcd8) ret=00402335 0033:trace:msi:MsiDatabaseOpenViewA 4 "SELECT `Directory_`, `ComponentId` FROM `Component` WHERE `Component` = ?" 0x61fcd8 ... 0033:Ret msi.MsiDatabaseOpenViewA() retval=00000000 ret=00402335 ... 0033:Call msi.MsiRecordSetStringA(0000000d,00000001,00411388 "uplevel.97F81AF1_0E47_DC99_FF1F_C8B3B9A1E18E") ret=00402355 ... 0033:Call msi.MsiViewExecute(00000017,0000000d) ret=00402377 0033:trace:msi:MsiViewExecute 23 13 0033:Call ntdll.RtlAllocateHeap(00110000,00000008,00000030) ret=7ebd516c 0033:Ret ntdll.RtlAllocateHeap() retval=001e32a8 ret=7ebd516c 0033:trace:msi:alloc_msihandle 0x1e32a8 -> 24 0033:Ret msi.MsiViewExecute() retval=0061fbe8 ret=00402377 ... 0033:trace:msi:DllThread custom action (33) returned 1603 ... 0032:err:msi:ITERATE_Actions Execution halted, action L"SxsInstallCA" returned 1603 ... 0032:err:msi:ITERATE_Actions Execution halted, action L"ExecuteAction" returned 1603 --- snip ---

Debugger:

--- snip --- $ MsiBreak=CustomAction_SxsMsmInstall wine msiexec -i vcredist.msi ...

$ winedbg

Wine-dbg>attach 0x8

Wine-dbg>c DbgBreakPoint () at /home/focht/projects/wine/wine.repo/src/include/winternl.h:2223 0x7b442fe0 DbgBreakPoint+0x4 [/home/focht/projects/wine/wine.repo/src/include/winternl.h:2223] in kernel32: nop 2223 static inline void WINAPI DbgBreakPoint(void) { __asm__ __volatile__("int3"); }

$ Wine-dbg>b MsiViewExecute 002f:fixme:dbghelp_dwarf:dwarf2_parse_const_type Unsupported children Breakpoint 1 at 0x7ebe87b9 MsiViewExecute [/home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:475] in msi

Wine-dbg>c Stopped on breakpoint 1 at 0x7ebe87b9 MsiViewExecute [/home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:475] in msi MsiViewExecute () at /home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:475

Wine-dbg>c Stopped on breakpoint 1 at 0x7ebe87b9 MsiViewExecute [/home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:475] in msi

Wine-dbg>c Stopped on breakpoint 1 at 0x7ebe87b9 MsiViewExecute [/home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:475] in msi

Wine-dbg>c Stopped on breakpoint 1 at 0x7ebe87b9 MsiViewExecute [/home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:475] in msi

Wine-dbg>c Stopped on breakpoint 1 at 0x7ebe87b9 MsiViewExecute [/home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:475] in msi

Wine-dbg>b copy_remote_record Breakpoint 2 at 0x7ebf6888 copy_remote_record [/home/focht/projects/wine/wine.repo/src/dlls/msi/record.c:1059] in msi

Wine-dbg>c Stopped on breakpoint 2 at 0x7ebf6888 copy_remote_record [/home/focht/projects/wine/wine.repo/src/dlls/msi/record.c:1059] in msi copy_remote_record () at /home/focht/projects/wine/wine.repo/src/dlls/msi/record.c:1059

Wine-dbg>bt

Backtrace: =>0 0x7ebf6888 copy_remote_record(in=0x1d3b0c, out=0x1f) [/home/focht/projects/wine/wine.repo/src/dlls/msi/record.c:1059] in msi (0x0061fc18) 1 0x7ebe9d3e remote_ViewExecute+0x29(view=<couldn't compute location>, remote_rec=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:1106] in msi (0x0061fc48) 2 0x7ebe8894 MsiViewExecute+0xda(hView=<couldn't compute location>, hRec=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/msi/msiquery.c:497] in msi (0x0061fc98) 3 0x00402377 in msifcec.tmp (+0x2376) (0x0061fce0) 4 0x00402fd6 in msifcec.tmp (+0x2fd5) (0x0061fd38) 5 0x00403336 in msifcec.tmp (+0x3335) (0x0061fd48) 6 0x7ebbbd2e CUSTOMPROC_wrapper+0xd() in msi (0x0061fd58) 7 0x7ebbbf19 ACTION_CallDllFunction+0x1e8(guid=0x1c585c) [/home/focht/projects/wine/wine.repo/src/dlls/msi/custom.c:564] in msi (0x0061fe98) 8 0x7ebbc14d DllThread+0x71(arg=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/msi/custom.c:598] in msi (0x0061fed8) 9 0x7bc95468 call_thread_func_wrapper+0xb() in ntdll (0x0061feec) 10 0x7bc954ce call_thread_func+0x63(entry=0x7ebbc0db, arg=0x1c585c) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/signal_i386.c:2625] in ntdll (0x0061ffdc) 11 0x7bc9545a call_thread_entry+0x9() in ntdll (0x0061ffec)

Wine-dbg>info locals 0x7ebf6888 copy_remote_record: (0061fc18) struct wire_record* in=0x1d3b0c (parameter [ESP+4]) MSIHANDLE out=0x1f (parameter [ESP+8]) MSIRECORD* rec=0x61fc60 (local [ESP-24]) unsigned int i=0x7ebf6a82 (local [ESP-16]) UINT r=0x61fc18 (local [ESP-20])

Wine-dbg>n 1064 if (!(rec = msihandle2msiinfo(out, MSIHANDLETYPE_RECORD))) Wine-dbg>n 1067 for (i = 0; i <= in->count; i++) Wine-dbg>n 1067 for (i = 0; i <= in->count; i++) Wine-dbg>n 1069 switch (in->fields[i].type) Wine-dbg>n 1072 MSI_FreeField(&rec->fields[i]); Wine-dbg>n 1073 rec->fields[i].type = MSIFIELD_NULL; Wine-dbg>n 1074 break; Wine-dbg>n 1089 if (r) Wine-dbg>n 1091 msiobj_release(&rec->hdr); Wine-dbg>n 1092 return r; --- snip ---

Two cases of the switch use uninitialized 'r' value.

Source:

https://source.winehq.org/git/wine.git/blob/a373054b72f396a04ab4f191e1f6c2c9...

--- snip --- 1058 UINT copy_remote_record(const struct wire_record *in, MSIHANDLE out) 1059 { 1060 MSIRECORD *rec; 1061 unsigned int i; 1062 UINT r; 1063 1064 if (!(rec = msihandle2msiinfo(out, MSIHANDLETYPE_RECORD))) 1065 return ERROR_INVALID_HANDLE; 1066 1067 for (i = 0; i <= in->count; i++) 1068 { 1069 switch (in->fields[i].type) 1070 { 1071 case MSIFIELD_NULL: 1072 MSI_FreeField(&rec->fields[i]); 1073 rec->fields[i].type = MSIFIELD_NULL; 1074 break; 1075 case MSIFIELD_INT: 1076 r = MSI_RecordSetInteger(rec, i, in->fields[i].u.iVal); 1077 break; 1078 case MSIFIELD_WSTR: 1079 r = MSI_RecordSetStringW(rec, i, in->fields[i].u.szwVal); 1080 break; 1081 case MSIFIELD_STREAM: 1082 r = MSI_RecordSetIStream(rec, i, in->fields[i].u.stream); 1083 break; 1084 default: 1085 ERR("invalid field type %d\n", in->fields[i].type); 1086 break; 1087 } 1088 1089 if (r) 1090 { 1091 msiobj_release(&rec->hdr); 1092 return r; 1093 } 1094 } 1095 1096 msiobj_release(&rec->hdr); 1097 return ERROR_SUCCESS; 1098 } --- snip ---

The custom action dll later converts the garbage value 0x61fc18 to 0x8007FC18 (meaningless) but ultimately to 1603.

--- snip --- 004022E6 56 PUSH ESI 004022E7 E8 63F5FFFF CALL 0040184F 004022EC 85FF TEST EDI,EDI ; 0x0061FC18 004022EE 7E 0C JLE SHORT 004022FC 004022F0 81E7 FFFF0000 AND EDI,0FFFF ; 0x0000FC18 004022F6 81CF 00000780 OR EDI,80070000 ; 0x8007FC18 004022FC 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 00402300 74 08 JE SHORT 0040230A 00402302 FF75 FC PUSH DWORD PTR SS:[EBP-4] 00402305 E8 30150000 CALL 0040383A 0040230A 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 0040230E 74 08 JE SHORT 00402318 00402310 FF75 F8 PUSH DWORD PTR SS:[EBP-8] 00402313 E8 22150000 CALL 0040383A --- snip ---

This is a regression, introduced by https://source.winehq.org/git/wine.git/commitdiff/bbf0f2da8211da73066fb36a44... ("msi: Make MsiProcessMessage() RPC-compatible") which introduced a buggy 'unmarshal_record' helper.

The code was later refactored into 'copy_remote_record' helper:

https://source.winehq.org/git/wine.git/commitdiff/c79fbc241e3c9a62ab50fb0826... ("msi: Make MsiViewModify() RPC-compatible.")

'MsiViewExecute' modified to call the remote wrappers which contain the bug:

https://source.winehq.org/git/wine.git/commitdiff/afb5eede24c35308d2370fd3b4... ("msi: Make MsiViewExecute() RPC-compatible.")

With a fix applied to properly initialize 'r', the installers work again.

$ ha1sum vcredist_x86.EXE b8fab0bb7f62a24ddfe77b19cd9a1451abd7b847 vcredist_x86.EXE

$ du -sh vcredist_x86.EXE 2.6M vcredist_x86.EXE

$ wine --version wine-3.6-138-ga373054b72

Regards