http://bugs.winehq.org/show_bug.cgi?id=29358
Bug #: 29358
Summary: Vit Registry Fix 9.5 crashes when clicking "close" button in "about" dialog
Product: Wine
Version: 1.3.34
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Classification: Unclassified
Hello,
this is a bug split off from bug 7816
http://bugs.winehq.org/show_bug.cgi?id=7816#c16
--- quote ---
It's also an issue with http://www.vitsoft.org.ua/Download/Vit%20Registry%20Fix%20Free%20Edition%20S... and Wine 1.3.19.
Steps to reproduce:
1) start application
2) click "about"
3) close "about" window
--- quote ---
The two bugs have nothing in common, except that both crashing apps are VB6 apps.
The crash:
--- snip ---
0023:Ret window proc 0x6605f626 (hwnd=0x3036e,msg=WM_LBUTTONUP,wp=00000000,lp=00020029) retval=00000000
0023:Ret user32.CallWindowProcA() retval=00000000 ret=016570cd
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x1657117 ip=01657117 tid=0023
0023:trace:seh:raise_exception info[0]=00000001
0023:trace:seh:raise_exception info[1]=00000001
0023:trace:seh:raise_exception eax=00000000 ebx=6846a690 ecx=00000000 edx=00000000 esi=00000023 edi=01680458
0023:trace:seh:raise_exception ebp=0032f808 esp=0032f7f4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
...
Backtrace:
=>0 0x01657117 (0x0032f808)
  1 0x6842f2d2 WINPROC_wrapper+0x19() in user32 (0x0032f838)
  2 0x6842f427 call_window_proc+0xcd(hwnd=0x3036e, msg=0x202, wp=0, lp=0x20029, result=0x32f8b8, arg=0x1657050) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32 (0x0032f888)
  3 0x68431876 CallWindowProcA+0x63(func=0x1657050, hwnd=0x3036e, msg=0x202, wParam=0, lParam=0x20029) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:954] in user32 (0x0032f8c8)
  4 0x7bc64852 call_entry_point+0x29() in ntdll (0x0032f8f8)
  5 0x7bc64a7d relay_call+0x1bb(descr=0x6846f120, idx=0x50019, stack=0x32f95c) [/home/focht/projects/wine/wine-git/dlls/ntdll/relay.c:435] in ntdll (0x0032f948)
  6 0x68387ee9 in user32 (+0x7ee8) (0x0032f9a8)
  7 0x2b28bdee DefSubclassProc+0x16c(hWnd=0x3036e, uMsg=0x202, wParam=0, lParam=0x20029) [/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1267] in comctl32 (0x0032f9a8)
  8 0x2b310fac TOOLTIPS_SubclassProc+0x9b(hwnd=0x3036e, uMsg=0x202, wParam=0, lParam=0x20029, uID=0x1, dwRef=0x60372) [/home/focht/projects/wine/wine-git/dlls/comctl32/tooltips.c:2145] in comctl32 (0x0032f9e8)
  9 0x2b28be44 DefSubclassProc+0x1c2(hWnd=0x3036e, uMsg=0x202, wParam=0, lParam=0x20029) [/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1272] in comctl32 (0x0032fa38)
  10 0x2b28bb7b COMCTL32_SubclassProc+0x134(hWnd=0x3036e, uMsg=0x202, wParam=0, lParam=0x20029) [/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1214] in comctl32 (0x0032fa98)
  11 0x6842f2d2 WINPROC_wrapper+0x19() in user32 (0x0032fac8)
  12 0x6842f427 call_window_proc+0xcd(hwnd=0x3036e, msg=0x202, wp=0, lp=0x20029, result=0x32fc48, arg=0x2b28ba46) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32 (0x0032fb18)
  13 0x684317b3 WINPROC_call_window+0x211(hwnd=0x3036e, msg=0x202, wParam=0, lParam=0x20029, result=0x32fc48, unicode=0, mapping=WMCHAR_MAP_DISPATCHMESSAGE) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:908] in user32 (0x0032fb68)
  14 0x683f434c DispatchMessageA+0x17d(msg=0x32fd10) [/home/focht/projects/wine/wine-git/dlls/user32/message.c:3742] in user32 (0x0032fc78)
  15 0x7bc64852 call_entry_point+0x29() in ntdll (0x0032fc98)
  16 0x7bc64a7d relay_call+0x1bb(descr=0x6846f120, idx=0x1009e, stack=0x32fcfc) [/home/focht/projects/wine/wine-git/dlls/ntdll/relay.c:435] in ntdll (0x0032fce8)
  17 0x68388b01 in user32 (+0x8b00) (0x0032fd38)
  18 0x6600a4a3 in msvbvm60 (+0xa4a2) (0x0032fd38)
--- snip ---
The VB6 app subclasses controls, installing its own window proc thunks...
First it converts the hex opcode string to binary:
--- snip ---
0023:Call oleaut32.VarBstrCat(0014f254 L"5589E583C4F85731C08945FC8945F8EB0EE80000000083F802742185C07424E830000000837DF800750AE838000000E84D0000005F8B45FCC9C21000E826000000EBF168000000006AFCFF7508E800000000EBE031D24ABF00000000B900000000E82D000000C3FF7514FF7510FF750CFF75086800000000E8000000008945FCC331D2BF00000000B900000000E801000000C3E33209",0049b38c L"C978078B450CF2AF75278D4514508D4510508D450C508D4508508D45FC508D45F85052B800000000508B00FF90A4070000C3",0032f4e4) ret=660e5f4d
...
0023:Call oleaut32.VarParseNumFromStr(0014e674 L"&H55",00000409,80000000,0032f4a0,0032f480) ret=660d31fd
...
0023:Call oleaut32.VarParseNumFromStr(01698094 L"&HC3",00000409,80000000,0032e75c,0032e73c) ret=660d31fd
0023:Ret oleaut32.VarParseNumFromStr() retval=00000000 ret=660d31fd
...
--- snip ---
Allocate heap memory for the window proc thunk (01657050-0x1657118):
--- snip --- ... 0023:Call KERNEL32.GlobalAlloc(00000000,000000c8) ret=0081bf65 0023:Ret KERNEL32.GlobalAlloc() retval=01657050 ret=0081bf65 ... --- snip ---
Set the window proc:
--- snip ---
0023:Call user32.SetWindowLongA(0003036e,fffffffc,01657050) ret=0081bf84
0023:trace:win:WIN_SetWindowLong 0x3036e -4 1657050 A
0023:trace:win:alloc_winproc allocated 0xffff006c for A 0x1657050 (109/4096 used)
0023:Ret user32.SetWindowLongA() retval=6605f626 ret=0081bf84
...
--- snip ---
Fill the thunk with code:
--- snip ---
0023:Call ntdll.RtlMoveMemory(01657050,01665ba0,000000c8) ret=0081bfa7
0023:Ret ntdll.RtlMoveMemory() retval=01657050 ret=0081bfa7
...
--- snip ---
Patch all intermodular calls:
--- snip ---
0023:Call ntdll.RtlMoveMemory(01657062,0032e770,00000004) ret=0081c825
0023:Ret ntdll.RtlMoveMemory() retval=01657062 ret=0081c825
...
0023:Call ntdll.RtlMoveMemory(01657094,0032e7a4,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=01657094 ret=0081c89d
...
0023:Call ntdll.RtlMoveMemory(0165709e,0032e770,00000004) ret=0081c825
0023:Ret ntdll.RtlMoveMemory() retval=0165709e ret=0081c825
...
0023:Call ntdll.RtlMoveMemory(016570c4,0032e7a4,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=016570c4 ret=0081c89d
...
0023:Call ntdll.RtlMoveMemory(016570c9,0032e770,00000004) ret=0081c825
0023:Ret ntdll.RtlMoveMemory() retval=016570c9 ret=0081c825
...
0023:Call ntdll.RtlMoveMemory(0165710a,0032e7a4,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=0165710a ret=0081c89d
...
0023:Call oleaut32.SysFreeString(016572bc L"5589E583C4F85731C08945FC8945F8EB0EE80000000083F802742185C07424E830000000837DF800750AE838000000E84D0000005F8B45FCC9C21000E826000000EBF168000000006AFCFF7508E800000000EBE031D24ABF00000000B900000000E82D000000C3FF7514FF7510FF750CFF75086800000000E8000000008945FCC331D2BF00000000B900000000E801000000C3E33209C"...) ret=660e60c0
...
--- snip ---
Subclassing once more (old = 01657050, new = 2b28ba46)...
--- snip ---
0023:Call user32.SetWindowLongA(0003036e,fffffffc,2b28ba46) ret=2b28b5d9
0023:trace:win:WIN_SetWindowLong 0x3036e -4 2b28ba46 A
0023:trace:win:alloc_winproc reusing 0xffff0069 for 0x2b28ba46
0023:Ret user32.SetWindowLongA() retval=01657050 ret=2b28b5d9
...
0023:Call user32.CallWindowProcA(01657050,0003036e,00000055,00060372,00000003) ret=2b28bdee
0023:Call window proc 0x1657050 (hwnd=0x3036e,msg=WM_NOTIFYFORMAT,wp=00060372,lp=00000003)
0023:Call user32.CallWindowProcA(6605f626,0003036e,00000055,00060372,00000003) ret=016570cd
0023:Call window proc 0x6605f626 (hwnd=0x3036e,msg=WM_NOTIFYFORMAT,wp=00060372,lp=00000003)
...
0023:Call user32.CallWindowProcA(01657050,0003036e,00000046,00000000,0032ebc8) ret=2b28bdee
0023:Call window proc 0x1657050 (hwnd=0x3036e,msg=WM_WINDOWPOSCHANGING,wp=00000000,lp=0032ebc8)
0023:Call user32.CallWindowProcA(6605f626,0003036e,00000046,00000000,0032ebc8) ret=016570cd
0023:Call window proc 0x6605f626 (hwnd=0x3036e,msg=WM_WINDOWPOSCHANGING,wp=00000000,lp=0032ebc8)
--- snip ---
Destruction of windows/controls and restoration of the old window proc. NOTE: the subclassed window proc thunk memory is released here!
--- snip ---
...
0023:Call user32.SetWindowLongA(0003036e,fffffffc,6605f626) ret=0081c270
0023:trace:win:WIN_SetWindowLong 0x3036e -4 6605f626 A
0023:trace:win:alloc_winproc reusing 0xffff0028 for 0x6605f626
0023:Ret user32.SetWindowLongA() retval=2b28ba46 ret=0081c270
...
0023:Call ntdll.RtlMoveMemory(016570ad,0032f0d8,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=016570ad ret=0081c89d
...
0023:Call ntdll.RtlMoveMemory(016570d9,0032f0d8,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=016570d9 ret=0081c89d
...
0023:Call KERNEL32.GlobalFree(01657050) ret=0081c2a6
0023:Ret KERNEL32.GlobalFree() retval=00000000 ret=0081c2a6
...
0023:Ret window proc 0x6605f626 (hwnd=0x3036e,msg=WM_DESTROY,wp=00000000,lp=00000000) retval=00000000
0023:trace:win:WIN_DestroyWindow 0x3036e
0023:trace:msg:WINPROC_CallProcWtoA (hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000)
0023:Call window proc 0x6605f626 (hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000)
...
0023:Call user32.DefWindowProcA(0003036e,00000082,00000000,00000000) ret=6605d591
0023:Ret user32.DefWindowProcA() retval=00000000 ret=6605d591
0023:Ret window proc 0x6605f626 (hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000) retval=00000000
0023:trace:win:dc_hook hDC = 0xc534, 1
0023:Ret user32.DestroyWindow() retval=00000001 ret=6605b4f6
--- snip ---
What the thunk looks like (virtual addresses are from another run and don't match the other trace snippets):
--- snip ---
0165A040  55             PUSH EBP
0165A041  89E5           MOV EBP,ESP
0165A043  83C4 F8        ADD ESP,-8
0165A046  57             PUSH EDI
...
0165A0FF  8B00           MOV EAX,DWORD PTR DS:[EAX]
0165A101  FF90 A4070000  CALL DWORD PTR DS:[EAX+7A4]
0165A107  C3             RETN
--- snip ---
Memory dump while the thunk was intact (virtual addresses are from another run and don't match the other trace snippets):
--- snip ---
0165F780 000000C8  <len>
0165F784 00455355  USE <magic>
0165F788 83E58955  <window proc start>
0165F78C 3157F8C4
...
0165F844 8B500000
0165F848 A490FF00
0165F84C C3000007  <window proc end = ret opcode>
0165F850 00000071  <len>
0165F854 45455246  FREE <magic>
0165F858 001100E8
0165F85C 001100D8
0165F860 00000000
--- snip ---
When the window proc memory chunk is marked free, the "c3" opcode ("ret") is overwritten, which leads to the crash after returning from the call "CALL DWORD PTR DS:[EAX+7A4]" (0165A101).
A window/control hierarchy destruction sequence happens during nested message handling for WM_LBUTTONUP ("about" dialog, tooltip).
Either the nested message handling (COMCTL32_SubclassProc) has a bug, or this is an application bug that stays hidden on Windows because of different heap management (the ret opcode is not immediately overwritten by the heap free operation, so the window proc can still return to its caller).
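The following is an added example written for this report; it is not code from the bug report, the application, or Wine. It replays the thunk lifecycle reconstructed above: the opcode hex string logged in the VarBstrCat call is decoded to bytes (the app does this one "&Hxx" at a time with VarParseNumFromStr), the patch addresses from the RtlMoveMemory calls are checked against the decoded bytes (the dword each one overwrites should sit right after a call or imm32 opcode), and the thunk is then placed in a toy 0xC8-byte chunk and "freed" under two assumed heap models. The chunk layout (dword length, dword magic "USE"/"FREE", body) is copied from the dump; the two free strategies (one that writes a free-arena back-pointer into the block's last dword, one that only rewrites the header) are this example's own assumptions standing in for the Wine and Windows heaps, not something the trace proves. The bytes are only parsed and inspected, never executed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Thunk opcodes exactly as logged in the VarBstrCat call (both BSTR halves joined). */
static const char thunk_hex[] =
    "5589E583C4F85731C08945FC8945F8EB0EE80000000083F802742185C07424E8"
    "30000000837DF800750AE838000000E84D0000005F8B45FCC9C21000E826000000"
    "EBF168000000006AFCFF7508E800000000EBE031D24ABF00000000B900000000"
    "E82D000000C3FF7514FF7510FF750CFF75086800000000E8000000008945FCC3"
    "31D2BF00000000B900000000E801000000C3E33209"
    "C978078B450CF2AF75278D4514508D4510508D450C508D4508508D45FC508D45"
    "F85052B800000000508B00FF90A4070000C3";

/* Thunk base and GlobalAlloc size, from the trace. */
#define THUNK_BASE 0x01657050u
#define THUNK_SIZE 0xC8u

/* Toy arena (assumed): dword len, dword magic, then the body, mirroring the
 * <len>/<magic> columns of the memory dump. "USE\0" and "FREE" as little-endian dwords. */
#define HDR 8
#define MAGIC_USE  0x00455355u
#define MAGIC_FREE 0x45455246u
static uint8_t heap[0x200];

static int nib(char c) {
    return c >= '0' && c <= '9' ? c - '0' : c >= 'A' && c <= 'F' ? c - 'A' + 10 : -1;
}

/* Decode "5589E5..." into bytes, pair by pair, like the app's "&Hxx" loop. Returns the byte count, 0 on bad input. */
size_t decode_thunk(uint8_t *out, size_t cap) {
    size_t n = strlen(thunk_hex) / 2, i;
    if (strlen(thunk_hex) % 2 || n > cap) return 0;
    for (i = 0; i < n; i++) {
        int hi = nib(thunk_hex[2 * i]), lo = nib(thunk_hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return 0;
        out[i] = (uint8_t)(hi << 4 | lo);
    }
    return n;
}

int thunk_byte_count(void) { uint8_t buf[THUNK_SIZE]; return (int)decode_thunk(buf, sizeof buf); }

/* Opcode just before a dword the app patched with RtlMoveMemory(addr, src, 4):
 * E8 = call rel32 being relocated, 68/B8/B9/BF = an imm32 being filled with a pointer. -1 if out of range. */
int patched_operand_opcode(uint32_t patch_addr) {
    uint8_t code[THUNK_SIZE];
    size_t off = patch_addr - THUNK_BASE;
    if (decode_thunk(code, sizeof code) != THUNK_SIZE || off == 0 || off + 4 > THUNK_SIZE) return -1;
    return code[off - 1];
}

static void wr32(size_t at, uint32_t v) { memcpy(heap + at, &v, 4); }
static uint32_t rd32(size_t at) { uint32_t v; memcpy(&v, heap + at, 4); return v; }

/* Put the decoded thunk into an in-use chunk at the start of the arena; returns the body offset. */
static size_t place_thunk(void) {
    wr32(0, THUNK_SIZE);
    wr32(4, MAGIC_USE);
    decode_thunk(heap + HDR, THUNK_SIZE);
    return HDR;
}

/* The invariant the report relies on: the chunk's last byte is still the C3 ret. */
static int ret_intact(size_t body) { return heap[body + rd32(body - HDR) - 1] == 0xC3; }

/* Heap model A (assumed): free rewrites the header, links the block into a free list
 * and stores a back-pointer to the free arena in the block's last dword. */
static void free_with_tail_link(size_t body) {
    wr32(body - 4, MAGIC_FREE);
    wr32(body, 0); wr32(body + 4, 0);                          /* free-list next / prev */
    wr32(body + rd32(body - HDR) - 4, (uint32_t)(body - HDR)); /* clobbers the trailing ret */
}

/* Heap model B (assumed): free only touches the header and the first dwords of the body. */
static void free_header_only(size_t body) {
    wr32(body - 4, MAGIC_FREE);
    wr32(body, 0); wr32(body + 4, 0);
}

/* GlobalFree while the thunk is still on the call stack, under each model. */
int ret_survives_tail_link_free(void) { size_t b = place_thunk(); free_with_tail_link(b); return ret_intact(b); }
int ret_survives_header_only_free(void) { size_t b = place_thunk(); free_header_only(b); return ret_intact(b); }

/* Mitigation model: the destroy path only marks the thunk for release and the real free
 * happens after the window proc has returned, so the ret executes from intact memory. */
int ret_survives_deferred_free(void) {
    size_t b = place_thunk(), pending = b;
    int ok = ret_intact(b);       /* the thunk's ret runs here; nothing has touched the block yet */
    free_with_tail_link(pending); /* release only after the return */
    return ok;
}

int main(void) {
    printf("decoded %d bytes (GlobalAlloc size 0x%X)\n", thunk_byte_count(), THUNK_SIZE);
    printf("opcode before patched dword at 0x01657062: %02X\n", patched_operand_opcode(0x01657062));
    printf("ret intact after free: tail-link heap %d, header-only heap %d, deferred free %d\n",
           ret_survives_tail_link_free(), ret_survives_header_only_free(), ret_survives_deferred_free());
    return 0;
}
```

Decoding yields exactly 0xC8 bytes, matching the GlobalAlloc size, and the last byte is the C3 the disassembly ends with; the patch addresses from the trace all land on the operand of an E8 call or of a push/mov imm32. Only the heap model that writes into the tail of a freed block destroys that ret, which is the asymmetry the report proposes between Wine and Windows, and deferring the release until the window proc has returned keeps it intact under either model.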
$ sha1sum "Vit Registry Fix Free Edition Setup.exe"
0319916dff8a57ab11a1796f3fff817379936fae  Vit Registry Fix Free Edition Setup.exe

$ wine --version
wine-1.3.34-353-g6fe14a0
Regards