[Bug 25264] ExamXML crashes when opening an XML file

http://bugs.winehq.org/show_bug.cgi?id=25264

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |focht@gmx.net Component|-unknown |comctl32 Ever Confirmed|0 |1

--- Comment #4 from Anastasius Focht focht@gmx.net 2011-12-20 11:52:52 CST --- Hello,

confirming, still present. It seems the heap gets corrupted in treeview control.

There is some overly long treeview item text. The "overwrite" pattern 0x20202024 looks like part of treeview item text.

--- snip --- 0023:trace:treeview:TREEVIEW_UpdateDispInfo resulting code 0xfffffe3c 0023:Call KERNEL32.LocalReAlloc(001600f0,00000104,00000042) ret=6835f96b 0023:Ret KERNEL32.LocalReAlloc() retval=001600f0 ret=6835f96b 0023:trace:treeview:TREEVIEW_UpdateDispInfo returned wstr L"\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020"..., len=260 0023:Call gdi32.SelectObject(000012b0,00001214) ret=683efbf3 0023:Ret gdi32.SelectObject() retval=00001214 ret=683efbf3 0023:Call gdi32.GetTextExtentPoint32W(000012b0,001600f0 L"\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020"...,000000a0,0032f550) ret=683ef996 0023:Ret gdi32.GetTextExtentPoint32W() retval=00000001 ret=683ef996 ... 0023:trace:treeview:TREEVIEW_WindowProc hwnd 0x500aa msg 0047 wp=00000000 lp=0032f428 0023:Call user32.DefWindowProcW(000500aa,00000047,00000000,0032f428) ret=683fb197 0023:Call window proc 0x413ab0 (hwnd=0x500aa,msg=WM_SIZE,wp=00000000,lp=026302c7) 0023:Call user32.CallWindowProcW(683fa45e,000500aa,00000005,00000000,026302c7) ret=00413b26 0023:Call window proc 0x683fa45e (hwnd=0x500aa,msg=WM_SIZE,wp=00000000,lp=026302c7) 0023:Call user32.GetWindowLongW(000500aa,00000000) ret=683ee1cd 0023:Ret user32.GetWindowLongW() retval=00147fb8 ret=683ee1cd 0023:trace:treeview:TREEVIEW_WindowProc hwnd 0x500aa msg 0005 wp=00000000 lp=026302c7 0023:trace:treeview:TREEVIEW_SetFirstVisible 0x14e508: L"\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020\2020"... 0023:trace:treeview:TREEVIEW_GetVisibleCount client=611, item=18 0023:Call user32.GetSystemMetrics(00000014) ret=683f3ffa 0023:Ret user32.GetSystemMetrics() retval=00000010 ret=683f3ffa 0023:Call user32.ShowScrollBar(000500aa,00000000,00000001) ret=683f4203 0023:Ret user32.ShowScrollBar() retval=00000001 ret=683f4203 0023:Call user32.SetScrollInfo(000500aa,00000000,0032e900,00000001) ret=683f4239 0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc458e0 ip=7bc458e0 tid=0023 0023:trace:seh:raise_exception info[0]=00000001 0023:trace:seh:raise_exception info[1]=20202024 0023:trace:seh:raise_exception eax=20202020 ebx=7bcc0084 ecx=000502b8 edx=20202020 esi=7ffdf000 edi=00000000 0023:trace:seh:raise_exception ebp=0032e388 esp=0032e388 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010216 ... --- snip ---

Small debugging session, immediately before the corruption:

--- snip --- Wine-dbg>bt Backtrace: =>0 0x684b301a GetTextExtentPoint32W(hdc=0x12b0, str="åååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååååå", count=0xa0, size=0x33f6cc) [/home/focht/projects/wine/wine-git/dlls/gdi32/font.c:1005] in gdi32 (0x0033f6e4) 1 0x683eac0f TREEVIEW_UpdateSubTree+0x111(infoPtr=0x1374e8, root=0x1622f0) [/home/focht/projects/wine/wine-git/dlls/comctl32/treeview.c:998] in comctl32 (0x0033f714) 2 0x683f03e6 TREEVIEW_Expand+0x280(infoPtr=0x1374e8, item=0x1569a0, partial=0, user=0) [/home/focht/projects/wine/wine-git/dlls/comctl32/treeview.c:3391] in comctl32 (0x0033f7a4) 3 0x683f0960 TREEVIEW_ExpandMsg+0x117(infoPtr=0x1374e8, flag=0x2, item=0x1569a0) [/home/focht/projects/wine/wine-git/dlls/comctl32/treeview.c:3549] in comctl32 (0x0033f7f4) 4 0x683f59f4 TREEVIEW_WindowProc+0x595(hwnd=0x50084, uMsg=0x1102, wParam=0x2, lParam=0x1569a0) [/home/focht/projects/wine/wine-git/dlls/comctl32/treeview.c:5621] in comctl32 (0x0033f854) 5 0x7c77e2d2 WINPROC_wrapper+0x19() in user32 (0x0033f884) 6 0x7c77e427 call_window_proc+0xcd(hwnd=0x50084, msg=0x1102, wp=0x2, lp=0x1569a0, result=0x33f904, arg=0x683f545e) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32 (0x0033f8d4) 7 0x7c7809a1 CallWindowProcW+0x63(func=0x683f545e, hwnd=0x50084, msg=0x1102, wParam=0x2, lParam=0x1569a0) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:980] in user32 (0x0033f914) 8 0x00413b26 in examxmlpro (+0x13b25) (0x7c78093d) Wine-dbg>c Unhandled exception: page fault on write access to 0x20202024 in 32-bit code (0x7bc458e0). Register dump: CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b EIP:7bc458e0 ESP:0033f134 EBP:0033f134 EFLAGS:00010206( R- -- I - -P- ) EAX:20202020 EBX:7bcc0084 ECX:0003b580 EDX:001100f8 ESI:7ffdf000 EDI:0033f4c8 Stack dump: 0x0033f134: 0033f194 7bc49e2c 0014b448 00000128 0x0033f144: 0033f15c 0012c7d0 7c7b9690 7c7b9690 0x0033f154: 0033f174 7c76b5de 00110014 0033f488 0x0033f164: 0033f174 7bc3342f 6851b024 00000001 0x0033f174: 0014b440 7bc33e58 6851b024 0033f488 0x0033f184: 00110000 00000128 0012c7d0 7c7b9690 000c: sel=0067 base=00000000 limit=00000000 32-bit rw- Backtrace: =>0 0x7bc458e0 list_remove+0xe(elem=0x14b448) [/home/focht/projects/wine/wine-git/include/wine/list.h:98] in ntdll (0x0033f134) 1 0x7bc49e2c RtlAllocateHeap+0x263(heap=0x110000, flags=0x2, size=0x123) [/home/focht/projects/wine/wine-git/dlls/ntdll/heap.c:1699] in ntdll (0x0033f194) 2 0x7c74cb82 update_visible_region+0x6c(dce=0x1394c8) [/home/focht/projects/wine/wine-git/dlls/user32/painting.c:123] in user32 (0x0033f294) 3 0x7c74ebf7 GetDCEx+0x538(hwnd=0x20022, hrgnClip=(nil), flags=0x12) [/home/focht/projects/wine/wine-git/dlls/user32/painting.c:1035] in user32 (0x0033f314) 4 0x68b6b5cb move_window_bits+0xbd(data=0x137a90, old_rect=0x33f594, new_rect=0x33f584, old_client_rect=0x33f3f0) [/home/focht/projects/wine/wine-git/dlls/winex11.drv/window.c:1620] in winex11 (0x0033f3b4) 5 0x68b6de93 X11DRV_WindowPosChanged+0x2cb(hwnd=0x50084, insert_after=(nil), swp_flags=0x1037, rectWindow=0x33f5b4, rectClient=0x33f5a4, visible_rect=0x33f518, valid_rects=0x33f584) [/home/focht/projects/wine/wine-git/dlls/winex11.drv/window.c:2524] in winex11 (0x0033f454) 6 0x7c77b9ed set_window_pos+0x39d(hwnd=0x50084, insert_after=(nil), swp_flags=0x1037, window_rect=0x33f5b4, client_rect=0x33f5a4, valid_rects=0x33f584) [/home/focht/projects/wine/wine-git/dlls/user32/winpos.c:2006] in user32 (0x0033f554) 7 0x7c77bc93 USER_SetWindowPos+0x29a(winpos=0x33f624) [/home/focht/projects/wine/wine-git/dlls/user32/winpos.c:2077] in user32 (0x0033f5e4) 8 0x7c77bfcb SetWindowPos+0x139(hwnd=0x50084, hwndInsertAfter=(nil), x=0, y=0, cx=0, cy=0, flags=0x37) [/home/focht/projects/wine/wine-git/dlls/user32/winpos.c:2151] in user32 (0x0033f654) 9 0x7c756239 SCROLL_ShowScrollBar+0x180(hwnd=0x50084, nBar=0, fShowH=0x1, fShowV=0) [/home/focht/projects/wine/wine-git/dlls/user32/scroll.c:1987] in user32 (0x0033f6a4) 10 0x7c7562ac ShowScrollBar+0x49(hwnd=0x50084, nBar=0, fShow=0x1) [/home/focht/projects/wine/wine-git/dlls/user32/scroll.c:2014] in user32 (0x0033f6c4) 11 0x683ef203 TREEVIEW_UpdateScrollBars+0x38c(infoPtr=0x1374e8) [/home/focht/projects/wine/wine-git/dlls/comctl32/treeview.c:2825] in comctl32 (0x0033f714) 12 0x683f03f1 TREEVIEW_Expand+0x28b(infoPtr=0x1374e8, item=0x1569a0, partial=0, user=0) [/home/focht/projects/wine/wine-git/dlls/comctl32/treeview.c:3392] in comctl32 (0x0033f7a4) ... --- snip ---

'winetricks comctl32' fixes the crash/corruption.

$ sha1sum examxmlpro.exe ccbd325c3f3e73afbc7d3ccaa8ba6574dc23409c examxmlpro.exe

$ wine --version wine-1.3.35-43-gd9d4a06

Regards