https://bugs.winehq.org/show_bug.cgi?id=35127
--- Comment #15 from Zhiyi Zhang yi.gd.cn@gmail.com ---
This is due to the application trying to write to an internal structure.
$ winedbg
winedbg>break TREEVIEW_SendCustomDrawItemNotify
winedbg>c
winedbg>watch * (value of item + 0x18)
winedbg>c
watchpoint should now be triggered
Using 'info reg', you should see that ESI points to item, and the instruction tried to write to $item+0x1a.
Wine-dbg>disas 0x004f1040,0x004f1080
0x004f1040: jl 0x004f1066
0x004f1042: orb %dl,0xffffff8b(%edi)
0x004f1045: pushl %ecx
0x004f1046: clc
0x004f1047: pushl %edx
0x004f1048: movl 0x8(%eax),%edx
0x004f104b: pushl %ecx
0x004f104c: pushl %edx
0x004f104d: call *0x6b3234 -> 0x7eaed64c GetTextExtentPoint32A [/home/eric/source/wine/wine/dlls/gdi32/font.c:1140] in gdi32
0x004f1053: movl 0x8(%esp),%eax        <- 0x8(%esp) is 0x0000004e
0x004f1057: leal 0x24(%esp),%ecx
0x004f105b: addl $4,%eax               <- +4, then %eax is the written value
0x004f105e: movl $0xffffffff,0x18(%esp)
0x004f1066: movw %ax,0x1a(%esi)        <- corrupts item->pszText; judging by the call to GetTextExtentPoint32A, the application is trying to write to item->textWidth directly. You can also verify this by printing out the value of textWidth and the written value. They should be off by 4.
0x004f106a: andl $0xffff,%eax
0x004f106f: movl %eax,%esi
0x004f1071: call 0x00687e76
0x004f1076: movl 0x10(%esp),%ecx
0x004f107a: movl %esi,%eax
0x004f107c: popl %edi
0x004f107d: popl %esi
0x004f107e: movl %ecx,%fs:0x00000000
Wine-dbg>x 0x0033e268                  <- 0x8(%esp)
0000004e
However, see struct _TREEITEM in comctl32/treeview.c#L139. In struct _TREEITEM, $item+0x1a points to none of the members, because they are all 4-byte aligned. By writing to $item+0x1a, item->pszText gets corrupted.
Adding a 2-byte padding before item->pszText works around this; the application then runs.
Since the application expects textWidth to be at $item+0x1a and textWidth to be 2 bytes long, moving the position of textWidth also works. However, textWidth is now 4 bytes, so moving textWidth also gets it corrupted, but it seems that the application still runs.
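As an added example (not code from the report or from Wine), here is a constructed C model of the layout mismatch the trace shows: the 16-bit store at item+0x1a that the application intends for a 2-byte textWidth lands inside Wine's 4-byte-aligned pszText, while a 2-byte pad before pszText moves the pointer out of the way. Member names other than pszText and textWidth, and all values, are assumptions.

```c
/* Constructed model of the clash: the app assumes a 16-bit textWidth at
 * item+0x1a; Wine's _TREEITEM has only 4-byte members, so +0x1a falls
 * inside pszText (+0x18). hdr[] stands in for the members before pszText;
 * pointers are uint32_t because the application is a 32-bit process. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct item_wine {              /* Wine-style layout: all 4-byte members */
    uint32_t hdr[6];            /* placeholder for the members before pszText */
    uint32_t pszText;           /* offset 0x18, 32-bit pointer value */
    int32_t  textWidth;         /* offset 0x1c, where Wine keeps it */
};

struct item_padded {            /* the comment's workaround: pad pszText */
    uint32_t hdr[6];
    uint16_t pad;               /* 0x18..0x19; compiler pads 0x1a..0x1b */
    uint32_t pszText;           /* now at 0x1c, clear of the stray store */
    int32_t  textWidth;         /* 0x20 */
};

/* Emulates "movw %ax,0x1a(%esi)" from the trace: a 16-bit store of the
 * measured width plus 4 at item+0x1a. */
static void app_store_width(void *item, uint16_t width_plus_4)
{
    memcpy((uint8_t *)item + 0x1a, &width_plus_4, sizeof width_plus_4);
}

#define SAMPLE_PSZTEXT 0x00401000u  /* constructed pointer value */
#define SAMPLE_WIDTH   0x4eu        /* the 0x0000004e seen at 0x8(%esp) */

/* pszText value left behind in Wine's layout after the store. */
uint32_t pszText_after_store_wine(void)
{
    struct item_wine it = {{0}, SAMPLE_PSZTEXT, 0};
    app_store_width(&it, SAMPLE_WIDTH + 4);
    return it.pszText;          /* != SAMPLE_PSZTEXT: pointer is corrupted */
}

/* Same store against the padded layout: pszText is untouched. */
uint32_t pszText_after_store_padded(void)
{
    struct item_padded it = {{0}, 0, SAMPLE_PSZTEXT, 0};
    app_store_width(&it, SAMPLE_WIDTH + 4);
    return it.pszText;          /* == SAMPLE_PSZTEXT */
}
```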