http://bugs.winehq.org/show_bug.cgi?id=30567
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
            Version|unspecified                 |1.5.3
                URL|                            |www.paltalk.com/download/0.
                   |                            |x/pal_install_r110010.exe
           Keywords|                            |download
          Component|-unknown                    |kernel32
                 CC|                            |focht@gmx.net
     Ever Confirmed|0                           |1
            Summary|Paltalk Messenger crashes   |Paltalk Messenger crashes
                   |on start                    |on start
                   |                            |(kernel32.OutputDebugString
                   |                            |A needs to cope with NULL
                   |                            |pointer)

--- Comment #4 from Anastasius Focht focht@gmx.net 2012-05-02 14:50:12 CDT ---
Hello,
confirming. There is a crash when trying to login (you can use any input for testing).
The app makes extensive use of the OutputDebugString() API for logging purposes.

--- snip ---
...
0037:Call KERNEL32.OutputDebugStringA(00882c34 "palserver::NetworkingError\n ") ret=006fcd54
0037:warn:debugstr:OutputDebugStringA "palserver::NetworkingError\n "
0037:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=006fcd54
0037:Call KERNEL32.OutputDebugStringA(00000000) ret=006fcd5e
0037:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b835877 ip=7b835877 tid=0037
0037:trace:seh:raise_exception info[0]=00000000
0037:trace:seh:raise_exception info[1]=00000000
0037:trace:seh:raise_exception eax=00000000 ebx=7b8b06b0 ecx=ffffffff edx=00000000 esi=0d19e834 edi=00000000
0037:trace:seh:raise_exception ebp=0d19e908 esp=0d19e800 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010212
--- snip ---
The relevant app code:
--- snip ---
006FCD40  55              PUSH EBP
006FCD41  8BEC            MOV EBP,ESP
006FCD43  83EC 08         SUB ESP,8
006FCD46  894D F8         MOV DWORD PTR SS:[EBP-8],ECX
006FCD49  68 342C8800     PUSH OFFSET 00882C34 ; "palserver::NetworkingError "
006FCD4E  FF15 B8B38600   CALL DWORD PTR DS:[<&KERNEL32.OutputDebugStringA>]
006FCD54  8B45 0C         MOV EAX,DWORD PTR SS:[EBP+0C]
006FCD57  50              PUSH EAX ; NULL ptr
006FCD58  FF15 B8B38600   CALL DWORD PTR DS:[<&KERNEL32.OutputDebugStringA>]
006FCD5E  68 60DE8600     PUSH OFFSET 0086DE60
006FCD63  FF15 B8B38600   CALL DWORD PTR DS:[<&KERNEL32.OutputDebugStringA>]
006FCD69  8B4D F8         MOV ECX,DWORD PTR SS:[EBP-8]
006FCD6C  8B91 AC000000   MOV EDX,DWORD PTR DS:[ECX+0AC]
006FCD72  52              PUSH EDX
006FCD73  6A 00           PUSH 0
006FCD75  FF15 18B88600   CALL DWORD PTR DS:[<&USER32.KillTimer>]
...
--- snip ---

The caller passes a hard-coded NULL pointer parameter to the second OutputDebugStringA:

--- snip ---
006FCFFA  6A 00           PUSH 0
006FCFFC  6A 00           PUSH 0
006FCFFE  8B4D F8         MOV ECX,DWORD PTR SS:[EBP-8]
006FD001  E8 3AFDFFFF     CALL 006FCD40
006FD006  33C0            XOR EAX,EAX
--- snip ---
Wine needs to cope with NULL ptr passed to OutputDebugStringA.
Source: http://source.winehq.org/git/wine.git/blob/b5a33dab886df6352011457932713ed32...
--- snip ---
243 void WINAPI OutputDebugStringA( LPCSTR str )
244 {
245     static HANDLE DBWinMutex = NULL;
246     static BOOL mutex_inited = FALSE;
247
248     /* send string to attached debugger */
249     SERVER_START_REQ( output_debug_string )
250     {
251         req->string = wine_server_client_ptr( str );
252         req->length = strlen(str) + 1;
253         wine_server_call( req );
254     }
255     SERVER_END_REQ;
256
257     WARN("%s\n", debugstr_a(str));
--- snip ---
Crash is at line 252 (strlen).
With OutputDebugStringA fixed the app doesn't crash and validates the login. I don't have an account to play further.
$ du -sh pal_install_r110010.exe
24M pal_install_r110010.exe

$ sha1sum pal_install_r110010.exe
c83e74876b47a8b5e9f25fd3f4652704c0de1ee5 pal_install_r110010.exe

$ wine --version
wine-1.5.3-73-g93a0ca7
Regards
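
Added example, not part of the original comment and not Wine's code: a stand-alone C model of the request setup shown above that treats a NULL argument as an empty string before strlen() is reached. The request struct, send_request(), replay_logging_sequence() and the third logged string are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the output_debug_string server request. */
struct debug_request {
    const char *string;
    size_t length; /* bytes, including the terminating NUL */
};

/* Assumption: record requests locally instead of calling a server. */
static struct debug_request last_request;
static unsigned int request_count;

static void send_request(const struct debug_request *req)
{
    last_request = *req;
    request_count++;
}

/* Hardened shape: normalise NULL before strlen() ever sees the argument. */
void output_debug_string_a(const char *str)
{
    struct debug_request req;
    if (!str) str = ""; /* assumption: NULL is logged as an empty string */
    req.string = str;
    req.length = strlen(str) + 1;
    send_request(&req);
}

/* Replays the three calls from the disassembly; the second passes NULL.
 * The third string is constructed, its real content is not on the page. */
size_t replay_logging_sequence(void)
{
    const char *args[] = { "palserver::NetworkingError\n ", NULL, "\n" };
    size_t i, total = 0;
    request_count = 0;
    for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        output_debug_string_a(args[i]);
        total += last_request.length;
    }
    return total;
}

int main(void)
{
    size_t total = replay_logging_sequence();
    printf("requests=%u bytes=%lu\n", request_count, (unsigned long)total);
    return 0;
}
```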