http://bugs.winehq.org/show_bug.cgi?id=35269
Bug ID: 35269
Summary: Mobile Master crashes on startup (array-index out of bounds for IFile_tid in scrrun get_typeinfo)
Product: Wine
Version: 1.7.9
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: scrrun
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Classification: Unclassified
Hello folks,
while verifying bug 27180 I stumbled into another problem :|
Relevant part of backtrace:
--- snip ---
Unhandled exception: page fault on read access to 0x00000001 in 32-bit code (0xf7550803).
...
Backtrace:
=>0 0xf7550803 __memcmp_sse4_2+0x163() in libc.so.6 (0x0033e488)
  1 0x7e713a8e ITypeLib2_fnGetTypeInfoOfGuid+0xcd(iface=<couldn't compute location>, guid=<couldn't compute location>, ppTInfo=<couldn't compute location>) [/home/focht/projects/wine/wine-git/dlls/oleaut32/typelib.c:4960] in oleaut32 (0x0033e488)
  2 0x7ded5435 get_typeinfo+0x81(tid=IFile_tid, typeinfo=0x33e548) [/home/focht/projects/wine/wine-build32/dlls/scrrun/../../include/oaidl.h:2669] in scrrun (0x0033e508)
  3 0x7ded0ad7 file_GetIDsOfNames+0xba(iface=<couldn't compute location>, riid=<couldn't compute location>, rgszNames=<couldn't compute location>, cNames=<couldn't compute location>, lcid=<couldn't compute location>, rgDispId=<couldn't compute location>) [/home/focht/projects/wine/wine-git/dlls/scrrun/filesystem.c:704] in scrrun (0x0033e588)
  4 0x72a478d1 in msvbvm60 (+0x1078d0) (0x0033e5b8)
  5 0x72a48336 in msvbvm60 (+0x108335) (0x0033e5e4)
  6 0x72a410e0 in msvbvm60 (+0x1010df) (0x0033f848)
  7 0x72991d33 in msvbvm60 (+0x51d32) (0x0033f854)
  8 0x004454e4 in mobilemaster (+0x454e3) (0x0033f864)
...
0xf7550803 __memcmp_sse4_2+0x163 in libc.so.6: movl 0xfffffff0(%edx),%ebx
Modules:
Module      Address               Debug info  Name (72 modules)
PE            400000-  bc6000    Export          mobilemaster
PE          113d0000-114c0000    Deferred        tssofficemenu1d
PE          72940000-72a93000    Export          msvbvm60
ELF         7b800000-7ba61000    Dwarf           kernel32<elf>
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000024 MMStarter.exe
        00000025    0
00000026 (D) C:\Program Files\Mobile Master\MobileMaster.exe
        00000029    0
        00000028    0
        00000027    0 <==
--- snip ---
Trace log with +ole gives a bit of hint ...
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Mobile Master

$ WINEDEBUG=+tid,+seh,+relay,+scrrun,+typelib wine ./MMStarter.exe >>log.txt 2>&1
...
0026:trace:scrrun:file_GetIDsOfNames (0x152b538)->({00000000-0000-0000-0000-000000000000} 0x33e5c0 1 1033 0x33e5c4)
0026:trace:ole:ITypeLib2_fnGetTypeInfoOfGuid 0x173af8 <guid-0x0001> 0x33e4c4
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf748d803 ip=f748d803 tid=0026
0026:trace:seh:raise_exception info[0]=00000000
0026:trace:seh:raise_exception info[1]=00000001
0026:trace:seh:raise_exception eax=001773d8 ebx=f748d800 ecx=42c642c1 edx=00000011 esi=0033e4a0 edi=7deecda0
0026:trace:seh:raise_exception ebp=0033e488 esp=0033e428 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010287
--- snip ---
Strange GUID in second parameter of ITypeLib2_fnGetTypeInfoOfGuid() ;-)
Source: http://source.winehq.org/git/wine.git/blob/a29d77088ac2b07fb68d84646be2884f4...
--- snip ---
typedef enum tid_t
{
    NULL_tid,
    IDictionary_tid,
    IFileSystem3_tid,
    IFolder_tid,
    ITextStream_tid,
    IFile_tid,
    LAST_tid
} tid_t;
--- snip ---
The corresponding array and referencing code:
Source: http://source.winehq.org/git/wine.git/blob/a29d77088ac2b07fb68d84646be2884f4...
--- snip ---
static REFIID tid_ids[] = {
    &IID_NULL,
    &IID_IDictionary,
    &IID_IFileSystem3,
    &IID_IFolder,
    &IID_IFile
};

...

HRESULT get_typeinfo(tid_t tid, ITypeInfo **typeinfo)
{
    ...
    if(!typeinfos[tid]) {
        ITypeInfo *ti;

        hres = ITypeLib_GetTypeInfoOfGuid(typelib, tid_ids[tid], &ti);
        if(FAILED(hres)) {
            ERR("GetTypeInfoOfGuid(%s) failed: %08x\n", debugstr_guid(tid_ids[tid]), hres);
        }
    ...
}
--- snip ---
'ITextStream_tid' was added with commit http://source.winehq.org/git/wine.git/commitdiff/49a8d4ecb0cb868451c7ba3ded3... but the array was not synchronized, leading to out-of-bounds indexing for 'IFile_tid'.
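Added illustration (not code from the report or from Wine): a stand-alone C reproduction of the enum/table drift described above, with the stale five-entry table next to a synchronised six-entry one, a bounds-checked lookup that refuses to read past the table, and a compile-time size guard of the kind that would have caught the mismatch at build time. The IID struct and the IID_* values are constructed stand-ins, not the real scrrun GUIDs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a COM IID; only its size and contents matter here. */
typedef struct { unsigned char bytes[16]; } IID;
typedef const IID *REFIID;

/* Constructed sample IIDs (not the real scrrun GUIDs). */
static const IID IID_NULL         = {{0}};
static const IID IID_IDictionary  = {{1}};
static const IID IID_IFileSystem3 = {{2}};
static const IID IID_IFolder      = {{3}};
static const IID IID_ITextStream  = {{4}};
static const IID IID_IFile        = {{5}};

/* The enum exactly as quoted in the report: ITextStream_tid sits before IFile_tid. */
typedef enum tid_t {
    NULL_tid,
    IDictionary_tid,
    IFileSystem3_tid,
    IFolder_tid,
    ITextStream_tid,
    IFile_tid,
    LAST_tid
} tid_t;

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* The table as it was when the bug was reported: five entries for an enum of six. */
static REFIID tid_ids_stale[] = {
    &IID_NULL, &IID_IDictionary, &IID_IFileSystem3, &IID_IFolder, &IID_IFile
};

/* The synchronised table: one entry per tid, in enum order. */
static REFIID tid_ids_fixed[] = {
    &IID_NULL, &IID_IDictionary, &IID_IFileSystem3, &IID_IFolder,
    &IID_ITextStream, &IID_IFile
};

/* Compile-time guard: a negative array size fails the build if the table and
 * the enum drift apart again. Point it at tid_ids_stale to see it fire. */
typedef char tid_table_matches_enum[(ARRAY_SIZE(tid_ids_fixed) == LAST_tid) ? 1 : -1];

/* Bounds-checked lookup: returns NULL instead of reading past the table. */
static REFIID lookup_iid(REFIID *table, size_t table_len, tid_t tid)
{
    if ((size_t)tid >= table_len)
        return NULL;
    return table[tid];
}

/* 1 if the lookup for tid yields exactly the expected IID, else 0. */
static int lookup_matches(REFIID *table, size_t table_len, tid_t tid, REFIID expected)
{
    REFIID got = lookup_iid(table, table_len, tid);
    return got != NULL && memcmp(got, expected, sizeof *got) == 0;
}

int stale_table_len(void) { return (int)ARRAY_SIZE(tid_ids_stale); }
int fixed_table_len(void) { return (int)ARRAY_SIZE(tid_ids_fixed); }

/* The report's crash condition: IFile_tid (5) indexes past the five-entry table. */
int stale_ifile_in_bounds(void)
{
    return lookup_iid(tid_ids_stale, ARRAY_SIZE(tid_ids_stale), IFile_tid) != NULL;
}

/* The quieter failure the same drift causes: ITextStream_tid lands on IID_IFile. */
int stale_itextstream_is_ifile(void)
{
    return lookup_matches(tid_ids_stale, ARRAY_SIZE(tid_ids_stale), ITextStream_tid, &IID_IFile);
}

/* With the table synchronised, every tid resolves to its own IID. */
int fixed_table_consistent(void)
{
    return lookup_matches(tid_ids_fixed, ARRAY_SIZE(tid_ids_fixed), ITextStream_tid, &IID_ITextStream)
        && lookup_matches(tid_ids_fixed, ARRAY_SIZE(tid_ids_fixed), IFile_tid, &IID_IFile);
}

int main(void)
{
    printf("stale table: %d entries, IFile_tid in bounds: %d, ITextStream_tid maps to IID_IFile: %d\n",
           stale_table_len(), stale_ifile_in_bounds(), stale_itextstream_is_ifile());
    printf("fixed table: %d entries, consistent: %d\n", fixed_table_len(), fixed_table_consistent());
    return 0;
}
```

Besides the out-of-bounds read for IFile_tid that produced the page fault in the report, the same drift silently maps ITextStream_tid onto IID_IFile in the stale table, which is the kind of wrong-but-in-bounds result a crash does not surface; a size guard tied to LAST_tid catches both at compile time.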
$ sha1sum MobileMasterInst.exe
0bedc83c67f4a0181aac916150457f395f095526  MobileMasterInst.exe

$ du -sh MobileMasterInst.exe
21M     MobileMasterInst.exe

$ wine --version
wine-1.7.9-209-gb231b4b
Regards