https://bugs.winehq.org/show_bug.cgi?id=37822
Bug ID: 37822
Summary: Monopolie 0.9.7 (VB6 game) crashes while trying to load OLE compound document (WAV file) via Packager
Product: Wine
Version: 1.7.33
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 37818 and bug 37820 if the OLE1 keys were added via 'regedit' import.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Monopolie

$ WINEDEBUG=+tid,+seh,+relay,+ole,+variant,+packager wine ./Monopolie\ 0.9.7.exe >>log.txt 2>&1
...
0023:Call user32.CreateWindowExA(00000004,0000c058,01149e68 "&Buy",4c012000,00000008,00000008,00000049,0000001d,000300aa,00000006,73420000,00000000) ret=7343f9e2
...
0023:Ret user32.ShowWindow() retval=00000000 ret=73456dc5
...
0023:Call ole32.StgCreateDocfile(00000000,04001012,00000000,0033e30c) ret=734c8828
0023:Call KERNEL32.GetTempPathW(00000104,0033de08) ret=7e99c926
0023:Ret KERNEL32.GetTempPathW() retval=00000014 ret=7e99c926
0023:Call KERNEL32.GetTempFileNameW(0033de08 L"C:\users\focht\Temp\",7ea2da06 L"STO",00000000,0033e010) ret=7e99c960
0023:Ret KERNEL32.GetTempFileNameW() retval=0000a5a9 ret=7e99c960
0023:Call KERNEL32.CreateFileW(0033e010 L"C:\users\focht\Temp\STOa5a9.tmp",c0000000,00000001,00000000,00000005,14000000,00000000) ret=7e99ca0b
0023:Ret KERNEL32.CreateFileW() retval=000000a0 ret=7e99ca0b
...
0023:Call KERNEL32.SetFilePointerEx(000000a0,00003800,00000000,00000000,00000000) ret=7e95bf78
0023:Ret KERNEL32.SetFilePointerEx() retval=00000001 ret=7e95bf78
0023:Call KERNEL32.WriteFile(000000a0,01e52b48,00000200,0033d8f4,00000000) ret=7e95bfbb
0023:Ret KERNEL32.WriteFile() retval=00000001 ret=7e95bfbb
...
--- snip ---
The game writes out a WAV file as OLE compound storage object (temp file) and later tries to load it via Packager.
--- snip ---
...
0023:Call ole32.ReadClassStg(01e4a7b0,0033e2d4) ret=734aa8b9
0023:Ret ole32.ReadClassStg() retval=00000000 ret=734aa8b9
0023:Call ole32.OleDoAutoConvert(01e4a7b0,0033e2e4) ret=734aa8ce
0023:trace:ole:OleDoAutoConvert (0x1e4a7b0, 0x33e2e4)
0023:Call ntdll.RtlInitUnicodeString(0033e050,0033e0a2 L"CLSID\{0003000D-0000-0000-C000-000000000046}") ret=7e93f764
0023:Ret ntdll.RtlInitUnicodeString() retval=0033e050 ret=7e93f764
0023:Call ntdll.NtOpenKey(0033e09c,00020019,0033e058) ret=7e93f780
0023:Ret ntdll.NtOpenKey() retval=00000000 ret=7e93f780
0023:Call ntdll.RtlNtStatusToDosError(00000000) ret=7e93f78b
0023:Ret ntdll.RtlNtStatusToDosError() retval=00000000 ret=7e93f78b
0023:Call ntdll.RtlInitUnicodeString(0033e050,7ea296fc L"AutoConvertTo") ret=7e93f764
0023:Ret ntdll.RtlInitUnicodeString() retval=0033e050 ret=7e93f764
0023:Call ntdll.NtOpenKey(0033e178,00020019,0033e058) ret=7e93f780
0023:Ret ntdll.NtOpenKey() retval=c0000034 ret=7e93f780
0023:Call ntdll.RtlNtStatusToDosError(c0000034) ret=7e93f78b
0023:Ret ntdll.RtlNtStatusToDosError() retval=00000002 ret=7e93f78b
0023:Call advapi32.RegCloseKey(000000a4) ret=7e9441f9
0023:Ret advapi32.RegCloseKey() retval=00000000 ret=7e9441f9
0023:Ret ole32.OleDoAutoConvert() retval=80040152 ret=734aa8ce
0023:Call ole32.CoGetClassObject(0033e2e4,00000003,00000000,7343a3b8,0033e2ac) ret=734a6939
0023:trace:ole:CoGetClassObject CLSID: {0003000d-0000-0000-c000-000000000046},IID: {00000000-0000-0000-c000-000000000046}
...
0023:warn:ole:CoGetClassObject class {0003000d-0000-0000-c000-000000000046} not registered as in-proc server
...
0023:err:ole:CoGetClassObject no class object {0003000d-0000-0000-c000-000000000046} could be created for context 0x3
0023:Ret ole32.CoGetClassObject() retval=80040154 ret=734a6939
...
0023:Call ole32.OleLoad(01e4a7b0,73476c78,01149864,0033e2fc) ret=734aa991
0023:trace:ole:OleLoad (0x1e4a7b0, {00000112-0000-0000-c000-000000000046}, 0x1149864, 0x33e2fc)
0023:trace:ole:CoCreateInstance (rclsid={0003000d-0000-0000-c000-000000000046}, pUnkOuter=(nil), dwClsContext=00000003, riid={00000112-0000-0000-c000-000000000046}, ppv=0x33e1fc)
0023:trace:ole:CoGetTreatAsClass ({0003000d-0000-0000-c000-000000000046},0x33e0e8)
...
0023:trace:ole:guid_from_string L"{F20DA720-C02F-11CE-927B-0800095AE340}" -> 0x33e0e8
0023:Call advapi32.RegCloseKey(000000a8) ret=7e947347
0023:Ret advapi32.RegCloseKey() retval=00000000 ret=7e947347
0023:trace:ole:CoGetClassObject CLSID: {f20da720-c02f-11ce-927b-0800095ae340},IID: {00000001-0000-0000-c000-000000000046}
...
0023:trace:ole:COMPOBJ_DllList_Add L"C:\windows\system32\packager.dll"
0023:Call KERNEL32.LoadLibraryExW(0033dd6e L"C:\windows\system32\packager.dll",00000000,00000008) ret=7e93f8f8
0023:Call PE DLL (proc=0x7d685380,module=0x7d680000 L"packager.dll",reason=PROCESS_ATTACH,res=(nil))
0023:trace:packager:DllMain (0x7d680000, 1, (nil))
...
0023:Ret PE DLL (proc=0x7d685380,module=0x7d680000 L"packager.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0023:Ret KERNEL32.LoadLibraryExW() retval=7d680000 ret=7e93f8f8
...
0023:trace:ole:apartment_getclassobject added new loaded dll L"C:\windows\system32\packager.dll"
0023:trace:ole:apartment_getclassobject calling DllGetClassObject 0x7d68284c
0023:Call packager.DllGetClassObject(0033e0e8,7ea3200c,0033e0f8) ret=7e941f05
0023:trace:packager:DllGetClassObject ({f20da720-c02f-11ce-927b-0800095ae340}, {00000001-0000-0000-c000-000000000046}, 0x33e0f8)
0023:trace:packager:PackageCF_QueryInterface (static)->({00000001-0000-0000-c000-000000000046}, 0x33e0f8)
0023:trace:packager:PackageCF_AddRef (static)
0023:Ret packager.DllGetClassObject() retval=00000000 ret=7e941f05
0023:Call advapi32.RegCloseKey(000000a8) ret=7e945a72
0023:Ret advapi32.RegCloseKey() retval=00000000 ret=7e945a72
0023:trace:packager:PackageCF_CreateInstance (static)->((nil), {00000112-0000-0000-c000-000000000046}, 0x33e1fc)
0023:Call ntdll.RtlAllocateHeap(00110000,00000008,00000218) ret=7d685043
0023:Ret ntdll.RtlAllocateHeap() retval=00170528 ret=7d685043
0023:trace:packager:OleObject_QueryInterface (0x170528)->(IID_IOleObject, 0x33e1fc)
0023:trace:packager:OleObject_AddRef (0x170528) ref=1
0023:trace:packager:PackageCF_Release (static)
0023:trace:packager:OleObject_QueryInterface (0x170528)->(IID_IOleObject, 0x33e1f8)
0023:trace:packager:OleObject_AddRef (0x170528) ref=2
0023:trace:packager:OleObject_GetMiscStatus (0x170528)->(1, 0x33e1ac)
0023:trace:packager:OleObject_QueryInterface (0x170528)->(IID_IPersistStorage, 0x33e200)
0023:trace:packager:OleObject_AddRef (0x170528) ref=3
0023:trace:packager:PersistStorage_Load (0x170528)->(0x1e4a7b0)
0023:Call ntdll.RtlAllocateHeap(00110000,00000000,00000028) ret=7e98e2e8
0023:Ret ntdll.RtlAllocateHeap() retval=0017f1a0 ret=7e98e2e8
0023:Call KERNEL32.SetFilePointerEx(000000a0,00001800,00000000,00000000,00000000) ret=7e95bd7c
0023:Ret KERNEL32.SetFilePointerEx() retval=00000001 ret=7e95bd7c
0023:Call KERNEL32.ReadFile(000000a0,01e53b58,00000200,0033c734,00000000) ret=7e95bdbf
0023:Ret KERNEL32.ReadFile() retval=00000001 ret=7e95bdbf
...
0023:Call KERNEL32.ReadFile(000000a0,0033fb00,00000200,0033c7e4,00000000) ret=7e95bdbf
0023:Ret KERNEL32.ReadFile() retval=00000001 ret=7e95bdbf
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7d6843b2 ip=7d6843b2 tid=0023
0023:trace:seh:raise_exception info[0]=00000000
0023:trace:seh:raise_exception info[1]=7475020f
0023:trace:seh:raise_exception eax=74750203 ebx=7d689000 ecx=0017f1a0 edx=00000000 esi=0033e180 edi=0033e290
0023:trace:seh:raise_exception ebp=0033e168 esp=0033cab0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210246
0023:trace:seh:call_stack_handlers calling handler at 0x84807984 code=c0000005 flags=0
<stack overflow>
--- snip ---
There are four streams present:

* Ole (20 bytes)
* CompObj (76 bytes)
* OlePres000 (3256 bytes)
* Ole10Native (8196 bytes)
Source: http://source.winehq.org/git/wine.git/blob/7ef536001fa0da54dafbc32a206343ee5...
--- snip ---
Wine-dbg>n
444     hr = IStream_Read(stream, &payload_size, 4, NULL);
Wine-dbg>n
PersistStorage_Load () at /home/focht/projects/wine/wine.repo/build-x86/dlls/packager/../../include/objidl.h:4381
4381    return This->lpVtbl->Read(This,pv,cb,pcbRead);
Wine-dbg>n
err:seh:setup_exception_record stack overflow 1104 bytes in thread 0023 eip 7bc4452f esp 00240ee0 stack 0x240000-0x241000-0x340000
Process of pid=0022 has terminated
--- snip ---
$ sha1sum monopolie0.9.7-installer.exe
b7cff9b04b11c55b5d1fa4cddb2f0914f61b6653  monopolie0.9.7-installer.exe

$ du -sh monopolie0.9.7-installer.exe
1.7M    monopolie0.9.7-installer.exe

$ wine --version
wine-1.7.33-117-g6bab173
Regards
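The Ole10Native stream listed above is what PersistStorage_Load is consuming when the fault fires. As an added example, not Wine's packager code and not the reporter's, here is a bounds-checked reader for the start of that stream; it assumes the MS-OLEDS layout described in the comment (assumption, not confirmed by this report) and rejects a stream whose size field overstates what the stream holds or whose strings are not NUL-terminated inside the record.

```c
#include <stdint.h>
#include <string.h>

/* Assumed start-of-stream layout for Ole10Native (after MS-OLEDS; stated as an
 * assumption, not taken from Wine's packager.dll): uint32 payload_size (LE, bytes
 * following the field), uint16 type (2 = embedded file), then NUL-terminated
 * ANSI label and filename. */
struct ole10native_hdr { uint32_t payload_size; uint16_t type; const char *label, *filename; };

/* Every read checks the remaining length first, so pos never exceeds len. */
static int read_u32le(const uint8_t *p, size_t len, size_t *pos, uint32_t *v)
{
    if (len - *pos < 4) return -1;
    *v = (uint32_t)p[*pos] | (uint32_t)p[*pos + 1] << 8 | (uint32_t)p[*pos + 2] << 16 | (uint32_t)p[*pos + 3] << 24;
    *pos += 4;
    return 0;
}

/* A string is accepted only if its NUL lies inside the remaining bytes. */
static int read_cstr(const uint8_t *p, size_t len, size_t *pos, const char **s)
{
    const uint8_t *nul = memchr(p + *pos, 0, len - *pos);
    if (!nul) return -1;
    *s = (const char *)(p + *pos);
    *pos = (size_t)(nul - p) + 1;
    return 0;
}

/* Returns 0 and fills *h, or -1 if the stream is truncated or its size field
 * claims more bytes than the stream holds. */
int parse_ole10native_hdr(const uint8_t *buf, size_t len, struct ole10native_hdr *h)
{
    size_t pos = 0;
    if (read_u32le(buf, len, &pos, &h->payload_size)) return -1;
    if (h->payload_size > len - pos) return -1;  /* size field overstates the stream */
    len = pos + h->payload_size;                 /* never scan past the record */
    if (len - pos < 2) return -1;
    h->type = (uint16_t)(buf[pos] | buf[pos + 1] << 8);
    pos += 2;
    if (read_cstr(buf, len, &pos, &h->label)) return -1;
    return read_cstr(buf, len, &pos, &h->filename);
}

/* Constructed sample: 12 payload bytes, type 2, label "snd", filename "a.wav". */
const uint8_t OLE10_SAMPLE[] = { 0x0c,0,0,0, 0x02,0x00, 's','n','d',0, 'a','.','w','a','v',0 };
/* Constructed bad sample: size field claims 0x2000 bytes but only 6 follow. */
const uint8_t OLE10_OVERSIZED[] = { 0x00,0x20,0,0, 0x02,0x00, 'x',0, 0,0 };
```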