http://bugs.winehq.org/show_bug.cgi?id=8844
truiken@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Component|wine-msi |wine-misc
------- Additional Comments From truiken@gmail.com 2007-06-07 03:07 ------- The custom action directly calls RtlAllocateHeap with size 0x10. It uses this buffer to convert the product/package/upgrade code guids into an encoded form. The encoded value is 32 characters long (plus one for null terminator), which is much longer than the 16 bytes allocated. The custom action corrupts the heap by overrunning the allocated buffer. This is not a bug in MSI, though I don't know how it could work in Windows (but it does).
0012:Call ntdll.RtlAllocateHeap(006c0000,00000000,00000010) ret=100091f0 0012:Ret ntdll.RtlAllocateHeap() retval=006c03c8 ret=100091f0 0012:Call msi.MsiSetPropertyA(00000001,1001ea10 "ENCODEDPRODUCTCODE",006c03c8 "84A88FD7F6998CE40A22FB59F6B9C2BB") ret=100038c2