http://bugs.winehq.org/show_bug.cgi?id=22829
Anastasius Focht focht@gmx.net changed:
What           |Removed                     |Added
----------------------------------------------------------------------------
Status         |UNCONFIRMED                 |NEW
URL            |http://download.sysinternals.com/Files/RAMMap.zip |http://technet.microsoft.com/en-us/sysinternals/ff700229
Component      |-unknown                    |shell32
CC             |                            |focht@gmx.net
Ever Confirmed |0                           |1
Summary        |Sysinternals RAMMap crashes |Sysinternals RAMMap crashes (shell32.CommandLineToArgvW needs to include terminating NULL element in returned array of pointers)

--- Comment #4 from Anastasius Focht focht@gmx.net 2012-04-07 06:07:25 CDT ---
Hello,
confirming. It seems the app expects CommandLineToArgvW() to return a terminating NULL element in the returned array of pointers.
MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/bb776391%28v=vs.85%2...
There is a comment in the community section (non-Microsoft) stating:
--- quote ---
No extra NULL element
Unlike main and wmain, CommandLineToArgvW does not have an extra element of argv[argc] == NULL. Trying to do this will result in reading past the end of the pointer list.
--- quote ---
This doesn't seem true.
The application code does _exactly_ that: ignoring the returned "argc" value and looping through the returned pointer list to look for the terminating NULL element.
Relevant application code, annotated:
--- snip ---
0040EB18  33FF              XOR EDI,EDI
...
0040EB45  8D4424 44         LEA EAX,[LOCAL.165]                               ; __out int *pNumArgs
0040EB49  50                PUSH EAX
0040EB4A  897C24 14         MOV DWORD PTR SS:[LOCAL.178],EDI
0040EB4E  FF15 50B24200     CALL DWORD PTR DS:[<&KERNEL32.GetCommandLineW>]
0040EB54  50                PUSH EAX                                          ; lpCmdLine
0040EB55  FF15 ACB24200     CALL DWORD PTR DS:[<&SHELL32.CommandLineToArgvW>]
0040EB5B  8BF0              MOV ESI,EAX
0040EB5D  897C24 14         MOV DWORD PTR SS:[LOCAL.177],EDI                  ; local_argc = 0
0040EB61  393E              CMP DWORD PTR DS:[ESI],EDI                        ; argv[0] == NULL ?
0040EB63  0F84 8A000000     JE 0040EBF3
0040EB69  8BDE              MOV EBX,ESI
arg_store_loop:
0040EB6B  68 F8164300       PUSH OFFSET 004316F8
...
0040EB97  FF4424 14         INC DWORD PTR SS:[LOCAL.177]
...
0040EBD9  8B4424 14         MOV EAX,DWORD PTR SS:[LOCAL.177]
0040EBDD  8D1C86            LEA EBX,[EAX*4+ESI]
0040EBE0  833B 00           CMP DWORD PTR DS:[EBX],0
0040EBE3  75 86             JNE SHORT 0040EB6B                                ; arg_store_loop
--- snip ---
Calling the app with some arguments:
--- snip ---
$ wine ./RAMMap.exe arg1 arg2 arg3
--- snip ---
Dump of the corresponding memory block Wine returns (heap metadata prepended for convenience):
--- snip ---
0012C438  00000078
0012C43C  00455355  USE
0012C440  0012C450  ; UNICODE "Z:\home\focht\Downloads\RAMMap.exe"
0012C444  0012C49A  ; UNICODE "arg1"
0012C448  0012C4A4  ; UNICODE "arg2"
0012C44C  0012C4AE  ; UNICODE "arg3"
0012C450  003A005A  Z :
0012C454  0068005C  \ h
0012C458  006D006F  o m
0012C45C  005C0065  e \
0012C460  006F0066  f o
0012C464  00680063  c h
0012C468  005C0074  t \
0012C46C  006F0044  D o
0012C470  006E0077  w n
0012C474  006F006C  l o
0012C478  00640061  a d
0012C47C  005C0073  s \
0012C480  00410052  R A
0012C484  004D004D  M M
0012C488  00700061  a p
0012C48C  0065002E  . e
0012C490  00650078  x e
0012C494  00220000
0012C498  00610020    a
0012C49C  00670072  r g
0012C4A0  00000031  1
0012C4A4  00720061  a r
0012C4A8  00320067  g 2
0012C4AC  00610000    a
0012C4B0  00670072  r g
0012C4B4  00000033  3
--- snip ---
Iteration 5: "argv[4]" -> 0x0012C450 -> dereference: 0x003A005A (already part of the argv[0] string). The address is mapped by chance (thread stack at 0x3A0000), so it does not trigger a page fault.
Iteration 6: "argv[5]" -> 0x0012C454 -> dereference: 0x0068005C. This virtual address is not mapped, triggering a fault and crashing the app.
Source: http://source.winehq.org/git/wine.git/blob/f445325999ebf3afd0b7df0e5c1a31eeb...
RAMMap v1.11
By Mark Russinovich and Bryce Cogswell
Published: May 18, 2011

$ sha1sum RAMMap.exe
7f24fc771549d159d1ae4b3ea6e314750ce07a70  RAMMap.exe

$ wine --version
wine-1.5.1-169-g1c62c9f
Regards
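Added example (not Wine's shell32 code and not RAMMap's): a simplified CommandLineToArgvW-style splitter in C that lays the block out the way the dump above shows (pointer array first, argument strings after it) and writes the argv[argc] == NULL terminator the application's loop depends on, next to a consumer that walks the list the way RAMMap's arg_store_loop does. It splits on whitespace only; the quote and backslash rules of the real function are deliberately left out, and the function names are invented for the example.

```c
#include <stdlib.h>
#include <wchar.h>
#include <wctype.h>

/* Added example, not Wine's shell32 code: a simplified CommandLineToArgvW.
 * Whitespace-only splitting (quote/backslash rules omitted). The layout
 * matches the dump in the report: one block, pointer array first, strings
 * after it, plus the argv[argc] == NULL terminator the app relies on. */
wchar_t **split_cmdline_w(const wchar_t *cmdline, int *num_args)
{
    const wchar_t *p;
    size_t len = wcslen(cmdline);
    int argc = 0, in_arg = 0, i = 0;

    /* Pass 1: count arguments. */
    for (p = cmdline; *p; p++) {
        if (iswspace(*p)) in_arg = 0;
        else if (!in_arg) { in_arg = 1; argc++; }
    }

    /* argc + 1 pointers (the +1 is the NULL terminator), then string storage.
     * len + 1 wide chars suffice: each separator run becomes a single NUL. */
    wchar_t **argv = malloc((argc + 1) * sizeof(wchar_t *) + (len + 1) * sizeof(wchar_t));
    if (!argv) return NULL;
    wchar_t *dst = (wchar_t *)(argv + argc + 1);

    /* Pass 2: copy each argument as a NUL-terminated string, recording its pointer. */
    in_arg = 0;
    for (p = cmdline; *p; p++) {
        if (iswspace(*p)) {
            if (in_arg) { *dst++ = 0; in_arg = 0; }
        } else {
            if (!in_arg) { argv[i++] = dst; in_arg = 1; }
            *dst++ = *p;
        }
    }
    if (in_arg) *dst = 0;
    argv[argc] = NULL;   /* without this, RAMMap's loop reads past the pointer list */
    *num_args = argc;
    return argv;
}

/* Consumer written the way RAMMap's arg_store_loop works: ignore argc and
 * walk the pointer list until a NULL entry. */
int count_until_null(wchar_t **argv)
{
    int n = 0;
    while (argv[n]) n++;
    return n;
}
```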