http://bugs.winehq.org/show_bug.cgi?id=34869
Bug #: 34869
Summary: Microsoft Office 2013 full offline installer crashes on startup (TEB access with NULL TLS array pointer, failure to handle case where only late-bound modules have TLS directory)
Product: Wine
Version: 1.7.5
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Classification: Unclassified
Hello folks,
as the summary says...
--- snip ---
...
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:00b51ce1 ESP:0033c754 EBP:0033c77c EFLAGS:00010282( R- -- I S - - - )
 EAX:00000000 EBX:00000000 ECX:00000000 EDX:00cdeac8
 ESI:00e4d2a0 EDI:00000001
Stack dump:
0x0033c754: b97c320d 00000001 00e4d2a0 00000000
0x0033c764: 00e58a88 0033c78c 0033c714 0033c798
0x0033c774: 00c54f38 ffffffff 0033c7a4 00b51678
0x0033c784: b97c32d5 00000001 00e4d2a0 00000000
0x0033c794: 0033c784 0033cf04 00c54e11 00000002
0x0033c7a4: 0033c7c0 00a5f68d 00000000 00e3ecf0
000c: sel=0067 base=00000000 limit=00000000 16-bit --x
Backtrace:
=>0 0x00b51ce1 in osetup (+0x3e1ce1) (0x0033c77c)
  1 0x00b51678 in osetup (+0x3e1677) (0x0033c7a4)
  2 0x00a5f68d in osetup (+0x2ef68c) (0x0033c7c0)
  3 0x00a42d02 in osetup (+0x2d2d01) (0x0033cee0)
  4 0x00a391d4 in osetup (+0x2c91d3) (0x0033cf10)
  5 0x009ae85c in osetup (+0x23e85b) (0x0033f5c4)
  6 0x1002d3c7 in setup (+0x2d3c6) (0x0033fcd4)
  7 0x1002b0c3 in setup (+0x2b0c2) (0x0033fd74)
  8 0x004027f2 in setup (+0x27f1) (0x0033fd90)
  9 0x00402eb2 in setup (+0x2eb1) (0x0033fe20)
  10 0x7b863d4c call_process_entry+0xb() in kernel32 (0x0033fe38)
...
0x00b51ce1: movl 0x0(%eax,%ecx,4),%edi
Modules:
Module  Address            Debug info  Name (84 modules)
PE      350000- 37f000     Deferred    osetupui
PE      400000- 434000     Export      setup
PE      770000- e3b000     Export      osetup
PE      10000000-100d3000  Export      setup
...
Threads:
process tid prio (all id:s are in hex)
...
00000023 (D) E:\setup.exe
    00000025 0
    00000024 0 <==
--- snip ---
Crashing code:
--- snip ---
Wine-dbg>disas $EIP-0xC
0x00b51cd5: movl %fs:0x2c,%eax
0x00b51cdb: movl 0x00ce69d8,%ecx
0x00b51ce1: movl 0x0(%eax,%ecx,4),%edi
--- snip ---
It's accessing a TEB with NULL TLS array pointer.
Wine's loader only allocates process-wide and per-thread structure for module TLS storage if at least one of the initial modules has a TLS directory (LdrInitializeThunk). Unfortunately no early-bound module has TLS directory/section hence "tls_module_count" is zero. The DLL in question is late bound -> MODULE_DllThreadAttach -> alloc_thread_tls -> (tls_module_count == 0).
Loader info for dll in question:
--- snip ---
...
0030:Call KERNEL32.LoadLibraryExW(00548640 L"E:\omui.id-id\OSETUP.DLL",00000000,00001000) ret=1002c2db
...
0030:trace:module:load_native_dll Trying native dll L"E:\omui.id-id\OSETUP.DLL"
0030:trace:module:map_image mapped PE file at 0x770000-0xe3b000
0030:trace:module:map_image mapping section .text at 0x771000 off 400 size 51d200 virt 51d0e4 flags 60000020
0030:trace:module:map_image clearing 0xc8e200 - 0xc8f000
0030:trace:module:map_image mapping section .data at 0xc8f000 off 51d600 size 51400 virt 58d38 flags c0000040
0030:trace:module:map_image clearing 0xce0400 - 0xce1000
0030:trace:module:map_image mapping section .tls at 0xce8000 off 0 size 0 virt 9 flags c0000080
0030:trace:module:map_image mapping section .rsrc at 0xce9000 off 56ea00 size 118e00 virt 118db8 flags 40000040
0030:trace:module:map_image clearing 0xe01e00 - 0xe02000
0030:trace:module:map_image mapping section .reloc at 0xe02000 off 687800 size 38c00 virt 38bec flags 42000040
0030:trace:module:map_image clearing 0xe3ac00 - 0xe3b000
0030:trace:module:map_image relocating from 0x10000000-0x106cb000 to 0x770000-0xe3b000
--- snip ---

$ wine --version
wine-1.7.5-336-gb43b7b6
Regards
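
The failure mode analysed in the report above, as an added example: a simplified single-thread model in C, not Wine's code and not the fix that was later committed. Only `tls_module_count` is a name taken from the report; the structs and functions are hypothetical, and the TLS size of 9 is the `virt 9` value from the `.tls` line of the loader trace.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified single-thread model of the reported loader state; not Wine source. */
struct teb { void **tls_pointer; };   /* the pointer read via %fs:0x2c */
struct loader { unsigned tls_module_count; struct teb teb; };

/* Startup as described: no TLS array unless an initial module has a TLS directory. */
static void init_thread_tls(struct loader *l, unsigned initial_tls_modules)
{
    l->tls_module_count = initial_tls_modules;
    l->teb.tls_pointer = initial_tls_modules ? calloc(initial_tls_modules, sizeof(void *)) : NULL;
}

/* Late load as reported: the module is handed an index, per-thread state is untouched. */
static unsigned late_load_reported(struct loader *l)
{
    return l->tls_module_count;
}

/* Late load, hardened: grow the array to cover the new index (a real loader does this per thread). */
static int late_load_hardened(struct loader *l, size_t tls_size, unsigned *index)
{
    unsigned idx = l->tls_module_count;
    void **arr = realloc(l->teb.tls_pointer, (idx + 1) * sizeof(void *));
    if (!arr) return -1;
    l->teb.tls_pointer = arr;
    arr[idx] = calloc(1, tls_size ? tls_size : 1);
    if (!arr[idx]) return -1;
    l->tls_module_count = idx + 1;
    *index = idx;
    return 0;
}

/* Same lookup as the faulting instructions, plus the checks compiled code omits. */
static void *tls_block(const struct loader *l, unsigned index)
{
    if (!l->teb.tls_pointer || index >= l->tls_module_count) return NULL;
    return l->teb.tls_pointer[index];
}

int main(void)
{
    struct loader l; unsigned idx;
    init_thread_tls(&l, 0);
    printf("reported: %p\n", tls_block(&l, late_load_reported(&l)));
    if (late_load_hardened(&l, 9, &idx) == 0)
        printf("hardened: %p\n", tls_block(&l, idx));
    return 0;
}
```

In the reported path the array pointer is still NULL when the module's code indexes it, which is the read at 0x00000000 in the register dump (EAX and ECX both zero).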
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
----------------------------------------------------------------------------
Keywords |        |Installer
lilydjwg@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |lilydjwg@gmail.com
suporte@infoservicejoinville.com.br changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |suporte@infoservicejoinville.com.br
Anastasius Focht focht@gmx.net changed:
What          |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1 |        |e54503f7085a5b62dfc373aaa6b98116bde784d4
Status        |NEW     |RESOLVED
Resolution    |---     |FIXED

--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit http://source.winehq.org/git/wine.git/commitdiff/e54503f7085a5b62dfc373aaa6b...
Thanks Alexandre.
The installer now runs into bug 31942
Regards
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.10.