https://bugs.winehq.org/show_bug.cgi?id=5961
Anastasius Focht focht@gmx.net changed:
What        |Removed                    |Added
----------------------------------------------------------------------------
Status      |NEW                        |RESOLVED
CC          |                           |focht@gmx.net
Hardware    |Other                      |x86
Resolution  |---                        |WONTFIX
Summary     |MS Money 2006 trial setup  |Microsoft Money 2006 trial
            |causes heap err on exit    |installer causes heap error
            |                           |on exit (broken
            |                           |application)
OS          |other                      |Linux
--- Comment #12 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
There is nothing to fix here, it's a bug in the Microsoft installer.
One can unwrap the first installer and use the second-level installer directly.
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay ./mnyinst.exe /Licewarmup /BOOTSTRAPPERLAUNCH > log.txt 2>&1
...
0039:Call KERNEL32.LocalFree(0014cdd8) ret=0041b16d
0039:Ret  KERNEL32.LocalFree() retval=00000000 ret=0041b16d
0039:Call KERNEL32.LocalFree(736f7263) ret=0041b1c4
0039:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b8467e0 ip=7b8467e0 tid=0039
0039:trace:seh:raise_exception info[0]=00000000
0039:trace:seh:raise_exception info[1]=736f7261
0039:trace:seh:raise_exception eax=736f7261 ebx=7b8bb000 ecx=9388d9af edx=0033f9c0 esi=0033fb3c edi=0033fb14
0039:trace:seh:raise_exception ebp=0033fac8 esp=0033f9a0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0039:trace:seh:call_stack_handlers calling handler at 0x7b889fef code=c0000005 flags=0
0039:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
0039:trace:seh:__regs_RtlUnwind calling handler at 0x7bc82489 code=c0000005 flags=2
0039:trace:seh:__regs_RtlUnwind handler at 0x7bc82489 returned 1
0039:err:heap:GlobalFree (0x736f7263): Page fault occurred ! Caused by bug ?
0039:Ret  KERNEL32.LocalFree() retval=736f7263 ret=0041b1c4
--- snip ---
The installer uses instance data for each dialog page (eula, accept, progress, finish) for which the pointer is stored in data segment. After allocation of each dialog page instance block, a part of the block is zero-initialized while other parts are simply filled with ui-object data (window/brush handles), strings and pointers to other instance data.
Unfortunately while preparing the instance data for last 'finish' dialog page, the last member of the structure [offset+0x19C] is not initialized (previous pages had some ptr from one LocalAlloc() call stored here).
Dump of the block (0x1A0 bytes):
--- snip ---
$-8    004E4230  000001A0  ....  ; heap block size
$-4    004E4234  00455355  USE.  ; heap magic
$ ==>  004E4238  0041293C  <)A.  ; mnyinst.0041293C
$+4    004E423C  00000001  ...
$+8    004E4240  0000006E  n...
$+C    004E4244  00000001  ....
$+10   004E4248  00000000  ....
$+14   004E424C  FFFFFFFF  ....
$+18   004E4250  00000000  ....
...
$+15C  004E4394  00000000  ....
$+160  004E4398  00000000  ....
$+164  004E439C  004E432C  ,CN.
$+168  004E43A0  00000061  a...
$+16C  004E43A4  00000062  b...
$+170  004E43A8  00000000  ....
$+174  004E43AC  00070064  d...
$+178  004E43B0  004E008A  Š.N.
$+17C  004E43B4  0036003D  =.6.  ; brush handle
$+180  004E43B8  00000000  ....
$+184  004E43BC  00000000  ....
$+188  004E43C0  00000002  ....
$+18C  004E43C4  001A05B0  ....
$+190  004E43C8  00000002  ....
$+194  004E43CC  001AAD20  ....
$+198  004E43D0  00000000  ....
$+19C  004E43D4  736F7263  cros  ; leftover data from previous heap use
=== next block ===
$+1A0  004E43D8  000000A8  ¨...  ; heap block size
$+1A4  004E43DC  00455355  USE.  ; heap magic
--- snip ---
Code snippet which allocates and initializes the instance data:
--- snip ---
...
0041AAEE PUSH 1A0
0041AAF3 CALL <JMP.&MSVCR71.??2@YAPAXI@Z>        ; alloc instance data
0041AAF9 MOV ECX,EAX
0041AAFB MOV DWORD PTR SS:[EBP-10],ECX
0041AAFE CMP ECX,EDI
0041AB00 MOV DWORD PTR SS:[EBP-4],EDI
0041AB03 JE SHORT mnyinst.0041AB0F
0041AB05 CALL mnyinst.0041B098                   ; instance data init #1
0041AB0A MOV DWORD PTR SS:[EBP-10],EAX
0041AB0D JMP SHORT mnyinst.0041AB12
0041AB0F MOV DWORD PTR SS:[EBP-10],EDI
0041AB12 MOV ECX,DWORD PTR SS:[EBP-10]
0041AB15 OR DWORD PTR SS:[EBP-4],FFFFFFFF
0041AB19 CMP ECX,EDI
0041AB1B JE mnyinst.0041ABDF
0041AB21 PUSH DWORD PTR SS:[EBP-14]
0041AB24 CALL mnyinst.0041B6DC                   ; instance data init #2 (bug)
0041AB29 PUSH DWORD PTR SS:[EBP-10]              ; lParam
0041AB2C MOV EAX,DWORD PTR DS:[ESI+14]
0041AB2F MOV EAX,DWORD PTR DS:[EBX+EAX]
0041AB32 MOVZX EAX,WORD PTR DS:[EAX]
0041AB35 PUSH mnyinst.0041B50F                   ; pDlgProc = mnyinst.0041B50F
0041AB3A PUSH DWORD PTR DS:[42BDC4]              ; hOwner
0041AB40 PUSH EAX                                ; pTemplate
0041AB41 PUSH DWORD PTR DS:[42B58C]              ; hInst = 00400000
0041AB47 CALL DWORD PTR DS:[<&USER32.CreateDialogParamA>]
...
0041ABA4 PUSH 3                                  ; Flags = SWP_NOSIZE|SWP_NOMOVE
0041ABA6 PUSH EDI                                ; Height
0041ABA7 PUSH EDI                                ; Width
0041ABA8 PUSH EDI                                ; Y
0041ABA9 PUSH EDI                                ; X
0041ABAA PUSH EDI                                ; InsertAfter
0041ABAB PUSH ESI                                ; hWnd
0041ABAC CALL DWORD PTR DS:[<&USER32.SetWindowPos>]
0041ABB2 MOV EAX,DWORD PTR SS:[EBP-10]
0041ABB5 MOV DWORD PTR DS:[42BDD0],ESI
0041ABBB MOV DWORD PTR DS:[42BDD4],EAX           ; save instance data ptr
...
--- snip ---
Upon exit the uninitialized value is passed to LocalFree(). Windows probably figures out the handle is invalid like Wine (maybe not the 'hard' way by causing a fault) hence the 'free' becomes a no-op. Since there is no harm caused by this bug there is nothing to worry about.
Resolving 'wontfix'
$ sha1sum webinst.exe
586d1bbfe2cb7fc6fa116c439aba6b2c0a80c01e  webinst.exe

$ du -sh webinst.exe
21M     webinst.exe

$ wine --version
wine-1.7.16-1-gb772260
Regards
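The bug pattern analysed in the comment above, as an added illustration that is not part of the bug report, of the installer, or of Wine: a fixed-size instance block is handed out by a heap that does not scrub freed memory, the 'finish' page initializer only zeroes part of it, so the last member at offset 0x19C still holds the previous page's bytes ("cros", 0x736F7263 little-endian), and that stale value is then passed to a LocalFree-style release on exit. The block size (0x1A0) and member offset (0x19C) are taken from the dump; the one-block heap, the zeroed prefix length, the field writes and the handle-validating `local_free()` are constructed assumptions that model, respectively, heap reuse, the partial init, and the "figures out the handle is invalid" behaviour the comment attributes to Windows. The fixed initializer shows the mitigation: give every member a defined value before the block is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the per-page instance block from the dump above:
 * 0x1A0 bytes, last DWORD member at offset 0x19C. */
#define INSTANCE_SIZE      0x1A0
#define LAST_MEMBER_OFFSET 0x19C
#define ZEROED_PREFIX      0x160   /* assumption: the buggy init zeroes only this much */

/* One-block "heap" that, like a real allocator, does not scrub freed memory,
 * so the block reused for the 'finish' page still carries the previous page's data. */
static unsigned char heap_block[INSTANCE_SIZE];
static int heap_block_in_use;

static void *heap_alloc(size_t n)
{
    if (n > INSTANCE_SIZE || heap_block_in_use) return NULL;
    heap_block_in_use = 1;
    return heap_block;                 /* contents left exactly as the previous user left them */
}

static void heap_free(void *p)
{
    if (p == heap_block) heap_block_in_use = 0;
}

/* Table of live handles: a constructed stand-in for the handle validation a
 * defensive LocalFree/GlobalFree performs before touching heap metadata. */
#define MAX_LIVE 8
static void *live_handles[MAX_LIVE];

static void *local_alloc(size_t n)
{
    void *p = heap_alloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live_handles[i]) { live_handles[i] = p; break; }
    return p;
}

/* Returns 1 if h was NULL or a live handle (now released), 0 if it was rejected. */
static int local_free(void *h)
{
    if (!h) return 1;                  /* freeing NULL is a harmless no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_handles[i] == h) { live_handles[i] = NULL; heap_free(h); return 1; }
    fprintf(stderr, "local_free(%p): not a live handle, ignoring\n", h);
    return 0;                          /* invalid handle: refuse instead of faulting */
}

static uint32_t read_u32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void write_u32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

/* An earlier dialog page stores string bytes in the last member, then frees the block. */
static void previous_page_lifecycle(void)
{
    unsigned char *blk = local_alloc(INSTANCE_SIZE);
    memset(blk, 0, INSTANCE_SIZE);
    memcpy(blk + LAST_MEMBER_OFFSET, "cros", 4);   /* 63 72 6F 73 = 0x736F7263 little-endian */
    local_free(blk);                               /* block is freed, bytes remain */
}

/* Buggy 'finish' page init: zeroes a prefix, fills a few fields, never touches 0x19C. */
static void init_finish_page_buggy(unsigned char *blk)
{
    memset(blk, 0, ZEROED_PREFIX);
    write_u32(blk + 0x04, 1);          /* illustrative field values, as in the dump */
    write_u32(blk + 0x08, 0x6E);
}

/* Fixed init: the whole block gets a defined value before any field is filled. */
static void init_finish_page_fixed(unsigned char *blk)
{
    memset(blk, 0, INSTANCE_SIZE);
    write_u32(blk + 0x04, 1);
    write_u32(blk + 0x08, 0x6E);
}

struct exit_result { uint32_t last_member; int free_accepted; };

/* Runs one 'finish' page lifecycle with the given init and reports what the
 * last member held at exit and whether local_free() accepted that value. */
static struct exit_result run_finish_page(void (*init)(unsigned char *))
{
    struct exit_result r;
    previous_page_lifecycle();
    unsigned char *blk = local_alloc(INSTANCE_SIZE);
    init(blk);
    r.last_member = read_u32(blk + LAST_MEMBER_OFFSET);
    /* What the installer does on exit: release whatever the last member holds. */
    r.free_accepted = local_free((void *)(uintptr_t)r.last_member);
    local_free(blk);
    return r;
}

int main(void)
{
    struct exit_result b = run_finish_page(init_finish_page_buggy);
    struct exit_result f = run_finish_page(init_finish_page_fixed);
    printf("buggy init: last member=0x%08X free accepted=%d\n", b.last_member, b.free_accepted);
    printf("fixed init: last member=0x%08X free accepted=%d\n", f.last_member, f.free_accepted);
    return 0;
}
```

With the buggy initializer the stale value 0x736F7263 reaches `local_free()`, which only survives because the release routine validates handles first; with the full zero-fill the member is NULL and the free is a no-op by design. Wine's `GlobalFree` reaches the same "not a valid handle" conclusion the hard way, by catching the page fault, which is why the log above shows the exception trace before `retval=736f7263`.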