New subject: [Bug 52003] Stack overflow inside xml2.xmlXPathInit function.

8 Nov 2021


      https://bugs.winehq.org/show_bug.cgi?id=52003
Bug ID: 52003
           Summary: Stack overflow inside xml2.xmlXPathInit function.
           Product: Wine
           Version: 6.21
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs@winehq.org
          Reporter: besentv@gmail.com
      Distribution: ---
Created attachment 71003
  --> https://bugs.winehq.org/attachment.cgi?id=71003
Thrown exceptions.
The simulator "Zusi 3" uses .htm webpages to show information about its
available content. Some websites have a line of JavaScript that looks something
like this:
<script>var xhr = new window.ActiveXObject( "Microsoft.XMLHTTP" );</script>
which cause the program to crash using Wine.
A +seh trace, provided in the attachments, shows that the program throws a lot
of Division by Zero exceptions before dying in a stack overflow.
Further debugging ended in the result, that the crash occurs inside the
function 
"xmlXPathInit" from the xml2 library, which, without a surprise, does divide by
zero. The function call is reached from "msxml3.DllMain" through
DLL_PROCESS_ATTACH and the function "xmlInitParser".
Changing the code to something like 
*((long long*) &xmlXPathNAN) = 0x7ff8000000000000;
resolved the issue, though this undefined behavior in C.
(z.f. suggested to use unions instead.)
The only thing that really confuses me, is the big amount of thrown exceptions,
even though the program only executes the division by zero only once. Even on
assembly level. Also, why does this cause a stack overflow?
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

[Bug 52003] New: Stack overflow inside xml2.xmlXPathInit function.