http://bugs.winehq.org/show_bug.cgi?id=34021
Bug #: 34021
Summary: IE8 crashes badly when navigating to www.microsoft.com
Product: Wine
Version: 1.6-rc4
Platform: x86-64
URL: http://download.microsoft.com/download/C/C/0/CC0BD555-33DD-411E-936B-73AC6F95AE11/IE8-WindowsXP-x86-ENU.exe
OS/Version: Linux
Status: NEW
Keywords: download
Severity: minor
Priority: P2
Component: wininet
AssignedTo: wine-bugs@winehq.org
ReportedBy: kennybobs@o2.co.uk
Classification: Unclassified
Created attachment 45209 --> http://bugs.winehq.org/attachment.cgi?id=45209 wine-1.6-rc4-122-g104adb7 console output (caught by redirects)
Working around Bug 25648, "wine ~/.wine/drive_c/Program\ Files/Internet\ Explorer/iexplore.exe www.microsoft.com" crashes out badly. See logs.
However, workaround is supplied wininet (and urlmon - unimplemented function).
--- Comment #1 from Ken Sharp kennybobs@o2.co.uk 2013-07-12 14:57:32 CDT ---
Created attachment 45210 --> http://bugs.winehq.org/attachment.cgi?id=45210 wine-1.6-rc4-122-g104adb7 trace (not caught by redirects)

*** stack smashing detected ***: /home/test/.wine/drive_c/Program Files/Internet Explorer/iexplore.exe terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xf744f0e5]
/lib/i386-linux-gnu/libc.so.6(+0x10409a)[0xf744f09a]
/home/test/chrootprecisei386/usr/local/bin/../lib/wine/wininet.dll.so(+0x501a4)[0x7e21d1a4]
/home/test/chrootprecisei386/usr/local/bin/../lib/wine/wininet.dll.so(+0x4aff6)[0x7e217ff6]
[0x67414141]
--- Comment #2 from Austin English austinenglish@gmail.com 2013-10-16 03:05:22 CDT ---
Works fine here with winetricks ie8 and wine-1.7.4. Please retest.
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net

--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
You don't even need IE8 install for that, just visit 'www.microsoft.com' with builtin.
Looks like a classic buffer overflow to me (overly long jscript URI):
--- snip ---
$ wine ~/.wine/drive_c/Program\ Files/Internet\ Explorer/iexplore.exe www.microsoft.com
...
004a:trace:wininet:urlcache_encode_url L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."...
...
004a:trace:wininet:InternetCrackUrlW (L"http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."... 0 0 0x53cc434)
...
004a:trace:wininet:InternetCrackUrlA "http://ots.optimize.webtrends.com/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAA..."...: scheme((null)) host((null)) path("/ots/ots/js-3.2/311121/WT3AAAAgA1FsrAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAA"...) extra((null))
004a:Call ntdll.RtlFreeHeap(00110000,00000000,068c2e40) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:Call ntdll.RtlFreeHeap(00110000,00000000,00000000) ret=7e301ff0
004a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e301ff0
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf749afc6 ip=f749afc6 tid=004a
004a:trace:seh:raise_exception  info[0]=00000000
004a:trace:seh:raise_exception  info[1]=754f6d64
004a:trace:seh:raise_exception  eax=00000000 ebx=f77b9000 ecx=00000024 edx=754f6d64 esi=f77ac3b5 edi=754f6d64
004a:trace:seh:raise_exception  ebp=053cbf58 esp=053cbf24 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210283
--- snip ---
--- snip ---
...
=>0 0x7e31732c urlcache_entry_create+0x1dd(url=*** invalid address 0x754f6d64 ***, ext=*** invalid address 0x4e644a77 ***, full_path=*** invalid address 0x41414167 ***) [/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in wininet (0x0186c4c8)
0x7e31732c urlcache_entry_create+0x1dd [/home/focht/projects/wine/wine.repo/src/dlls/wininet/urlcache.c:2661] in wininet: movb $0x0,0xfffffe88(%ebp,%eax,1)
2661        file_name[e-p] = 0;
...
Wine-dbg>info locals

0x7e31732c urlcache_entry_create+0x1dd: (0186c4c8)
        char* url=*** invalid address 0x754f6d64 *** (parameter [EBP+8])
        char* ext=*** invalid address 0x4e644a77 *** (parameter [EBP+12])
        WCHAR* full_path=*** invalid address 0x41414167 *** (parameter [EBP+16])
        cache_container* container=0x67414141 (local [EBP-116])
        urlcache_header* header=0x41414141 (local [EBP-64])
        char --none--[260] file_name="??..." (local [EBP-376])
        WCHAR --none--[260] extW={ ... }
        BYTE cache_dir='K' (local [EBP-9])
        LONG full_path_len=0x7e332000 (local [EBP-900])
        BOOL generate_name=0x6e4a3163 (local [EBP-16])
        DWORD error=0x59534249 (local [EBP-60])
        HANDLE file=0x67414141 (local [EBP-84])
        FILETIME ft={dwLowDateTime=0x7ffdf000, dwHighDateTime=0x3a} (local [EBP-908])
        URL_COMPONENTSA uc={dwStructSize=0x3c, lpszScheme=0x0(nil), dwSchemeLength=0, nScheme=INTERNET_SCHEME_HTTP, lpszHostName=0x0(nil), dwHostNameLength=0, nPort=0x50, lpszUserName=0x0(nil), dwUserNameLength=0, lpszPassword=0x0(nil), dwPasswordLength=0, lpszUrlPath="/ots/ots/js-3.2/311121/WT34_YlVgAAAIAAAACAAAAAgOISFTcAAACAAAAAgAAAAIDNv11EAAAAgNLJFlkF63euiS_AthR5uVKFQm-fFgTu5AueLOGvXlYLyeSxDQAAAIAAAACAAAAAgAAAAIDeW0M4AAAAgAAAAIAAAACA_pgXxkRkzp4AAACAAAAAgIpJMYkAAACAjj1LuAAAAIAAAACACs8HQPweatMWz1B7qxCj8QAAAICaCbmgAAAAgPXnDHYXLVxiZ1CdBKeYyi0AAACAAAAAgAAAAIAAAACAAAAAgIhIhm4AAACAAAAAgLesOJP0xZK8AAAAgAAAAIBSYgEufY02RClpEpguMDgyAAAAgAAAAIAAAACAFi9Yvc1Jn5bfKYotAAAAgAAAAIDMzdmOuwJdNgAAAIAAAACAAAAAgGt4p68AAACAAAAAgAAAAIAGEuJOAAAAgDT88Qph1iZjAAAAgAAAAIAAAACAwekvMllRApWPMkafAAAAgGlpFwoAAACA2ae0vOA6CMwAAACAAAAAgAAAAIA5Crrj9yQOlAAAAIChdS83Hun-FLZreKpYzh1WAAAAgAAAAIAAAACAAAAAgKNnaMAAAACAAAAAgAAAAIAAAACAAAAAgK6wit6ZbT5YADjM7PZ9HAwAAACAAAAAgAAAAIDSLxBzAAAAgAAAAIAAAACAAAAAgCFr9bLnZZhrsoW9flhoZJOTBp2opVM2jAAAAIAAAACAiib0WXNnZtxbyXH-AAAAgAAAAIAAAACAAAAAgAAAAIB8HVjhAAAAgAAAAIDS7S44JiGQeQAAAICertkUAAAAgAAAAICaHYGrAAAAgAAAAIAAAACALgPnYAAAAIBtVpJNAAAAgJmBep8AAACAAAAAgAQ6EPMAAACAAAAAgAAAAIAAAACAAAAAgAAAAIDGDv_8AAAAgAAAAIAAAACA4mBgxyJZXp7vAmZI2x8Gf65I8BVu9zQkAAAAgAAAAIAAAACAEiqh5pN_e_gAAACAzAlu5", dwUrlPathLength=0x666, lpszExtraInfo=0x0(nil), dwExtraInfoLength=0} (local [EBP-968])
        int i=0x76593969 (local [EBP-20])
        char* p=*** invalid address 0x46414341 *** (local [EBP-24])
        char* e=*** invalid address 0x41414149 *** (local [EBP-28])
--- snip ---

$ wine --version
wine-1.7.13-100-gfcae016
Regards
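Added example, not part of the original report and not Wine's code: a simplified C model of the pattern the debugger output in comment 3 points at, where the last URL path component (the span p..e) is copied into a 260-byte file_name buffer and terminated with file_name[e-p] = 0. The function names, the truncation policy and the sample path are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FILE_NAME_MAX 260   /* char file_name[260] in the locals dump */

/* Locate the last path component p..e (the dump's locals p and e); returns e - p. */
size_t last_component(const char *path, size_t path_len, const char **p_out)
{
    const char *e = path + path_len, *p = e;
    while (p > path && p[-1] != '/' && p[-1] != '\\')
        p--;
    *p_out = p;
    return (size_t)(e - p);
}

/* Bounded form: clamp e - p to the buffer before copying and terminating.
 * The unchecked form, memcpy(out, p, n); out[n] = 0; with n taken straight
 * from the URL, writes past out once n >= out_size. Truncation is assumed. */
size_t make_file_name(const char *path, size_t path_len,
                      char *out, size_t out_size, int *truncated)
{
    const char *p;
    size_t n = last_component(path, path_len, &p);
    *truncated = n >= out_size;
    if (out_size == 0) return 0;
    if (*truncated) n = out_size - 1;
    memcpy(out, p, n);
    out[n] = 0;
    return n;
}

/* Constructed input, not the real URL: "/ots/" plus filler, 0x666 bytes in
 * total to match dwUrlPathLength in the dump. */
size_t demo_long_path(int *truncated)
{
    char path[0x666], file_name[FILE_NAME_MAX];
    memset(path, 'A', sizeof(path));
    memcpy(path, "/ots/", 5);
    return make_file_name(path, sizeof(path), file_name, sizeof(file_name), truncated);
}

int main(void)
{
    int truncated;
    size_t n = demo_long_path(&truncated);
    printf("stored %zu of %d bytes, truncated=%d\n", n, 0x666 - 5, truncated);
    return 0;
}
```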
Simon swdevelop1981@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |swdevelop1981@gmail.com
Dmitry mr_wire@mail.ru changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mr_wire@mail.ru

--- Comment #4 from Dmitry mr_wire@mail.ru ---
Works fine both in builtin IE and in IE8 downloaded using winetricks. Using wine-1.7.25 on Mac OS X.
Ken Sharp imwellcushtymelike@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #45209|0                           |1
        is obsolete|                            |
  Attachment #45210|0                           |1
        is obsolete|                            |

--- Comment #5 from Ken Sharp imwellcushtymelike@gmail.com ---
Created attachment 51684 --> https://bugs.winehq.org/attachment.cgi?id=51684 Wine 1.7.44 console output
*** stack smashing detected ***: iexplore terminated
Still present in Wine 1.7.44, though the backtrace is different.
Sebastian Lackner sebastian@fds-team.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sebastian@fds-team.de
super_man@post.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |super_man@post.com

--- Comment #6 from super_man@post.com ---
wine iexplore.exe www.microsoft.com (builtin ie). No crash. But the address seems to forward to some locale-specific site. Also the site could have changed meanwhile.
wine 1.9.9
Jacek Caban jacek@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jacek@codeweavers.com
      Fixed by SHA1|                            |1a738a556cf231a713c25b1d13d
                   |                            |ecb202c77db90
         Resolution|---                         |FIXED

--- Comment #7 from Jacek Caban jacek@codeweavers.com ---
Long URLs have been fixed in wininet for a long time. For comment 3 it was probably 1a738a556cf231a713c25b1d13decb202c77db90.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 4.10.