http://bugs.winehq.org/show_bug.cgi?id=30329
Bug #: 30329
Summary: Total Commander 8.0 64-bits beta installer crashes due to pointer truncation (image base address > 4 GiB)
Product: Wine
Version: 1.5.1
Platform: x86-64
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Classification: Unclassified
Hello,
the extracted installer "INSTALL.EXE" (64-bit PE binary) can be run alone from the "wc0" temp folder. The installer tries to fill a list box with language strings.
--- snip ---
0026:Starting process L"Z:\home\focht\Downloads\wc0\INSTALL.EXE" (entryproc=0x14000cca0)
...
0026:Call KERNEL32.GetPrivateProfileStringA(140019788 "languages",0022dc90 "18",140019786 "",0022dcf0,00000103,1400226c0 "Z:\home\focht\Downloads\wc0\INSTALL.inf") ret=140001c0d
0026:Ret KERNEL32.GetPrivateProfileStringA() retval=00000013 ret=140001c0d
0026:Call KERNEL32.GetLastError() ret=14000e5c0
0026:Ret KERNEL32.GetLastError() retval=00000000 ret=14000e5c0
0026:Call KERNEL32.GetLastError() ret=14000e5c0
0026:Ret KERNEL32.GetLastError() retval=00000000 ret=14000e5c0
0026:Call user32.SendDlgItemMessageA(0001007e,00000064,00000180,00000000,0022dcf0) ret=140001cd1
0026:Call window proc 0x7f45d4b788ef (hwnd=0x10086,msg=LB_ADDSTRING,wp=00000000,lp=0022dcf0)
0026:Ret window proc 0x7f45d4b788ef (hwnd=0x10086,msg=LB_ADDSTRING,wp=00000000,lp=0022dcf0) retval=00000011
0026:Ret user32.SendDlgItemMessageA() retval=00000011 ret=140001cd1
0026:Call user32.GetDlgItem(0001007e,00000004) ret=140001cfb
0026:Ret user32.GetDlgItem() retval=0001008a ret=140001cfb
0026:Call user32.ShowWindow(0001008a,00000000) ret=140001d06
0026:Call window proc 0x7f45d4b78593 (hwnd=0x1008a,msg=WM_SHOWWINDOW,wp=00000000,lp=00000000)
0026:Ret window proc 0x7f45d4b78593 (hwnd=0x1008a,msg=WM_SHOWWINDOW,wp=00000000,lp=00000000) retval=00000000
0026:Ret user32.ShowWindow() retval=00000001 ret=140001d06
0026:Call user32.SendDlgItemMessageA(0001007e,00000064,00000181,00000012,40019670) ret=140001d30
0026:Call window proc 0x7f45d4b788ef (hwnd=0x10086,msg=LB_INSERTSTRING,wp=00000012,lp=40019670)
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b8633f9 ip=7b8633f9 tid=0026
0026:trace:seh:raise_exception info[0]=0000000000000000
0026:trace:seh:raise_exception info[1]=0000000040019670
0026:trace:seh:raise_exception rax=0000000000000000 rbx=0000000000000026 rcx=ffffffffffffffff rdx=0000000040019670
0026:trace:seh:raise_exception rsi=0000000000000181 rdi=0000000040019670 rbp=000000000022d2d0 rsp=000000000022d1a0
0026:trace:seh:raise_exception r8=0000000040019670 r9=00000000ffffffff r10=0000000000000008 r11=000000399ab7c680
0026:trace:seh:raise_exception r12=000000000001f0ac r13=00000001400226c0 r14=0000000000000000 r15=00000001400226c0
--- snip ---
The reason for the crash is a 32-bit pointer truncation -> application bug. Most likely the original code was Win32 and has been ported to Win64 with some casts still in there.
(annotated)
--- snip ---
.text:0000000140001D0D    movsxd  rax, cs:dword_14001F030
.text:0000000140001D14    movsxd  r9, r11d            ; wParam
.text:0000000140001D17    mov     edx, 64h            ; nIDDlgItem
.text:0000000140001D1C    mov     r8d, 181h           ; Msg, LB_INSERTSTRING
.text:0000000140001D22    mov     rcx, rdi            ; hDlg
.text:0000000140001D25    mov     [rsp+20h], rax
.text:0000000140001D2A    call    cs:SendDlgItemMessageA
--- snip ---
The data reference (I only decoded the 32-bit part to show the 32-bit access):
--- snip ---
.data:000000014001F030 dword_14001F030 dd 40019670h
.data:000000014001F034                 db 1
.data:000000014001F035                 db 0
.data:000000014001F036                 db 0
.data:000000014001F037                 db 0
--- snip ---
Page fault address: 0000000040019670
If referenced as 64 bits (0x140019670) it would be correct:
--- snip ---
.rdata:0000000140019670 db 4Fh ; O
.rdata:0000000140019671 db 74h ; t
.rdata:0000000140019672 db 68h ; h
.rdata:0000000140019673 db 65h ; e
.rdata:0000000140019674 db 72h ; r
.rdata:0000000140019675 db 20h
...
--- snip ---
Using the "dumpbin" tool from Visual Studio/Express/SDK on the executable gives:
--- snip ---
Dump of file INSTALL.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               5 number of sections
        4EE124C5 time date stamp Thu Dec 08 21:57:41 2011
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              23 characteristics
                   Relocations stripped
                   Executable
                   Application can handle large (>2GB) addresses

OPTIONAL HEADER VALUES
             20B magic # (PE32+)
            8.00 linker version
           17800 size of code
            D800 size of initialized data
               0 size of uninitialized data
            CCA0 entry point (000000014000CCA0)
            1000 base of code
       140000000 image base (0000000140000000 to 0000000140028FFF)
            1000 section alignment
             200 file alignment
            4.00 operating system version
            0.00 image version
            5.02 subsystem version
               0 Win32 version
           29000 size of image
             400 size of headers
           303B3 checksum
               2 subsystem (Windows GUI)
            8000 DLL characteristics
                   Terminal Server Aware
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           1D7D8 [      64] RVA [size] of Import Directory
           26000 [    23F8] RVA [size] of Resource Directory
           24000 [    10F8] RVA [size] of Exception Directory
           22400 [    1780] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
           19000 [     5E8] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory
--- snip ---
Section headers:
--- snip ---
SECTION HEADER #1
   .text name
   176BE virtual size
    1000 virtual address (0000000140001000 to 00000001400186BD)
   17800 size of raw data
     400 file pointer to raw data (00000400 to 00017BFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
  .rdata name
    5B1C virtual size
   19000 virtual address (0000000140019000 to 000000014001EB1B)
    5C00 size of raw data
   17C00 file pointer to raw data (00017C00 to 0001D7FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Section contains the following imports:

    KERNEL32.dll
       1400190D8 Import Address Table
       14001D918 Import Name Table
               0 time date stamp
               0 Index of first forwarder reference
...

SECTION HEADER #3
   .data name
    4478 virtual size
   1F000 virtual address (000000014001F000 to 0000000140023477)
    1600 size of raw data
   1D800 file pointer to raw data (0001D800 to 0001EDFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write
...

SECTION HEADER #4
  .pdata name
    10F8 virtual size
   24000 virtual address (0000000140024000 to 00000001400250F7)
    1200 size of raw data
   1EE00 file pointer to raw data (0001EE00 to 0001FFFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only
...

SECTION HEADER #5
   .rsrc name
    23F8 virtual size
   26000 virtual address (0000000140026000 to 00000001400283F7)
    2400 size of raw data
   20000 file pointer to raw data (00020000 to 000223FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only
--- snip ---
The image load base of 0x0000000140000000 (>4 GiB address space) is probably meant to catch such 32 vs. 64-bit porting errors. When pointers are stored as 32 bits they would be truncated, hence triggering the page fault seen here.
I've looked into the Total Commander forum (http://www.ghisler.ch/board/index.php?language=english) but didn't find any bug reports about the installer crashing on Win64, so I assume this installer somehow runs despite the bug.
Would be nice if someone with Win64 could verify this. Maybe the loader does something different on Win64?
Even if the bug is invalid it's probably good to have one bug to collect such misbehaving apps. I suspect there are more apps out there.
Regards
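As an added illustration of the header fields the dumpbin output above reports, here is a small PE header reader in C; it is not code from the bug report, from the installer or from Wine. It constructs two headers in memory (a PE32+ one carrying the machine, characteristics, ImageBase and SizeOfImage values shown above, and a made-up PE32 image at the usual 0x400000 base for comparison), parses them, and flags any image whose mapped range extends past 4 GiB, which is exactly the situation in which a pointer pushed through a 32-bit variable can no longer come back unchanged. The layout offsets are those of the COFF and optional headers; the sample bytes are constructed, not taken from the real INSTALL.EXE.

```c
/* Added example (not from the bug report, the installer or Wine): minimal
 * PE header reader that pulls out the fields dumpbin prints and flags images
 * mapped above 4 GiB, where a DWORD-sized pointer store must lose bits. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_MACHINE_AMD64       0x8664
#define PE_MACHINE_I386        0x014C
#define PE_MAGIC_PE32          0x10B
#define PE_MAGIC_PE32PLUS      0x20B
#define PE_CHAR_LARGE_ADDRESS  0x0020   /* IMAGE_FILE_LARGE_ADDRESS_AWARE */

struct pe_info {
    uint16_t machine;
    uint16_t characteristics;
    uint16_t magic;
    uint64_t image_base;
    uint32_t size_of_image;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walk DOS header -> PE signature -> COFF header -> optional header.
 * Returns 0 on success, -1 on malformed or truncated input. */
int pe_parse(const uint8_t *buf, size_t len, struct pe_info *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe_off = rd32(buf + 0x3C);                 /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20 + 60) return -1;
    const uint8_t *pe = buf + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = pe + 4;                       /* 20-byte COFF header */
    const uint8_t *opt  = coff + 20;                    /* optional header */
    out->machine         = rd16(coff + 0);
    out->characteristics = rd16(coff + 18);
    out->magic           = rd16(opt + 0);
    if (out->magic == PE_MAGIC_PE32PLUS)
        out->image_base = rd64(opt + 24);               /* 8-byte ImageBase */
    else if (out->magic == PE_MAGIC_PE32)
        out->image_base = rd32(opt + 28);               /* 4-byte ImageBase after BaseOfData */
    else
        return -1;
    out->size_of_image = rd32(opt + 56);                /* same offset in both layouts */
    return 0;
}

/* 1 if some byte of the mapped image has a virtual address that does not fit
 * in 32 bits, i.e. any 32-bit pointer store of an image address loses data. */
int pe_truncation_hazard(const struct pe_info *pi)
{
    return pi->image_base + pi->size_of_image > 0x100000000ULL;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Constructed sample header (not the real INSTALL.EXE). With pe32plus=1 it
 * carries the dumpbin values from the report; with 0 it is a made-up PE32
 * image. Returns the number of bytes written, 0 if the buffer is too small. */
size_t build_sample(uint8_t *buf, size_t cap, int pe32plus, uint64_t image_base)
{
    const uint32_t pe_off = 0x80;
    size_t need = pe_off + 4 + 20 + 0xF0;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, pe_off);
    uint8_t *pe = buf + pe_off;
    memcpy(pe, "PE\0\0", 4);
    uint8_t *coff = pe + 4, *opt = coff + 20;
    wr16(coff + 0, pe32plus ? PE_MACHINE_AMD64 : PE_MACHINE_I386);
    wr16(coff + 2, 5);                                  /* number of sections */
    wr32(coff + 4, 0x4EE124C5);                         /* time date stamp */
    wr16(coff + 16, pe32plus ? 0xF0 : 0xE0);            /* size of optional header */
    wr16(coff + 18, pe32plus ? 0x23 : 0x102);           /* characteristics */
    wr16(opt + 0, pe32plus ? PE_MAGIC_PE32PLUS : PE_MAGIC_PE32);
    wr32(opt + 16, 0xCCA0);                             /* entry point RVA */
    wr32(opt + 20, 0x1000);                             /* base of code */
    if (pe32plus) wr64(opt + 24, image_base);
    else          wr32(opt + 28, (uint32_t)image_base);
    wr32(opt + 56, 0x29000);                            /* size of image */
    wr32(opt + 60, 0x400);                              /* size of headers */
    return need;
}

int main(void)
{
    uint8_t buf[512];
    struct pe_info pi;
    size_t n = build_sample(buf, sizeof buf, 1, 0x140000000ULL);
    if (pe_parse(buf, n, &pi) != 0) { puts("parse failed"); return 1; }
    printf("machine=%04x magic=%03x characteristics=%04x image base=%#llx size=%#x hazard=%d\n",
           pi.machine, pi.magic, pi.characteristics,
           (unsigned long long)pi.image_base, pi.size_of_image, pe_truncation_hazard(&pi));
    return 0;
}
```

The hazard test deliberately looks at the end of the mapped range, not just the base: an image that starts just below 4 GiB and straddles the boundary is still partly unreachable through a 32-bit variable. The "large address aware" bit in the characteristics is the part the linker was told about; the image base above 4 GiB is what turns the latent truncation into a reliable fault on Wine.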
Anastasius Focht focht@gmx.net changed:
What      |Removed |Added
---------------------------------------------------------------------------
Keywords  |        |download, Installer, win64
URL       |        |http://www.ghisler.com/800_b24.php

--- Comment #1 from Anastasius Focht focht@gmx.net 2012-04-01 11:02:28 CDT ---
Hello,
filling fields
$ du -sh tc80x64beta24.exe
4.2M    tc80x64beta24.exe

$ sha1sum tc80x64beta24.exe
7f87d123eb604415ec924b14b024a7c4285c0c4e  tc80x64beta24.exe
Regards
Anastasius Focht focht@gmx.net changed:
What      |Removed                                                                                                    |Added
---------------------------------------------------------------------------
URL       |http://www.ghisler.com/800_b24.php                                                                         |http://fileforum.betanews.com/detail/Total-Commander_64bit/945901171/3
Summary   |Total Commander 8.0 64-bits beta installer crashes due to pointer truncation (image base address > 4 GiB)  |Total Commander 8.0 64-bit installer crashes due to pointer truncation (image base address > 4 GiB)

--- Comment #2 from Anastasius Focht focht@gmx.net 2012-05-27 14:49:53 CDT ---
Hello,
adjusting summary as this is still present with final version of Total Commander 8.0 64-bit. The "combined" 32/64-bit versions installer (http://fileforum.betanews.com/detail/Total-Commander-32bit64bit/945901171/1) is also affected by this.
A workaround is to create a 32-bit WINEPREFIX using WINEARCH=win32 prior to running the combined installer. The 64-bit binaries will be put into the same program/install folder. After installation, back up the install folder (default: "totalcmd") and create a new 64-bit WINEPREFIX. Move the backup folder to the new prefix. Now you can run Total Commander 8.0 64-bit in this prefix.

$ du -sh tcm80x64.exe
4.2M    tcm80x64.exe

$ sha1sum tcm80x64.exe
7686c6d4c952726f7a9de7350debeb44ce1c2eb8  tcm80x64.exe

$ wine --version
wine-1.5.5
Regards
Karl Heilen karl.heilen@freenet.de changed:
What      |Removed |Added
---------------------------------------------------------------------------
CC        |        |karl.heilen@freenet.de

--- Comment #3 from Karl Heilen karl.heilen@freenet.de 2012-07-16 18:07:24 CDT ---
Hello, Anastasius,
the developer of Total Commander, Christian Ghisler, is aware of the fact that the T.C. 8 64-bit installer cannot be executed successfully on Wine 64-bit. Please, cf. this Total Commander thread: "Wine makes TC x32_x64 installer abort on Ubuntu 12.04x64" (http://ghisler.ch/board/viewtopic.php?p=252389#252389). Telling from the error message we saw, we concluded the bug should be inside Wine, in particular because the 64-bit installer runs perfectly on Windows 64-bit. Anyway, maybe you are right and the source of trouble is inside the 64-bit T.C. installer. Therefore I posted about your bug report in the T.C. forum. Maybe Christian Ghisler will take the time to re-investigate the problem.
Cheers, Karl
Anastasius Focht focht@gmx.net changed:
What      |Removed  |Added
---------------------------------------------------------------------------
Component |-unknown |user32

--- Comment #4 from Anastasius Focht focht@gmx.net 2012-07-21 13:01:23 CDT ---
Hello,
Windows does lots of stuff under the hood to work around badly behaving/buggy apps, silently eating invalid pointer accesses and the like.
You can easily verify the problem by looking at languages selection listbox content that is presented after installer start.
The first entry shown is "English". The last entry is "Romanian". The last one should actually be "Other (can be found on www.ghisler.com)" (the string referenced is eaten silently due to pointer truncation).
If the "Other (can be found on www.ghisler.com)" entry is missing in the 64-bit installer then Windows has caught the invalid pointer access silently. The 32-bit installer correctly displays the last entry "Other (can be found on www.ghisler.com)".
You can "fix" this buggy installer by adding a structured exception handler (SEH) to:
http://source.winehq.org/git/wine.git/blob/0f90053575c26407efd1b0775fcceb7ab...
But this kind of change should be avoided if possible. Wine is already cluttered with SEH in some places to work around buggy apps.
I suggest reading some 64-bit porting guides and fixing the installer itself.
http://software.intel.com/en-us/blogs/2011/07/07/all-about-64-bit-programmin... (All about 64-bit programming in one place, excellent guide)
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384214%28v=vs.85%2... (Programming Guide for 64-bit Windows > Migration Tips)
http://msdn.microsoft.com/en-us/magazine/cc300794.aspx (x64 Primer: Everything You Need To Know To Start Programming 64-Bit Windows Systems)
http://www.osronline.com/ddkx/kmarch/other_66cn.htm (Porting Issues Checklist)
Regards
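To make the defect the comment above asks the installer author to fix concrete, here is an added C example (not code from the installer, the bug report or Wine) that replays the `dd 40019670h` store plus `movsxd` re-widen seen in the disassembly on plain integers: a 64-bit address goes into a 32-bit slot and is sign-extended back when handed over as the LPARAM, next to the correct pointer-sized store. The image base, image size and string address are the values from the report; the 0x400000 base stands for a typical Win32 build and shows why the same code ran fine there, and the 0x180001000 address is a hypothetical value chosen only to show that sign extension can push a truncated pointer far outside the user-mode range.

```c
/* Added example (not from the installer, the bug report or Wine): the
 * 32-bit pointer store + movsxd re-widen from the disassembly, replayed on
 * integers so the effect is checkable without a PE image. Assumes a 64-bit
 * target, where LPARAM is a 64-bit signed integer (INT_PTR). */
#include <stdint.h>
#include <stdio.h>

typedef int64_t  LPARAM_T;   /* stand-in for Win64 LPARAM */
typedef uint32_t DWORD_T;    /* the 32-bit .data slot the installer kept the pointer in */

/* Buggy path: bits 32..63 are discarded by the DWORD store, then movsxd
 * sign-extends bit 31 of what is left when the value is loaded as LPARAM. */
LPARAM_T truncated_lparam(uint64_t string_addr)
{
    DWORD_T slot = (DWORD_T)string_addr;      /* truncating store into dword_14001F030 */
    return (LPARAM_T)(int32_t)slot;           /* movsxd rax, dword ptr [...] */
}

/* Correct Win64 path: keep the address in a pointer-sized slot; nothing is lost. */
LPARAM_T correct_lparam(uint64_t string_addr)
{
    uint64_t slot = string_addr;              /* INT_PTR / LPARAM sized storage */
    return (LPARAM_T)slot;
}

/* 1 if the value handed to the window procedure still lies inside the mapped image. */
int lparam_inside_image(LPARAM_T lp, uint64_t image_base, uint32_t size_of_image)
{
    uint64_t v = (uint64_t)lp;
    return v >= image_base && v < image_base + (uint64_t)size_of_image;
}

/* Stand-alone output: describe one address under both paths. */
static void report(const char *label, uint64_t addr, uint64_t base, uint32_t size)
{
    LPARAM_T bad = truncated_lparam(addr), good = correct_lparam(addr);
    printf("%s: addr=%#llx truncated=%#llx (inside image: %d) correct=%#llx (inside image: %d)\n",
           label, (unsigned long long)addr,
           (unsigned long long)(uint64_t)bad,  lparam_inside_image(bad, base, size),
           (unsigned long long)(uint64_t)good, lparam_inside_image(good, base, size));
}

int main(void)
{
    /* Values from the report: image base 0x140000000, size 0x29000, string at 0x140019670. */
    report("Win64 image base > 4 GiB", 0x140019670ULL, 0x140000000ULL, 0x29000);
    /* Same code as a Win32 build at an assumed 0x400000 base: truncation is a no-op. */
    report("Win32 image base < 4 GiB", 0x419670ULL, 0x400000ULL, 0x29000);
    /* Hypothetical address with bit 31 set: sign extension sends it above user space. */
    report("hypothetical bit-31 case", 0x180001000ULL, 0x180000000ULL, 0x29000);
    return 0;
}
```

The Win32 case is the reason the bug stayed invisible before the port: with every address below 4 GiB the DWORD store and the sign-extending load are lossless, so nothing flagged the cast. Once the image base sits at 0x140000000 the same two instructions produce 0x40019670, the page fault address in the trace above.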
Anastasius Focht focht@gmx.net changed:
What      |Removed |Added
---------------------------------------------------------------------------
Blocks    |        |31276
Anastasius Focht focht@gmx.net changed:
What       |Removed                                                                                             |Added
---------------------------------------------------------------------------
Status     |NEW                                                                                                 |RESOLVED
Resolution |                                                                                                    |WONTFIX
Summary    |Total Commander 8.0 64-bit installer crashes due to pointer truncation (image base address > 4 GiB) |Total Commander 8.0 64-bit installer crashes due to LB_INSERTSTRING pointer truncation (image base address > 4 GiB)

--- Comment #5 from Anastasius Focht focht@gmx.net 2012-07-23 15:22:08 CDT ---
Hello,
it seems the author of "Total Commander" fixed the string pointer truncation for LB_INSERTSTRING in 64-bit installer.
See: http://ghisler.ch/board/viewtopic.php?p=252389#252846
http://ghisler.fileburst.com/beta/install64.zip
The archive contains a single INSTALL.EXE for testing (overwrite the original one 8.0.0.0 with 8.0.1.0). The last entry in listbox, "Other (can be found on www.ghisler.com)" is finally shown.
With bug 31276 fixed as of today, "Total Commander" 64-bit installer now successfully finishes without any hacks/overrides.
Marking this bug "WONTFIX" because Wine should only work around using SEH if many apps are affected. Technically some kind of "application upstream".
Regards
Austin English austinenglish@gmail.com changed:
What      |Removed  |Added
---------------------------------------------------------------------------
Status    |RESOLVED |CLOSED

--- Comment #6 from Austin English austinenglish@gmail.com 2012-07-24 16:34:53 CDT ---
Closing.
Anastasius Focht focht@gmx.net changed:
What      |Removed                                                                |Added
---------------------------------------------------------------------------
URL       |http://fileforum.betanews.com/detail/Total-Commander_64bit/945901171/3 |https://web.archive.org/web/20210210084652/https://madsenworld.dk/tcmd/finals/tcm80x64.exe