http://bugs.winehq.org/show_bug.cgi?id=34716
Bug #: 34716
Summary: HippoAnimator3: Invalid name at installation startup
Product: Wine
Version: 1.7.4
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: lukasz.wojnilowicz@gmail.com
Classification: Unclassified

Created attachment 46286 --> http://bugs.winehq.org/attachment.cgi?id=46286
WINEDEBUG=+relay,+seh,+tid on Wine 1.7.4

Steps to reproduce:
1) remove ~/.wine
2) wine HippoAnimator3.exe

Behaviour: Error message with "Invalid name" text.

Expected behaviour: No error message.
NSLW lukasz.wojnilowicz@gmail.com changed:
What     |Removed |Added
---------+--------+------------------------------------------------------------------
Keywords |        |download, Installer
URL      |        |http://www.hippostudios.co/Content/Files/Downloads/HippoAnimator3.exe
Ricardo Vega ricardoe@gmail.com changed:
What |Removed |Added
-----+--------+------------------
CC   |        |ricardoe@gmail.com
--- Comment #1 from Ricardo Vega ricardoe@gmail.com 2013-11-12 15:02:28 CST ---
+1, exact same behavior using:
wine-1.4.1 Ubuntu 13.04
Anastasius Focht focht@gmx.net changed:
What           |Removed                       |Added
---------------+------------------------------+---------------------------------
Keywords       |                              |dotnet
Status         |UNCONFIRMED                   |NEW
CC             |                              |focht@gmx.net
Component      |-unknown                      |kernel32
Summary        |HippoAnimator3: Invalid name  |HippoAnimator3 fails on startup,
               |at installation startup       |complains 'Invalid name'
               |                              |(GetTempPathW on poisoned stack
               |                              |buffer)
Ever Confirmed |0                             |1
--- Comment #2 from Anastasius Focht focht@gmx.net 2013-11-12 17:46:13 CST ---
Hello folks,
confirming.
Prerequisite: 'winetricks -q dotnet20' (if Mono is not installed)
The installer writes a .NET app config file from its PE resource (good guy):
--- snip ---
002b:Call KERNEL32.FindResourceW(00400000,0000006f,0040c89c L"BINARY") ret=00401431
002b:Ret KERNEL32.FindResourceW() retval=004161f0 ret=00401431
002b:Call KERNEL32.LoadResource(00000000,004161f0) ret=0040143d
002b:Ret KERNEL32.LoadResource() retval=00a63440 ret=0040143d
002b:Call KERNEL32.LockResource(00a63440) ret=00401444
002b:Ret KERNEL32.LockResource() retval=00a63440 ret=00401444
002b:Call KERNEL32.SizeofResource(00000000,004161f0) ret=0040144e
002b:Ret KERNEL32.SizeofResource() retval=000000db ret=0040144e
002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401464
002b:Ret KERNEL32.GetTempPathW() retval=00000014 ret=00401464
002b:Call KERNEL32.CreateDirectoryW(0033f5f4 L"C:\users\focht\Temp\",00000000) ret=00401473
002b:Ret KERNEL32.CreateDirectoryW() retval=00000000 ret=00401473
002b:Call KERNEL32.CreateFileW(0033ee24 L"C:\users\focht\Temp\HippoAnimator3Update.exe.config",40000000,00000000,00000000,00000002,00000080,00000000) ret=004014e6
002b:Ret KERNEL32.CreateFileW() retval=0000003c ret=004014e6
002b:Call KERNEL32.WriteFile(0000003c,00a63440,000000db,0033ee20,00000000) ret=004014f7
002b:Ret KERNEL32.WriteFile() retval=00000001 ret=004014f7
002b:Call KERNEL32.CloseHandle(0000003c) ret=004014fe
002b:Ret KERNEL32.CloseHandle() retval=00000001 ret=004014fe
--- snip ---
Next, an embedded PE binary should be written out the same way (bad guy):
--- snip ---
002b:Call KERNEL32.FindResourceW(00400000,0000006e,0040c89c L"BINARY") ret=00401312
002b:Ret KERNEL32.FindResourceW() retval=004161e0 ret=00401312
002b:Call KERNEL32.LoadResource(00000000,004161e0) ret=0040131e
002b:Ret KERNEL32.LoadResource() retval=00470820 ret=0040131e
002b:Call KERNEL32.LockResource(00470820) ret=00401325
002b:Ret KERNEL32.LockResource() retval=00470820 ret=00401325
002b:Call KERNEL32.SizeofResource(00000000,004161e0) ret=0040132f
002b:Ret KERNEL32.SizeofResource() retval=005f2c20 ret=0040132f
002b:Call KERNEL32.GetTempPathW(000003e8,0033f5f4) ret=00401345
002b:Ret KERNEL32.GetTempPathW() retval=00000014 ret=00401345
002b:Call KERNEL32.CreateDirectoryW(0033f5f4 L"C:\users\focht\Temp\",00000000) ret=00401354
002b:Ret KERNEL32.CreateDirectoryW() retval=00000000 ret=00401354
002b:Call KERNEL32.CreateFileW(0033ee24 L"C:\users\focht\Temp\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...,40000000,00000000,00000000,00000002,00000080,00000000) ret=004013c3
002b:Ret KERNEL32.CreateFileW() retval=ffffffff ret=004013c3
002b:Call KERNEL32.WriteFile(ffffffff,00470820,005f2c20,0033ee20,00000000) ret=004013d4
002b:Ret KERNEL32.WriteFile() retval=00000000 ret=004013d4
002b:Call KERNEL32.CloseHandle(ffffffff) ret=004013db
002b:Ret KERNEL32.CloseHandle() retval=00000000 ret=004013db
002b:Call shell32.ShellExecuteExW(0033edc8) ret=004012be
002b:Call ntdll.RtlAllocateHeap(00110000,00000000,000005d8) ret=7e88fca5
002b:Ret ntdll.RtlAllocateHeap() retval=0012b758 ret=7e88fca5
002b:Call shlwapi.PathFindExtensionW(0012b758 L"C:\users\focht\Temp\\f742\fbb03\95fc\f753\0002\b042\f743\fbc03\95fc\f753\95fc\f753\ba25\7bce\0002\ec01\f742\fbe03\95fc\f753\bf7d\f740\1d48\f744\4000\f758\fbb03\ffe2\7fff\ca63\f740\a8b1\7bca\0001\a81e\7bca\bf7d\f740\1d48\f744\4000\f758\fbe03\fff1\7fff\ca63\f740\a858\7bca\0001\fffa\ffff\fffa\ffff\168d"...) ret=7e88e187
002b:Ret shlwapi.PathFindExtensionW() retval=0012bd24 ret=7e88e187
--- snip ---
The buffer for GetTempPathW() is allocated on stack and not pre-initialized. After CreateDirectoryW() call, a copy loop is used to construct the final path which gets passed to CreateFileW(). Due to the way the copy loop is coded, garbage characters from stack-based buffer might get copied, resulting in malformed path.
From there everything goes downhill.
Crappy coding at its best ...
Maybe Windows zero-terminates GetTempPathW() buffer up to max buffer size or it just works by chance there (stack layout).
$ sha1sum HippoAnimator3.exe
0051b4a9c55e9c7e1c146e604068f7d730930dc7  HippoAnimator3.exe

$ du -sh HippoAnimator3.exe
7.3M    HippoAnimator3.exe

$ wine --version
wine-1.7.6-168-g8c94e27
Regards
--- Comment #3 from Anastasius Focht focht@gmx.net 2013-11-12 17:50:37 CST ---
Created attachment 46504 --> http://bugs.winehq.org/attachment.cgi?id=46504
C application which mimics the buggy app behaviour
Hello folks,
I spare you the disassembly of installer and provide a small C application which mimics the buggy app behaviour.
--- snip ---
compile:
$ winegcc -m32 -municode -o bug34716 bug34716.c

run:
$ ./bug34716.exe          (zero init buffer)
$ ./bug34716.exe <char>   (poison buffer with <char>)
--- snip ---
Regards
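Comment #2 describes the defect (an uninitialized stack buffer handed to GetTempPathW, then a copy loop that drags garbage past the terminator into the path) and comment #3 describes a mimic program with a zero-init mode and a poison mode. The following is an added example written for this page, not the attachment's code and not Wine's: `fake_get_temp_path` is a constructed stand-in for GetTempPathW that writes only the path and its terminator, `build_path_buggy` is a hypothetical model of the installer's loop (the real one is only in the attachment) that copies every non-zero character of the 1000-char field before appending the file name, and `build_path_fixed` is the corrected builder that trusts only the returned count.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR;      /* stand-in for the Win32 WCHAR type */
#define TEMP_BUF_LEN 1000    /* the installer passes 0x3e8 = 1000 to GetTempPathW */
#define OUT_LEN 1100         /* destination for the final path (assumed size) */

/* Constructed stand-in for GetTempPathW: writes the directory plus one zero and
   returns the character count; nothing past the terminator is touched. */
static size_t fake_get_temp_path(size_t buf_len, WCHAR *buf) {
    static const char dir[] = "C:\\users\\focht\\Temp\\";  /* 20 chars, as in the relay log */
    size_t n = strlen(dir);
    if (buf_len < n + 1) return n + 1;  /* Win32 convention: required size on failure */
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)dir[i];
    buf[n] = 0;
    return n;
}

/* Hypothetical model of the installer's copy loop: the buffer is treated as a
   fixed 1000-char field, every non-zero character is copied, then the name is appended. */
static size_t build_path_buggy(WCHAR poison, const char *name, WCHAR *out) {
    WCHAR tmp[TEMP_BUF_LEN];
    for (size_t i = 0; i < TEMP_BUF_LEN; i++) tmp[i] = poison;  /* 0 = zeroed stack, else poisoned */
    fake_get_temp_path(TEMP_BUF_LEN, tmp);                       /* return value ignored */
    size_t n = 0;
    for (size_t i = 0; i < TEMP_BUF_LEN; i++)
        if (tmp[i] != 0) out[n++] = tmp[i];                      /* drags the uninitialized tail along */
    for (size_t k = 0; name[k]; k++) out[n++] = (WCHAR)name[k];
    out[n] = 0;
    return n;
}

/* Fixed version: honour and check the return value, never read past it. */
static size_t build_path_fixed(WCHAR poison, const char *name, WCHAR *out) {
    WCHAR tmp[TEMP_BUF_LEN];
    for (size_t i = 0; i < TEMP_BUF_LEN; i++) tmp[i] = poison;  /* stack content no longer matters */
    size_t n = fake_get_temp_path(TEMP_BUF_LEN, tmp);
    if (n == 0 || n >= TEMP_BUF_LEN || n + strlen(name) >= OUT_LEN) return 0;  /* failed/truncated */
    for (size_t i = 0; i < n; i++) out[i] = tmp[i];              /* copy exactly what was returned */
    for (size_t k = 0; name[k]; k++) out[n++] = (WCHAR)name[k];
    out[n] = 0;
    return n;
}

static WCHAR g_out[OUT_LEN];  /* last built path, for inspection */
static size_t run_case(int fixed, WCHAR poison) {
    const char *name = "HippoAnimator3Update.exe";  /* name taken from the config-file step in the log */
    return fixed ? build_path_fixed(poison, name, g_out) : build_path_buggy(poison, name, g_out);
}
```

With a zeroed buffer the buggy loop happens to produce the right 44-character path, which is why a zero-filled stack (or a zero-filling GetTempPathW, as comment #2 speculates about Windows) hides the bug; with a poisoned buffer it produces 979 garbage characters between "Temp\" and the file name.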
Jerome Leclanche adys.wh@gmail.com changed:
What     |Removed |Added
---------+--------+---------
Keywords |        |testcase
Teras teras@luukku.com changed:
What |Removed |Added
-----+--------+----------------
CC   |        |teras@luukku.com
--- Comment #4 from Teras teras@luukku.com ---
still the same
wine-1.7.36-125-g656bc70
Bruno Jesus 00cpxxx@gmail.com changed:
What          |Removed |Added
--------------+--------+-----------------------------------------
Fixed by SHA1 |        |f16cf541068831074a6891688d947f0ce32abdd9
Status        |NEW     |RESOLVED
Resolution    |---     |FIXED
--- Comment #5 from Bruno Jesus 00cpxxx@gmail.com ---
Fixed by http://source.winehq.org/git/wine.git/commitdiff/f16cf541068831074a6891688d9...
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
-------+---------+-------
Status |RESOLVED |CLOSED

--- Comment #6 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.38.