https://bugs.winehq.org/show_bug.cgi?id=37882
Bug ID: 37882
Summary: user32.GetKeyboardLayoutNameA/W can't handle NULL out parameter, causing crash in custom application
Product: Wine
Version: 1.7.34
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: user32
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as the summary says.
A user in #winehq asked about this and I looked into it.
Kind of non-standard use case but since Wine strives to be compatible with as many Windows apps as possible this should work too.
Relevant part of trace log:
--- snip ---
...
003d:Starting process L"Z:\home\focht\Downloads\44217C15F30538A1FBDF614C9785C9B7.exe" (entryproc=0x437927)
003d:Call user32.GetKeyboardLayoutNameW(00000000) ret=00437377
003d:Call PE DLL (proc=0x7dd53e78,module=0x7dcf0000 L"winex11.drv",reason=PROCESS_ATTACH,res=(nil))
003d:Ret PE DLL (proc=0x7dd53e78,module=0x7dcf0000 L"winex11.drv",reason=PROCESS_ATTACH,res=(nil)) retval=1
003d:Call winex11.drv.wine_get_gdi_driver(0000002e) ret=7eb3c4d4
003d:Ret winex11.drv.wine_get_gdi_driver() retval=7dd7ace0 ret=7eb3c4d4
003d:Call winex11.drv.CreateDesktopWindow(00010020) ret=7ec6200a
003d:Ret winex11.drv.CreateDesktopWindow() retval=00000001 ret=7ec6200a
003d:Call winex11.drv.wine_get_gdi_driver(0000002e) ret=7eb3c4d4
003d:Ret winex11.drv.wine_get_gdi_driver() retval=7dd7ace0 ret=7eb3c4d4
003d:Call winex11.drv.GetKeyboardLayoutName(00000000) ret=7ec61cc6
003d:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf75bdf80 ip=f75bdf80 tid=003d
003d:trace:seh:raise_exception info[0]=00000001
003d:trace:seh:raise_exception info[1]=00000000
003d:trace:seh:raise_exception eax=00000000 ebx=f7755000 ecx=00000000 edx=00000030 esi=0033f9b4 edi=0033f984
003d:trace:seh:raise_exception ebp=0033f908 esp=0033f660 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210293
003d:trace:seh:call_stack_handlers calling handler at 0x7bc9ed1b code=c0000005
...
Backtrace:
=>0 0xf75bdf80 vsnprintfW+0x546(str=*** invalid address 0x2 ***, len=0x7fffffff, format="%08x", valist="Ó¸×}HÜÎ{") [/home/focht/projects/wine/wine.repo/src/libs/wine/string.c:485] in libwine.so.1 (0x0033f908)
  1 0xf75be096 sprintfW+0x38(str=0x0(nil), format="%08x") [/home/focht/projects/wine/wine.repo/src/libs/wine/string.c:525] in libwine.so.1 (0x0033f938)
  2 0x7dd1b261 X11DRV_GetKeyboardLayoutName+0x57(name=0x0(nil)) [/home/focht/projects/wine/wine.repo/src/dlls/winex11.drv/keyboard.c:1590] in winex11 (0x0033f978)
  3 0x7bc6e63e relay_call+0x39() in ntdll (0x0033f998)
  4 0x7dcfa6ad frame_dummy+0xcc() in winex11 (0x0033f9c8)
  5 0x7ec61cc6 loaderdrv_GetKeyboardLayoutName+0x18(name=0x0(nil)) [/home/focht/projects/wine/wine.repo/src/dlls/user32/driver.c:618] in user32 (0x0033f9c8)
  6 0x7ec77b70 GetKeyboardLayoutNameW+0x25(pwszKLID=0x0(nil)) [/home/focht/projects/wine/wine.repo/src/dlls/user32/input.c:969] in user32 (0x0033f9e8)
  7 0x7bc6e63e relay_call+0x39() in ntdll (0x0033fa00)
  8 0x7ec33b05 in user32 (+0x3b04) (0x0033fa64)
  9 0x00437377 in 44217c15f30538a1fbdf614c9785c9b7Z:\home\focht\Downloads\44217C15F30538A1FBDF614C9785C9B7.exe (+0x37376) (0x0033fa64)
...
--- snip ---
MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/ms646298%28v=vs.85%2...
With 'FALSE' being returned, the application checks the last error code for 0x3e6 ('ERROR_NOACCESS') and bails if not matching.
With that part fixed, the app runs much farther (doesn't fully work yet, but that could be subject to additional bugs).
$ sha1sum 44217C15F30538A1FBDF614C9785C9B7.exe
64f4d39d57b33e58a3937a23e37889583dce47dc 44217C15F30538A1FBDF614C9785C9B7.exe

$ du -sh 44217C15F30538A1FBDF614C9785C9B7.exe
388K 44217C15F30538A1FBDF614C9785C9B7.exe

$ wine --version
wine-1.7.34
Regards
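
The contract described in the report above, as an added portable C model (not Wine source and not the reporter's code): a NULL out parameter must produce FALSE with last error 0x3e6 instead of a fault in the formatter, and a clean failure with a different error code is still incompatible with the caller. The model_* names, the sample layout id 0x409 and the contrasting error code 87 are assumptions made for the example.

```c
/* Added model, not Wine source: portable stand-ins for the Win32 pieces. */
#include <stdio.h>
#include <wchar.h>

#define MODEL_ERROR_NOACCESS          0x3e6u /* value quoted in the report */
#define MODEL_ERROR_INVALID_PARAMETER 87u    /* assumed contrasting code */
#define MODEL_KL_NAMELENGTH           9      /* 8 hex digits + terminator */

static unsigned int model_last_error;            /* stand-in for last-error state */
static const unsigned int model_layout = 0x409;  /* constructed sample layout id */

/* Before: formats straight into the out buffer, like the sprintfW(name, "%08x")
 * call in the backtrace. A NULL 'name' faults inside the formatter. */
static int layout_name_unchecked(wchar_t *name)
{
    return swprintf(name, MODEL_KL_NAMELENGTH, L"%08x", model_layout) == 8;
}

/* After: validate the out parameter at the API boundary and report the
 * failure through the return value plus the last-error code. */
static int layout_name_checked(wchar_t *name)
{
    if (!name) { model_last_error = MODEL_ERROR_NOACCESS; return 0; }
    return layout_name_unchecked(name);
}

/* No crash, but the wrong error code: still fails the caller's check below. */
static int layout_name_wrong_error(wchar_t *name)
{
    if (!name) { model_last_error = MODEL_ERROR_INVALID_PARAMETER; return 0; }
    return layout_name_unchecked(name);
}

/* The caller's check as the report describes it: FALSE must come with 0x3e6. */
static int caller_continues(int (*api)(wchar_t *))
{
    model_last_error = 0;
    return !api(NULL) && model_last_error == MODEL_ERROR_NOACCESS;
}

int main(void)
{
    wchar_t buf[MODEL_KL_NAMELENGTH];
    printf("checked, NULL:     caller continues = %d\n", caller_continues(layout_name_checked));
    printf("wrong error, NULL: caller continues = %d\n", caller_continues(layout_name_wrong_error));
    printf("checked, buffer:   ok = %d, name = %ls\n", layout_name_checked(buf), buf);
    return 0;
}
```
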
Nikolay Sivov bunglehead@gmail.com changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Assignee|wine-bugs@winehq.org        |bunglehead@gmail.com

--- Comment #1 from Nikolay Sivov bunglehead@gmail.com ---
I'll write some tests, thanks for the report.
Anastasius Focht focht@gmx.net changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Summary |user32.GetKeyboardLayoutNam |user32.GetKeyboardLayoutNam
        |eA/W can't handle NULL out  |eW can't handle NULL out
        |parameter, causing crash in |parameter, causing crash in
        |custom application          |custom application

--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello Nikolay,
thanks, I've seen your patch here: https://source.winehq.org/patches/data/108555
Changing summary because I mistakenly assumed NULL out parameter is also handled gracefully on the ANSI version. Apparently not.
Regards
Nikolay Sivov bunglehead@gmail.com changed:
What         |Removed                     |Added
----------------------------------------------------------------------------
Fixed by SHA1|                            |151694a0bce3160387f6d8c54eb
             |                            |aa2b726dbd4c4
Status       |NEW                         |RESOLVED
Resolution   |---                         |FIXED
Assignee     |bunglehead@gmail.com        |wine-bugs@winehq.org

--- Comment #3 from Nikolay Sivov bunglehead@gmail.com ---
Fixed with 151694a0bce3160387f6d8c54ebaa2b726dbd4c4.
Alexandre Julliard julliard@winehq.org changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
Status  |RESOLVED                    |CLOSED

--- Comment #4 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.35.
Anastasius Focht focht@gmx.net changed:
What    |Removed                     |Added
----------------------------------------------------------------------------
URL     |                            |https://web.archive.org/web
        |                            |/20190123235439/https://www
        |                            |.grc.com/malware/CryptoLock
        |                            |er_02-10-2014.zip
Keywords|                            |download, obfuscation

--- Comment #5 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download link via Internet Archive for Documentation.
https://web.archive.org/web/20190123235439/https://www.grc.com/malware/Crypt...
https://www.virustotal.com/gui/file/725f2d25f00164d83419a548d174cf7eb6359931...
$ sha1sum CryptoLocker_02-10-2014.zip
1f2a795cdb69c71acb3330d04ab09d7273f575b3 CryptoLocker_02-10-2014.zip

$ du -sh CryptoLocker_02-10-2014.zip
308K CryptoLocker_02-10-2014.zip
--- snip ---
$ 7z l CryptoLocker_02-10-2014.zip

Listing archive: CryptoLocker_02-10-2014.zip

--
Path = CryptoLocker_02-10-2014.zip
Type = zip
Physical Size = 313930
Comment = THiS SAMPLE WAS DOWNLOADED FROM KERNELMODE.iNFO
ARCHiVE PASSWORD: infected
MD5: 44217c15f30538a1fbdf614c9785c9b7
Xylitol
ADDiTiONAL NOTE: Cryptolocker

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2014-02-10 15:03:33 ....A       395776       311983  44217C15F30538A1FBDF614C9785C9B7.exe
------------------- ----- ------------ ------------  ------------------------
2014-02-10 15:03:33             395776       311983  1 files
--- snip ---
https://www.virustotal.com/gui/file/62f199dedfffef4eb71c33bdf22f4a9b3276f8a8...
Regards