http://bugs.winehq.org/show_bug.cgi?id=23283
Summary: Cannot print my annual income tax return in ElsterFormular (crash)
Product: Wine
Version: 1.2-rc3
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: johannesobermayr@gmx.de
ElsterFormular crashes when I try printing my annual income tax return:
wine-snapshot-1.2.rc3.20100618-1.1.i586 (openSUSE 11.2)
err:seh:setup_exception_record stack overflow 1228 bytes in thread 001c eip 7bc3efd8 esp 00240e64 stack 0x240000-0x241000-0x340000
You can download the app for free here: https://www.elster.de/elfo_down4.php?who=2009/2010
--- Comment #1 from Johannes Obermayr johannesobermayr@gmx.de 2010-06-20 10:25:56 ---
When I try printing the preview I receive this crash:
wine: Unhandled exception 0xc0000409 at address 0x42f6e2 (thread 001c), starting debugger...
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net

--- Comment #2 from Anastasius Focht focht@gmx.net 2010-06-20 15:26:34 ---
Hello,
Wine bug unearthed by an "ElsterFormular" application bug ;-)
Prerequisites: vcrun6 and some (free) pdf reader application to use "print preview" (app internally exports/generates .pdf).
--- quote ---
wine: Unhandled exception 0xc0000409 at address 0x42f6e2 (thread 001c), starting debugger...
--- quote ---
This exception is caused by the app's internal runtime detecting a stack corruption (it uses stack security cookies). Basically after calling shell32.FindExecutableW() the stack got corrupted. For the interested how stack cookies work: http://msdn.microsoft.com/en-us/library/aa290051.aspx
Annotated app callstack before entering shell32.FindExecutableW():
HINSTANCE WINAPI FindExecutableW(LPCWSTR lpFile, LPCWSTR lpDirectory, LPWSTR lpResult)
--- snip app stack ---
003396BC   041CA512  lpFile = "C:\users\focht\Application Data\elsterformular\pica\tmp\100620205722_ElsterPrintPreview.pdf"
003396C0   00000000  lpDirectory = NULL
003396C4   0033970C  lpResult = 0033970C
...
; lpResult buffer starts here
0033970C   00000000
...
; stack security cookie
0033980C   5A6E2810
; points to next SEH record
00339810   00339868
; structured exception handler
00339814   00444702
00339818   00000007
; return to caller
0033981C   004167C0
...
--- snip app stack ---
dlls/shell32/shlexec.c:FindExecutableW -> SHELL_FindExecutable()
SHELL_FindExecutableByOperation() is used to determine the executable to be launched with certain registered filetype (.pdf extension registered):
--- snip dlls/shell32/shlexec.c ---
static UINT SHELL_FindExecutable(LPCWSTR lpPath, LPCWSTR lpFile, LPCWSTR lpOperation,
                                 LPWSTR lpResult, int resultLen, LPWSTR key, WCHAR **env,
                                 LPITEMIDLIST pidl, LPCWSTR args)
{
...
    if (*filetype)
    {
        /* pass the operation string to SHELL_FindExecutableByOperation() */
        retval = SHELL_FindExecutableByOperation(lpOperation, key, filetype, command, sizeof(command));

        if (retval > 32)
        {
            DWORD finishedLen;
            SHELL_ArgifyW(lpResult, resultLen, command, xlpFile, pidl, args, &finishedLen);
            if (finishedLen > resultLen)
                ERR("Argify buffer not large enough.. truncated\n");
...
--- snip dlls/shell32/shlexec.c ---
Resulting in -> ""C:\Program Files\Tracker Software\PDF Viewer\PDFXCview.exe" "%1"" (the pdf viewer I installed for this purpose). Replacing "%1" -> "C:\users\focht\Application Data\elsterformular\pica\tmp\100620205722_ElsterPrintPreview.pdf"
What happens is that the output buffer (lpResult) of FindExecutableW() caller will actually contain two strings in argv-style: executable and file name up to MAX_PATH. This is wrong - the app buffer should never get the %1 (filename) parameter (even if it's "invisible" due to null terminator in between) - it only requested executable name - an unfortunate side effect of Wine's code sharing at this place.
I already mentioned this Wine bug was unearthed by an application bug. As you can see in annotated stack snippet, the application didn't bother to provide what Microsoft suggests for lpResult: MAX_PATH length (http://msdn.microsoft.com/en-us/library/bb776419.aspx). Even if Wine fixes the problem by only copying executable path - if the pdf executable path is long enough, it will most likely also corrupt the stack on Windows.
Someone should tell these guys how to write "secure" software: https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/738-BSI.html
But what can you expect from people that use German identifiers all over the place for their classes, functions, variables and the like .. that's pure coding horror (never heard of industry standards?). Run the app with WINEDEBUG=+debugstr and see what I mean ...
Regards
--- Comment #3 from Johannes Obermayr johannesobermayr@gmx.de 2010-06-20 16:28:42 ---
I mailed to hotline@elsterformular.de. I also mentioned that they should provide PDF export. Let's see whether and what they reply ...
--- Comment #4 from Anastasius Focht focht@gmx.net 2010-06-20 17:34:41 ---
Hello,

--- quote ---
I mailed to hotline@elsterformular.de. I also mentioned that they should provide PDF export. Let's see whether and what they reply ...
--- quote ---
Well, good luck with that ... for your pleasure here is a thread from their helpdesk forum: "Umsatzsteuervoranmeldung - Ausdruck nicht möglich":
https://www.elster.de/anwenderforum/archive/index.php/t-22773.html
Pretty pretty sarcastic tone there (I'm a native German too, so I can comprehend their pain) :|
Funnily, even Microsoft made hotfixes for their bug ridden software (not for this specific problem): http://support.microsoft.com/kb/935448 :-) I hope these guys never work on mission-critical software projects... more harm than good.
Regards
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, printing
--- Comment #5 from Johannes Obermayr johannesobermayr@gmx.de 2010-06-28 07:58:44 ---
"[...] unfortunately we have to inform you that we cannot help you any further with your request.
ElsterFormular is so far not supported under Linux. We also do not offer support for WINE.
We regret not being able to give you a positive answer." (hotline@elster.de)
So what now? I assume I have to file a motion for a linux client (which they deny, free of charge), then contradict (free of charge) and finally file a suit (costs?).
Basis should be: Elster-Gutachten, Dr. Till Jaeger, Munich, 2005-03-14
And I hope there are many followers ...
--- Comment #6 from Anastasius Focht focht@gmx.net 2010-06-28 09:24:26 ---
Hello,

--- quote ---
So what now? I assume I have to file a motion for a linux client (which they deny, free of charge), then contradict (free of charge) and finally file a suit (costs?).
Basis should be: Elster-Gutachten, Dr. Till Jaeger, Munich, 2005-03-14
And I hope there are many followers ...
--- quote ---

Would anyone expect any different answer? While the "Elster" platform itself seems to be cross-platform, that specific "ElsterFormular" app/project has simply grown too large to do a native port/rewrite. There exist alternatives, see: https://www.elster.de/elster_faq.php?faqid=d03#d03 and https://www.elster.de/elster_linmac.php (for disambiguation between ELSTER and ElsterFormular)
If Wine gets fixed at the shell32 SHELL_FindExecutable() part there is a good chance to get printing functionality for "ElsterFormular" to work.
For the bug in the "ElsterFormular" software itself we can put a note/hint/workaround in appdb, describing the path limits to external pdf applications to prevent app buffer overflow (fix would be to install pdf app in short path or use symlink/junction). This would also apply to users of the software running on native Windows, reporting same printing problems ;-)
Regards
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://www.elster.de/elfo_
                   |                            |down4.php?who=2009/2010
          Component|-unknown                    |shell32
            Summary|Cannot print my annual      |Cannot print my annual
                   |income tax return in        |income tax return in
                   |ElsterFormular (crash)      |ElsterFormular (crash)
                   |                            |(shell32.SHELL_FindExecutab
                   |                            |le corrupts stack)

--- Comment #7 from Anastasius Focht focht@gmx.net 2010-08-18 04:40:23 ---
Hello,
setting component 'shell32', download and summary fields.
Regards
Joerg Schiermeier mywine@schiermeier-software.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mywine@schiermeier-software
                   |                            |.de

--- Comment #8 from Joerg Schiermeier mywine@schiermeier-software.de 2012-01-12 18:57:49 CST ---
Is this still an issue?
My Elster is flying around without crashes. I use this version: http://appdb.winehq.org/objectManager.php?sClass=version&iId=22570
wine v1.3.36
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |ABANDONED

--- Comment #9 from Anastasius Focht focht@gmx.net 2012-01-13 14:03:21 CST ---
Hello,

--- quote ---
Is this still an issue?
My Elster is flying around without crashes. I use this version: http://appdb.winehq.org/objectManager.php?sClass=version&iId=22570
wine v1.3.36
--- quote ---
Well, obviously not - the app code was partially rewritten. It seems the stack based buffer is now MAX_PATH length, no security cookie.
The app uses the "A" version of FindExecutable() now which supplies a MAX_PATH sized buffer on its own for A<->W conversion hence FindExecutableW() doesn't pass the app buffer down directly to SHELL_FindExecutable() and SHELL_ArgifyW() to operate on.
Because an internal buffer with MAX_PATH is used, '"<executable_path>" "%1"' replacing "%1" with real path works because truncation happens on closing double quote (executable name), first space or MAX_PATH.
Though if an app still supplies buffer<MAX_PATH (ignoring what MSDN says) and calls FindExecutableW() directly it will overflow with overly long paths.
"ElsterFormular 2008/2009" Download:
https://download.elster.de/download/2008/ElsterFormular-10.4.0.0.exe
The binaries are compiled in 2011.
$ sha1sum ElsterFormular-10.4.0.0.exe
b85f6341860396a334eea48a171c5a3aa921bf3a  ElsterFormular-10.4.0.0.exe

$ wine --version
wine-1.3.36-310-gaba9ddc
("wine ./Elfo2008.exe peterx3" to skip loader)
Because this can't be reproduced anymore (broken app unavailable) I'll mark this one abandoned until another app shows up.
Nothing was fixed on Wine side.
Regards
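The bounds handling discussed in comments #2 and #9 (hand back only the executable path, stop at the closing double quote or the first space, never write past the caller's buffer), as an added example that is not part of the original thread and is not Wine's code. The helper name `copy_executable_only`, the 32-element buffer and the guard value are assumptions made for illustration.

```c
#include <stddef.h>
#include <wchar.h>

/* Hypothetical helper, not Wine's code: copy only the executable part of a
 * registered open command such as  "C:\dir\viewer.exe" "%1"  into out.
 * out_len is the capacity in wide characters, terminator included. Returns
 * the executable length, or -1 (out left empty) if it does not fit. */
long copy_executable_only(const wchar_t *command, wchar_t *out, size_t out_len)
{
    const wchar_t *start = command, *end;
    size_t len;

    if (!command || !out || out_len == 0)
        return -1;
    out[0] = L'\0';
    if (*start == L'"')
        end = wcschr(++start, L'"');   /* quoted: stop at the closing quote */
    else
        end = wcschr(start, L' ');     /* unquoted: stop at the first space */
    if (!end)
        end = start + wcslen(start);

    len = (size_t)(end - start);
    if (len + 1 > out_len)
        return -1;                     /* refuse rather than write past out */
    wmemcpy(out, start, len);
    out[len] = L'\0';
    return (long)len;
}

/* Constructed input: the command template quoted in comment #2. */
const wchar_t SAMPLE_COMMAND[] =
    L"\"C:\\Program Files\\Tracker Software\\PDF Viewer\\PDFXCview.exe\" \"%1\"";

/* Constructed caller frame: undersized buffer followed by a guard word.
 * Returns 1 when the call is rejected and the guard is untouched. */
int undersized_buffer_is_rejected(void)
{
    struct { wchar_t result[32]; unsigned long guard; } f = { {0}, 0xC0FFEEUL };
    long r = copy_executable_only(SAMPLE_COMMAND, f.result, 32);
    return r == -1 && f.result[0] == L'\0' && f.guard == 0xC0FFEEUL;
}

int main(void)
{
    wchar_t ok[260];                   /* MAX_PATH-sized, as MSDN suggests */
    return !(copy_executable_only(SAMPLE_COMMAND, ok, 260) == 58
             && undersized_buffer_is_rejected());
}
```

Returning an error for a short buffer, instead of truncating silently, lets the caller tell a usable path from a clipped one.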
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #10 from Austin English austinenglish@gmail.com 2012-01-23 23:55:17 CST ---
Closing.
André H. nerv@dawncrow.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nerv@dawncrow.de

--- Comment #11 from André H. nerv@dawncrow.de ---
related bug https://bugs.winehq.org/show_bug.cgi?id=29979 (most likely a dup?) was fixed by https://source.winehq.org/git/wine.git/commitdiff/1010372778978a30fb7f9d36d5...