WineHQ
Bug Tracking Database – Bug 6833


Last modified: 2014-01-03 13:09:36 UTC  

AIM Pro fails to load 'apExtCmp.dll' (MSVCRT_ungetc write operation on read-only section/mapping)

Status: CLOSED FIXED
Product: Wine
Classification: Unclassified
Component: msvcrt
Version: 0.9.25
Hardware: x86 Linux
Importance: P2 normal
Target Milestone: ---
Assigned To: Mr. Bugs
URL: http://aimpro.premiumservices.aol.com...
Keywords: download
Reported: 2006-12-05 19:57 UTC by Scott C
Modified: 2014-01-03 13:09 UTC (History)
Fixed by SHA1: ed2d53a36aa413e00c577e11772915bc5de4161e


Attachments
Wine output when trying to run AIM Pro on Fedora Core (5.27 KB, text/plain)
2006-12-05 20:02 UTC, Scott C
Terminal output in wine 0.9.52 (12.43 KB, text/plain)
2008-01-04 15:04 UTC, Austin English

Description Scott C 2006-12-05 19:57:55 UTC
AIM Pro, available at http://aimpro.premiumservices.aol.com/, seems to install
fine, but does not run, producing the backtrace attached.

Fedora Core 6
Slightly modified 2.6.18.3 kernel (modified from FC6 config file)
Wine 0.9.25 from Fedora Extras

Steps to reproduce:
1. Download and run AIM Pro installer with Wine.
2. Attempt to run AIM Pro.

Actual results:
Outputs a list of FIXMEs and a backtrace, then quits back to the command prompt.

Expected results:
The program runs.
Comment 1 Scott C 2006-12-05 20:02:10 UTC
Created attachment 4252 [details]
Wine output when trying to run AIM Pro on Fedora Core

commandline# wine aimpro.exe
Comment 2 Austin English 2008-01-04 15:04:32 UTC
Confirming in wine 0.9.52. We seem to have made some progress, as it gets far enough to check to see if we have Outlook, etc. installed to see the contact list. After that, though, it bombs out in mshtml. I'll attach the output shortly.
Comment 3 Austin English 2008-01-04 15:04:58 UTC
Created attachment 10035 [details]
Terminal output in wine 0.9.52
Comment 4 Dan Kegel 2008-01-04 15:45:38 UTC
Since it's bombing out in mshtml, setting component to shdocvw
(gee, it'd be nice if we had more obvious categories...)
Comment 5 Austin English 2008-11-28 16:02:40 UTC
Crashes pretty much right off the bat (after gecko is installed):
wine: Unhandled page fault on read access to 0x00000000 at address 0x40256b (thread 0030), starting debugger...

Backtrace:
=>1 0x0040256b in apsetup (+0x256b) (0x0033f8b4)
  2 0x7e51f3e6 DispCallFunc+0x256(pvInstance=0x33f978, oVft=0x0, cc=0x4, vtReturn=0x0, cActuals=0x2, prgvt=0x33f968, prgpvarg=0x33f94c, pvargResult=0x33f990) [/home/austin/wine-git/dlls/oleaut32/typelib.c:5707] in oleaut32 (0x0033f924)
  3 0x00405d34 in apsetup (+0x5d34) (0x0033f9a8)
  4 0x7da5ab32 call_sink+0x72(This=<register EDI not in topmost frame>, dispid=0x103, dispparams=0x33fa40) [/home/austin/wine-git/dlls/shdocvw/events.c:266] in shdocvw (0x0033f9e8)
  5 0x7da5a706 object_available+0x136(This=<register EDI not in topmost frame>) [/home/austin/wine-git/dlls/shdocvw/dochost.c:78] in shdocvw (0x0033fa68)
  6 0x7da6103d object_available_proc+0x1d(This=0x1407cc, task=0x156e78) [/home/austin/wine-git/dlls/shdocvw/navigate.c:277] in shdocvw (0x0033fa78)
  7 0x7da5a856 process_dochost_task+0x16(This=0x1407cc, lparam=0x156e78) [/home/austin/wine-git/dlls/shdocvw/dochost.c:43] in shdocvw (0x0033fa98)
  8 0x7da651c8 shell_embedding_proc+0xf8(hwnd=<register EDI not in topmost frame>, msg=<register ESI not in topmost frame>, wParam=0x0, lParam=0x156e78) [/home/austin/wine-git/dlls/shdocvw/oleobject.c:65] in shdocvw (0x0033fac8)
  9 0x7ea3e7ca WINPROC_wrapper+0x1a() in user32 (0x0033faf8)
  10 0x7ea3eebe call_window_proc+0x6e(hwnd=<register EDI not in topmost frame>, msg=0x700, wp=0x0, lp=0x156e78, result=0x33fba8, arg=0x7da650d0) [/home/austin/wine-git/dlls/user32/winproc.c:457] in user32 (0x0033fb38)
Comment 6 Austin English 2009-09-06 19:50:55 UTC
Now complains it can't find one of its DLLs (apExtCmp.dll), which is in its directory.
Comment 7 Austin English 2011-07-11 12:24:00 UTC
(In reply to comment #6)
> Now complains it can't find one of its DLLs (apExtCmp.dll), which is in its
> directory.

Same in 1.3.24:
austin@aw25 ~/.wine/drive_c/Program Files/AIM/AIM Pro $ wine aimpro.exe 
fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot
fixme:toolhelp:Heap32ListFirst : stub
fixme:msg:ChangeWindowMessageFilter 4a 00000001


540a8b2a74224df29d32d98eb9741c8477a58d52  aimpro.exe
Comment 8 Austin English 2013-12-15 22:53:39 UTC
The same in wine-1.7.8-88-gfb75292.
Comment 9 Anastasius Focht 2013-12-16 13:04:52 UTC
Hello folks,

confirming.

--- quote ---
Now complains it can't find one of its DLLs (apExtCmp.dll), which is in its directory.
--- quote ---

That's because an exception occurs during dll init/entry, hence the dll is forced to unload.

It seems the application (or rather a dll) plays some dirty tricks with msvcrt internal FILE structure/_iob.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/AIM/AIM Pro

$ WINEDEBUG=+tid,+seh,+relay,+msvcrt wine ./aimpro.exe >>log.txt 2>&1
...
0026:Call KERNEL32.LoadLibraryExA(0153d0fc "apExtCmp.dll",00000000,00000000) ret=015229df
0026:Ret  KERNEL32.LoadLibraryExA() retval=01150000 ret=015229df
...
0026:Call KERNEL32.LoadLibraryExA(01601000 "apExtRes.dll",00000000,00000000) ret=01528e36
0026:Ret  KERNEL32.LoadLibraryExA() retval=01660000 ret=01528e36
0026:Call KERNEL32.FindResourceA(01660000,0153d4e0 "skin.xml",00000017) ret=01528e6b
0026:Ret  KERNEL32.FindResourceA() retval=01666288 ret=01528e6b
0026:Call KERNEL32.SizeofResource(01660000,01666288) ret=01528ea1
0026:Ret  KERNEL32.SizeofResource() retval=00008c05 ret=01528ea1
0026:Call KERNEL32.LoadResource(01660000,01666288) ret=01528eab
0026:Ret  KERNEL32.LoadResource() retval=017d0f28 ret=01528eab
0026:Call KERNEL32.LockResource(017d0f28) ret=01528eb2
0026:Ret  KERNEL32.LockResource() retval=017d0f28 ret=01528eb2
0026:Call msvcrt.??2@YAPAXI@Z(000000dc) ret=01528ec6
0026:Call ntdll.RtlAllocateHeap(00110000,00000000,000000dc) ret=7e357294
0026:Ret  ntdll.RtlAllocateHeap() retval=01601028 ret=7e357294
0026:trace:msvcrt:MSVCRT_operator_new (220) returning 0x1601028
0026:Ret  msvcrt.??2@YAPAXI@Z() retval=01601028 ret=01528ec6 
...
0026:Call msvcrt.strncmp(0153d768 "font",017d0faa "font=\"Tahoma:11:b\" fontcolor=\"0x003366\">21</default>\n  </caption>\n\n  // bmp,left,top,right,bottom \n  <borderouter>\n    <default img=\"bmp:oborder.bmp:2:2:2:2:1:b\">2,2,2,2</default>\n    <archout img=\"clr:0xa8a8a8\">1,1,1,1</archout>\n  </borderouter>\n    \n  <borderinner>\n    <default im"...,00000004) ret=01522017
0026:Ret  msvcrt.strncmp() retval=00000000 ret=01522017
0026:trace:msvcrt:MSVCRT_vfscanf_l 0x7e3c13a0 ("%[^:,\"><]:%d:%[^,\"><]")
...
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7e356ff9 ip=7e356ff9 tid=0026
0026:trace:seh:raise_exception  info[0]=00000001
0026:trace:seh:raise_exception  info[1]=017d0fbb
0026:trace:seh:raise_exception  eax=017d0fbb ebx=7e3b9000 ecx=0033ee40 edx=00000022 esi=0000000a edi=7e369f59
0026:trace:seh:raise_exception  ebp=0033ee58 esp=0033ee40 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210206
0026:trace:seh:call_stack_handlers calling handler at 0x1538f24 code=c0000005 flags=0
0026:trace:seh:call_stack_handlers handler at 0x1538f24 returned 1
0026:trace:seh:call_stack_handlers calling handler at 0x1538eeb code=c0000005 flags=0
0026:trace:seh:call_stack_handlers handler at 0x1538eeb returned 1
0026:trace:seh:call_stack_handlers calling handler at 0x7bc9dcec code=c0000005 flags=0 
...
0026:trace:seh:__regs_RtlUnwind handler at 0x1538eeb returned 1
0026:exception in PE entry point (proc=0x119969b,module=0x1150000,reason=PROCESS_ATTACH,res=(nil))
0026:Ret  PE DLL (proc=0x119969b,module=0x1150000 L"apExtCmp.dll",reason=PROCESS_ATTACH,res=(nil)) retval=0
0026:Call PE DLL (proc=0x119969b,module=0x1150000 L"apExtCmp.dll",reason=PROCESS_DETACH,res=(nil))
0026:Call KERNEL32.FreeLibrary(01660000) ret=01175c3b
0026:Ret  KERNEL32.FreeLibrary() retval=00000001 ret=01175c3b 
--- snip ---

Winedbg was rather unhelpful in this case. Most of the time it gets the disas/breakpoints wrong ... hence Ollydbg to the rescue.

Stack before 'MSVCRT_fscanf' entry:

--- snip ---
0033F028   7E3C13A0  stream = msvcrt.7E3C13A0
0033F02C   0153D794  format = "%[^:,"><]:%d:%[^,"><]"
0033F030   0033F104
0033F034   0033F08C
0033F038   0033F048
0033F03C   0033F124
0033F040   0021E95C
0033F044   0021E950
0033F048   00000000
--- snip ---

Dump of MSVCRT_FILE/MSVCRT__iobuf:

--- snip ---
$+0      7E3C13A0  017D0FB0    ASCII "Tahoma:11:b" ...
$+4      7E3C13A4  7FFFFFFF
$+8      7E3C13A8  017D0FB0    ASCII "Tahoma:11:b" ...
$+C      7E3C13AC  00000041
$+10     7E3C13B0  00000000
$+14     7E3C13B4  00000000
$+18     7E3C13B8  7FFFFFFF
$+1C     7E3C13BC  00000000
--- snip ---

Definition for reference:

--- snip ---
struct MSVCRT__iobuf {
  char* _ptr;      // +0
  int   _cnt;      // +4
  char* _base;     // +8
  int   _flag;     // +C
  int   _file;     // +10
  int   _charbuf;  // +14
  int   _bufsiz;   // +18
  char* _tmpfname; // +1C
};
--- snip ---

_base = _ptr = 0x017D0FB0 ... check all PE mappings, getting a hit:

--- snip ---
Address  Size      Section    Contains

01660000 00001000  PE header 
01661000 00001000  .text      code
01662000 00001000  .rdata     imports
01663000 00001000  .data      data
01664000 0017F000  .rsrc      resources
017E3000 00001000  .reloc     relocations
--- snip ---

The address is located in '.rsrc' section of 'apExtRes.dll' which corresponds with earlier LoadResource() in trace log.

After digging further I found the code that initializes the FILE structure/_iob array entry:

--- snip ---
01533F90     56                 PUSH ESI
01533F91     8B35 98A15301      MOV ESI,DWORD PTR DS:[<&MSVCRT._iob>]
01533F97     8BC1               MOV EAX,ECX
01533F99     57                 PUSH EDI
01533F9A     B9 08000000        MOV ECX,8
01533F9F     8BF8               MOV EDI,EAX
01533FA1     F3:A5              REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
01533FA3     8B0D 98A15301      MOV ECX,DWORD PTR DS:[<&MSVCRT._iob>]
01533FA9     5F                 POP EDI
01533FAA     5E                 POP ESI
01533FAB     C741 0C 41000000   MOV DWORD PTR DS:[ECX+C],41   ; _flag
01533FB2     8B15 98A15301      MOV EDX,DWORD PTR DS:[<&MSVCRT._iob>]
01533FB8     8B4C24 04          MOV ECX,DWORD PTR SS:[ESP+4]
01533FBC     894A 08            MOV DWORD PTR DS:[EDX+8],ECX  ; _base
01533FBF     8B15 98A15301      MOV EDX,DWORD PTR DS:[<&MSVCRT._iob>]
01533FC5     890A               MOV DWORD PTR DS:[EDX],ECX
01533FC7     8B15 98A15301      MOV EDX,DWORD PTR DS:[<&MSVCRT._iob>]
01533FCD     B9 FFFFFF7F        MOV ECX,7FFFFFFF
01533FD2     894A 04            MOV DWORD PTR DS:[EDX+4],ECX  ; _cnt
01533FD5     8B15 98A15301      MOV EDX,DWORD PTR DS:[<&MSVCRT._iob>]
01533FDB     894A 18            MOV DWORD PTR DS:[EDX+18],ECX ; _bufsiz
01533FDE     C2 0400            RETN 4
--- snip ---

MSVCRT_fscanf() gets it right with parsing and extracting the integer (including negative char filters from format string).

During run-down, it needs to put back character(s) using MSVCRT_ungetc().
This is a write operation which won't work on memory/section mapped as read-only (see fault address 'info[1]=017d0fbb' / PE mappings).

--- snip ---
int CDECL MSVCRT_ungetc(int c, MSVCRT_FILE * file)
{
    if (c == MSVCRT_EOF)
        return MSVCRT_EOF;

    MSVCRT__lock_file(file);
    if(file->_bufsiz == 0 && msvcrt_alloc_buffer(file))
        file->_ptr++;
    if(file->_ptr>file->_base) {
        file->_ptr--;
        *file->_ptr=c;
        file->_cnt++;
        MSVCRT_clearerr(file);
        MSVCRT__unlock_file(file);
        return c;
    }

    MSVCRT__unlock_file(file);
    return MSVCRT_EOF;
}
--- snip ---

$ sha1sum aimpro.exe 
540a8b2a74224df29d32d98eb9741c8477a58d52  aimpro.exe

$ du -sh aimpro.exe 
13M	aimpro.exe

$ wine --version
wine-1.7.8-220-g0bef543

Regards
Comment 10 Anastasius Focht 2013-12-30 14:33:25 UTC
Hello folks,

this is fixed by commit http://source.winehq.org/git/wine.git/commitdiff/ed2d53a36aa413e00c577e11772915bc5de4161e

Thanks Piotr

NOTE: The app installs its own Gecko engine which conflicts with the Wine provided one (running into unimplemented function nspr4.dll.PR_SetCurrentThreadName).

You have to remove some dlls from app folder to avoid that:

nspr4.dll, plc4.dll, softokn3.dll, nss3.dll ...

Regards
Comment 11 Alexandre Julliard 2014-01-03 13:09:36 UTC
Closing bugs fixed in 1.7.10.

