UserCommand Crash in DC++

Bug #706670 reported by iceman50
Affects      Status        Importance   Assigned to   Milestone
DC++         Fix Released  High         Unassigned
StrongDC++   New           Undecided    Unassigned

Bug Description

DC++ crashes on usercommands supplied by FlexHub... tried gdb, but it prints out nothing but a never-ending loop, so here is the MSVC debug output:

> msvcr100d.dll!_expandtime(localeinfo_struct * plocinfo, char specifier, const tm * timeptr, char * * string, unsigned int * left, __lc_time_data * lc_time, unsigned int alternate_form) Line 798 + 0x24 bytes C++
  msvcr100d.dll!_Strftime_l(char * string, unsigned int maxsize, const char * format, const tm * timeptr, void * lc_time_arg, localeinfo_struct * plocinfo) Line 380 + 0x29 bytes C++
  msvcr100d.dll!strftime(char * string, unsigned int maxsize, const char * format, const tm * timeptr) Line 268 + 0x19 bytes C++
  DCPlusPlus.exe!dcpp::Util::formatTime(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & msg, const __int64 t) Line 817 + 0x25 bytes C++
  DCPlusPlus.exe!dcpp::Util::formatParams(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & msg, const std::tr1::unordered_map<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::hash<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::equal_to<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > & params, bool filter) Line 801 + 0x19 bytes C++
  DCPlusPlus.exe!dcpp::AdcHub::sendUserCmd(const dcpp::UserCommand & command, const std::tr1::unordered_map<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::hash<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::equal_to<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > & params) Line 701 + 0x18 bytes C++
  DCPlusPlus.exe!HubFrame::runUserCommand(const dcpp::UserCommand & uc) Line 1232 C++
  DCPlusPlus.exe!std::tr1::_Pmf_caller2<void,HubFrame>::_Call_pmf<void (__thiscall HubFrame::*)(dcpp::UserCommand const &),HubFrame *,std::tr1::reference_wrapper<dcpp::UserCommand const > >(const void * __formal, void (const dcpp::UserCommand &)* _Pm, HubFrame * & _Fx0, std::tr1::reference_wrapper<dcpp::UserCommand const > & _Fx1) Line 43 C++
  DCPlusPlus.exe!std::tr1::_Pmf_caller2<void,HubFrame>::_Apply_pmf<void (__thiscall HubFrame::*)(dcpp::UserCommand const &),HubFrame *,std::tr1::reference_wrapper<dcpp::UserCommand const > >(void (const dcpp::UserCommand &)* _Pm, HubFrame * & _Fx0, std::tr1::reference_wrapper<dcpp::UserCommand const > & _Fx1) Line 52 + 0x2b bytes C++
  DCPlusPlus.exe!std::tr1::_Callable_pmf<void (__thiscall HubFrame::*const)(dcpp::UserCommand const &),HubFrame,0>::_ApplyX<void,HubFrame * &,std::tr1::reference_wrapper<dcpp::UserCommand const > &>(HubFrame * & _Ax0, std::tr1::reference_wrapper<dcpp::UserCommand const > & _Ax1) Line 9 + 0x1c bytes C++
  DCPlusPlus.exe!std::tr1::_Bind2<std::tr1::_Callable_pmf<void (__thiscall HubFrame::*const)(dcpp::UserCommand const &),HubFrame,0>,HubFrame *,std::tr1::reference_wrapper<dcpp::UserCommand const > >::_ApplyX<void,std::tr1::_Nil &,std::tr1::_Nil &,std::tr1::_Nil &,std::tr1::_Nil &,std::tr1::_Nil &,std::tr1::_Nil &,std::tr1::_Nil &,std::tr1::_Nil &,std::tr1::_Nil &,std::tr1::_Nil &>(std::tr1::_Nil & _Bx0, std::tr1::_Nil & _Bx1, std::tr1::_Nil & _Bx2, std::tr1::_Nil & _Bx3, std::tr1::_Nil & _Bx4, std::tr1::_Nil & _Bx5, std::tr1::_Nil & _Bx6, std::tr1::_Nil & _Bx7, std::tr1::_Nil & _Bx8, std::tr1::_Nil & _Bx9) Line 293 C++
  DCPlusPlus.exe!std::tr1::_Bind_base<void,std::tr1::_Bind2<std::tr1::_Callable_pmf<void (__thiscall HubFrame::*const)(dcpp::UserCommand const &),HubFrame,0>,HubFrame *,std::tr1::reference_wrapper<dcpp::UserCommand const > > >::operator()() Line 32 C++
  DCPlusPlus.exe!std::tr1::_Callable_obj<std::tr1::_Bind<void,void,std::tr1::_Bind2<std::tr1::_Callable_pmf<void (__thiscall HubFrame::*const)(dcpp::UserCommand const &),HubFrame,0>,HubFrame *,std::tr1::reference_wrapper<dcpp::UserCommand const > > >,0>::_ApplyX<void>() Line 14 C++
  DCPlusPlus.exe!std::tr1::_Impl_no_alloc0<std::tr1::_Callable_obj<std::tr1::_Bind<void,void,std::tr1::_Bind2<std::tr1::_Callable_pmf<void (__thiscall HubFrame::*const)(dcpp::UserCommand const &),HubFrame,0>,HubFrame *,std::tr1::reference_wrapper<dcpp::UserCommand const > > >,0>,void>::_Do_call() Line 66 C++
  DCPlusPlus.exe!std::tr1::_Function_impl0<void>::operator()() Line 155 C++
  DCPlusPlus.exe!dwt::checkCall(HWND__ * handle, const std::tr1::function<void __cdecl(void)> & f) Line 132 C++
  DCPlusPlus.exe!dwt::`anonymous namespace'::<lambda0>::operator()() Line 136 + 0x19 bytes C++
  DCPlusPlus.exe!std::tr1::_Callable_obj<dwt::`anonymous namespace'::<lambda0>,0>::_ApplyX<void>() Line 14 C++
  DCPlusPlus.exe!std::tr1::_Impl_no_alloc0<std::tr1::_Callable_obj<dwt::`anonymous namespace'::<lambda0>,0>,void>::_Do_call() Line 66 C++
  DCPlusPlus.exe!std::tr1::_Function_impl0<void>::operator()() Line 155 C++
  DCPlusPlus.exe!dwt::Application::dispatchAsync() Line 260 C++
  DCPlusPlus.exe!dwt::Application::dispatch() Line 190 + 0xb bytes C++
  DCPlusPlus.exe!dwt::Application::run() Line 158 + 0x8 bytes C++
  DCPlusPlus.exe!SmartWinMain(dwt::Application & app) Line 156 + 0x8 bytes C++
  DCPlusPlus.exe!WinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, char * lpCmdLine, int nCmdShow) Line 285 + 0xb bytes C++
  DCPlusPlus.exe!__tmainCRTStartup() Line 547 + 0x2c bytes C
  DCPlusPlus.exe!WinMainCRTStartup() Line 371 C
  kernel32.dll!@BaseThreadInitThunk@12() + 0x12 bytes
  ntdll.dll!___RtlUserThreadStart@8() + 0x27 bytes
  ntdll.dll!__RtlUserThreadStart@8() + 0x1b bytes

Toast (swetoast-deactivatedaccount) wrote :

Marked private upon request from iceman50 until someone has some time to peek at it, since there is suspicion that it could be used for exploiting.

visibility: public → private
poy (poy) wrote :

this looks like a dupe of bug 678236; does it also crash with MinGW builds?

eMTee (realprogger) wrote :

Yes, it does. The crash looks like it is because parameters are passed to strftime without any check in Util::formatTime, and as per http://msdn.microsoft.com/en-us/library/ksazx244.aspx the default behavior of the C Runtime when an invalid parameter is found is to crash the program.

A possible solution is in http://msdn.microsoft.com/en-us/library/a9yf33zb.aspx, or maybe a check for parameter validity before calling strftime...

Changed in dcplusplus:
status: New → Confirmed
importance: Undecided → High
eMTee (realprogger) wrote :

There's a working solution in the ApexDC++ source available at http://sourceforge.net/projects/apexdc/files/ApexDC%2B%2B/1.3.9/ApexDC%2B%2B_1.3.9_source.7z/download that may fix other related problems as well...

Big Muscle (bigmuscle) wrote :

I guess it is just this fix from StrongDC++ - http://strongdc.svn.sf.net/viewvc/strongdc/trunk/client/Util.cpp?r1=499&r2=551
It had been in DC++ too but it was removed.

eMTee (realprogger) wrote :

No. Apex's solution is a check for parameter validity and maybe more (not checked thoroughly), and as long as it's reported that the latest StrongDC++ is crashing as well, it seems that defining an empty handler function does not solve the problem. (Or is this code part skipped when compiling with a recent version of MSVC? #if (_MSC_VER == 1400 || _MSC_VER == 1500) It should be 1600 for MSVC 2010, no?)

eMTee (realprogger) wrote :

Ok, the code that takes care of the parameter check and can be found in ApexDC++ is indeed from DC++, and was removed at http://bazaar.launchpad.net/~dcplusplus-team/dcplusplus/trunk/revision/2132
And bm's right, the invalidParameterHandler function was also once in DC++ and was removed even earlier, claiming that it's not needed for MinGW: http://bazaar.launchpad.net/~dcplusplus-team/dcplusplus/trunk/revision/1294

Big Muscle (bigmuscle) wrote :

It's not skipped in VS2010, because the release version uses "#if (_MSC_VER >= 1400)". However, there was a similar problem with an invalid timestamp format in a previous version and it has been fixed by this invalid parameter handler. But it's true that it still raises an assertion hit in debug builds.

poy (poy) wrote :

unfortunately, _set_invalid_parameter_handler is only available in versions of the CRT that MSVC builds link to (msvcr100.dll for ex), but it is not exported by msvcrt.dll, which is the legacy C runtime DLL that MinGW builds link to.

This can be verified by dumping the exports of these DLLs, using e.g. "objdump -x x.dll" (from a MinGW environment) or "dumpbin /EXPORTS x.dll" (from a VS environment).

poy (poy) wrote :

added a simple errno check.

Changed in dcplusplus:
status: Confirmed → Fix Committed
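As an added illustration of the two approaches discussed in this thread (eMTee's suggestion of a validity check on the format string before calling strftime, and poy's fix of treating strftime's failure return as an error instead of relying on the MSVC-only invalid parameter handler), here is a standalone C++ example. It is not DC++'s, StrongDC++'s or ApexDC++'s code; isValidTimeFormat and formatTimeSafe are hypothetical names, and the accepted specifier set is assumed to be the C99 list, which a port would narrow to what its target CRT actually supports.

```cpp
#include <cerrno>
#include <cstring>
#include <ctime>
#include <string>

// Conversion specifiers defined by C99 for strftime (assumed set; narrow it
// to what your target CRT supports). Hub-supplied text containing anything
// else, e.g. "%Q" or a dangling '%', is rejected before it reaches the CRT.
static const char* const kValidSpecifiers = "aAbBcCdDeFgGhHIjmMnprRStTuUVwWxXyYzZ%";

static bool inSet(const char* set, char c) {
    // strchr() would match the terminating NUL, so exclude '\0' explicitly.
    return c != '\0' && std::strchr(set, c) != nullptr;
}

// Returns true if every '%' in fmt introduces a well-formed conversion.
bool isValidTimeFormat(const std::string& fmt) {
    for (std::string::size_type i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        if (++i >= fmt.size()) return false;           // lone trailing '%'
        if (!inSet(kValidSpecifiers, fmt[i])) return false;
    }
    return true;
}

// Formats t (as UTC, so the result is deterministic) with fmt.
// Returns an empty string instead of handing an invalid format to strftime.
// Hypothetical function modelled on the shape of Util::formatTime.
std::string formatTimeSafe(const std::string& fmt, std::time_t t) {
    if (fmt.empty() || !isValidTimeFormat(fmt)) return std::string();
    const std::tm* tmv = std::gmtime(&t);
    if (tmv == nullptr) return std::string();          // t out of range
    char buf[256];
    errno = 0;
    std::size_t n = std::strftime(buf, sizeof(buf), fmt.c_str(), tmv);
    // A zero return is the only portable failure signal: the output did not
    // fit, or (MSVC CRT, when the invalid parameter handler returns) an
    // invalid parameter, which also sets errno to EINVAL.
    if (n == 0) return std::string();
    return std::string(buf, n);
}
```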
poy (poy) wrote :

Fixed in DC++ 0.782.

Changed in dcplusplus:
status: Fix Committed → Fix Released
poy (poy)
visibility: private → public