I'm debugging a file parser (Win32). Every time it crashes at the same position when I feed it a certain file. I don't have access to the source code of that application. I tried to analyze the root cause of the crash; it seems to be some kind of array out-of-bounds read error, but I'm not sure whether any memory is getting corrupted inside it. I've used ADPlus for the crash dump, and below I've added the mini dump and ADPlus log.
https://dl.dropboxusercontent.com/u/107519001/MINIDUMP_FirstChance_av_AccessViolation_FileParser.exe__0e04_2013-10-25_20-26-29-893_084c.dmp
&
https://dl.dropboxusercontent.com/u/107519001/ADPlus_log_0e04_2013-10-25_20-26-18-707.log
Debugging Information:
https://dl.dropboxusercontent.com/u/107519001/vc90.pdb
Can anybody please assist me in getting to the root cause of the access violation crash?
Thanks in advance.
FileParser reads binary data from inline1.exe and expects to see valid offsets and structure layout, but instead an access violation occurs. The binary has no valid header layout etc. Maybe the binary is compressed or encrypted.
Manual stack reconstruction:
0:000> kn =0012f674 0012f674 004071f1
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012f674 73dd1eb6 FileParser+0x71f1
01 0012f6ec 73dd1b9b mfc42!CWnd::OnWndMsg+0x2f4
02 0012f70c 73dd1b05 mfc42!CWnd::WindowProc+0x24
03 0012f76c 73dd2c9c mfc42!AfxCallWndProc+0x91
04 0012f790 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x36
05 0012f7b8 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x6a
06 0012f7e0 73ddca6f mfc42!CWnd::SendMessageToDescendants+0x6a
07 0012f808 73ddca0a mfc42!CFrameWnd::InitialUpdateFrame+0x5d
08 0012f814 73de3bd2 mfc42!CDocTemplate::InitialUpdateFrame+0x11
09 0012f844 73de13cf mfc42!CMultiDocTemplate::OpenDocumentFile+0x101
0a 0012fb78 73e3929c mfc42!CDocManager::OpenDocumentFile+0x14c
0b 0012fca0 73dd1fd3 mfc42!CFrameWnd::OnDropFiles+0x76
0c 0012fd1c 73dd1b9b mfc42!CWnd::OnWndMsg+0x411
0d 0012fd3c 73dd1b05 mfc42!CWnd::WindowProc+0x24
0e 0012fd9c 73dd1a58 mfc42!AfxCallWndProc+0x91
0f 0012fdbc 73e6847d mfc42!AfxWndProc+0x36
10 0012fde8 77d48709 mfc42!AfxWndProcBase+0x39
11 0012fe14 77d487eb user32!InternalCallWinProc+0x28
12 0012fe7c 77d489a5 user32!UserCallWinProcCheckWow+0x150
13 0012fedc 77d4bccc user32!DispatchMessageWorker+0x306
14 0012feec 73dd125a user32!DispatchMessageA+0xf
15 0012fefc 73ddb55f mfc42!CWinThread::PumpMessage+0x3c
16 0012ff14 73ddcf95 mfc42!CWinThread::Run+0x48
17 0012ff24 00409472 mfc42!AfxWinMain+0x6a
18 0012ffc0 7c816d4f FileParser+0x9472
19 0012fff0 00000000 kernel32!BaseProcessStart+0x23
Unassemble from FileParser+0x71f1 until FileParser+0x7212, where the access violation occurs:
004071ec e8e71b0000 call FileParser+0x8dd8 (00408dd8)
004071f1 84db test bl,bl
004071f3 0f846f050000 je FileParser+0x7768 (00407768)
004071f9 8b442414 mov eax,dword ptr [esp+14h] *Base address of inline1.exe binary
004071fd 8b483c mov ecx,dword ptr [eax+3Ch] *must be offset at _IMAGE_NT_HEADERS
00407200 8b5c0178 mov ebx,dword ptr [ecx+eax+78h] *must be _IMAGE_DATA_DIRECTORY
00407204 8d4c0118 lea ecx,[ecx+eax+18h] *must be _IMAGE_OPTIONAL_HEADER
00407208 03d8 add ebx,eax *must be VA _IMAGE_DATA_DIRECTORY
0040720a 8d4c2418 lea ecx,[esp+18h] *
0040720e 895c2434 mov dword ptr [esp+34h],ebx *
00407212 8b530c mov edx,dword ptr [ebx+0Ch] *Access violation here
The access violation occurs because ebx points to 3fb80000 instead of somewhere inside the binary, which spans from b80000 up to ImageSize 00006000.
The base address that inline1.exe loads at is in the eax register: mov eax,dword ptr [esp+14h]
0:000> dps esp+14 L1
0012f510 00b80000 inline1
0:000> lmvm inline1
start end module name
00b80000 00b86000 inline1 T (no symbols)
Loaded symbol image file: inline1.exe
Image path: C:\Documents and Settings\debasish mandal\Desktop\inline1.exe
Image name: inline1.exe
Timestamp: Sat Sep 28 21:27:18 2013 (52471176)
CheckSum: 00011C84
ImageSize: 00006000
File version: 0.0.0.0
Product version: 0.0.0.0
File flags: 0 (Mask 0)
File OS: 0 Unknown Base
File type: 0.0 Unknown
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
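A bounds-checked version of the same header walk the disassembly above performs (e_lfanew at +0x3C, then the export data directory at NT headers + 0x78), as an added example that is not code from the question, the answer or FileParser itself; rd32, export_dir_rva and the constructed sample images are assumed names, and a little-endian host is assumed as in the original.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Read a 32-bit value at `off`, refusing any offset outside the buffer. */
static int rd32(const uint8_t *img, size_t size, size_t off, uint32_t *out) {
    if (off > size || size - off < 4) return 0;
    memcpy(out, img + off, 4);
    return 1;
}

/* Return the export directory RVA, or 0 if any offset on the way leaves the
   image. The crashing code does the same walk without the checks: with a
   directory RVA of 0x3f000000 and a base of 0xb80000 it dereferences
   0x3fb80000, far outside an image of size 0x6000. */
uint32_t export_dir_rva(const uint8_t *img, size_t size) {
    uint32_t e_lfanew, sig, dd_rva, dd_size;
    if (size < 2 || img[0] != 'M' || img[1] != 'Z') return 0;
    if (!rd32(img, size, 0x3C, &e_lfanew)) return 0;
    if (!rd32(img, size, e_lfanew, &sig) || sig != 0x00004550) return 0; /* "PE\0\0" */
    /* NT headers + 0x78 = OptionalHeader (+0x18) + DataDirectory[0] (+0x60) for PE32 */
    if (!rd32(img, size, (size_t)e_lfanew + 0x78, &dd_rva)) return 0;
    if (!rd32(img, size, (size_t)e_lfanew + 0x7C, &dd_size)) return 0;
    if (dd_rva == 0 || dd_rva > size || size - dd_rva < dd_size) return 0;
    if (size - dd_rva < 0x28) return 0; /* IMAGE_EXPORT_DIRECTORY is 40 bytes */
    return dd_rva;
}

/* Constructed 0x200-byte sample image: MZ, e_lfanew = 0x80, "PE\0\0",
   export directory of size 0x28 at the RVA given by the caller. */
static void build_image(uint8_t *img, uint32_t dd_rva) {
    uint32_t e_lfanew = 0x80, sig = 0x00004550, dd_size = 0x28;
    memset(img, 0, 0x200);
    img[0] = 'M'; img[1] = 'Z';
    memcpy(img + 0x3C, &e_lfanew, 4);
    memcpy(img + 0x80, &sig, 4);
    memcpy(img + 0x80 + 0x78, &dd_rva, 4);
    memcpy(img + 0x80 + 0x7C, &dd_size, 4);
}

/* Well-formed sample: directory inside the image. */
uint32_t demo_valid(void)   { uint8_t i[0x200]; build_image(i, 0x100);      return export_dir_rva(i, sizeof i); }
/* Directory RVA like the one in the crash: points far outside the image. */
uint32_t demo_bad_rva(void) { uint8_t i[0x200]; build_image(i, 0x3f000000); return export_dir_rva(i, sizeof i); }
/* No "PE\0\0" signature at e_lfanew, as with a compressed or encrypted blob. */
uint32_t demo_not_pe(void)  { uint8_t i[0x200]; build_image(i, 0x100); i[0x80] = 'X'; return export_dir_rva(i, sizeof i); }
```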