#501 System.dll corrupts the stack with 0 arguments functions

2.0 Series
Amir Szekely
Plugin (101)
Amir Szekely

When a function with no arguments is called, System.dll
incorrectly calculates the number of arguments to push.
Instead of pushing no arguments, it pushes one. When a
stdcall function is called, like every Windows API
function, it is the called function's responsibility to
clear its arguments from the stack. The function does not
clear that extra argument, because it was never supposed
to be there, so the stack is left unbalanced. This causes
CallProc, the function that actually calls the requested
function in System.dll, to restore the registers from the
wrong stack slots, including edi. In the installer code
that calls the plug-in, edi is used to keep the handle to
the loaded plug-in. Because of the corruption, the code
calls FreeLibrary on the wrong handle and fails to unload
System.dll. Because System.dll is still in use, it
cannot be deleted and remains in the temporary folder.
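The following C program is an added illustration of the mechanism described above; it is not System.dll's source and does not reproduce the plug-in's actual parser. It assumes a simplified System::Call-style signature string such as "kernel32::GetTickCount()" (constructed sample inputs), shows the kind of off-by-one argument count that turns "()" into one pushed argument, and models the stdcall contract so the resulting stack imbalance, the reason CallProc restores edi from the wrong slot, is visible as a non-zero leftover.

```c
/* Added illustration, not System.dll's code: reconstructs the
 * argument-counting defect described in this ticket for a
 * simplified System::Call-style signature (constructed inputs). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Copy the text between the parentheses of a call signature into buf.
 * Returns 0 if the signature carries no parenthesised list. */
static int arg_list(const char *sig, char *buf, size_t n) {
    const char *open = strchr(sig, '(');
    const char *close = open ? strchr(open, ')') : NULL;
    if (!open || !close) return 0;
    size_t len = (size_t)(close - open - 1);
    if (len >= n) len = n - 1;
    memcpy(buf, open + 1, len);
    buf[len] = '\0';
    return 1;
}

static int is_blank(const char *s) {
    for (; *s; s++) if (!isspace((unsigned char)*s)) return 0;
    return 1;
}

/* Buggy counter (hypothetical): one plus the number of separators.
 * An empty list "()" therefore yields 1 argument, the defect the
 * ticket describes. Returns -1 when there is no argument list. */
int count_args_buggy(const char *sig) {
    char buf[256];
    if (!arg_list(sig, buf, sizeof buf)) return -1;
    int n = 1;
    for (const char *p = buf; *p; p++) if (*p == ',') n++;
    return n;
}

/* Fixed counter: an empty or whitespace-only list is zero arguments. */
int count_args_fixed(const char *sig) {
    char buf[256];
    if (!arg_list(sig, buf, sizeof buf)) return -1;
    if (is_blank(buf)) return 0;
    int n = 1;
    for (const char *p = buf; *p; p++) if (*p == ',') n++;
    return n;
}

/* Model of the x86 stdcall contract: the caller pushes `pushed` 4-byte
 * slots, the callee's `ret n` pops only the `declared` slots it was
 * compiled for. Returns the bytes left on the stack afterwards; any
 * non-zero value means the saved registers a caller like CallProc
 * later pops (edi included) come from the wrong slots. */
int stdcall_stack_leftover(int pushed, int declared) {
    return (pushed - declared) * 4;
}

int main(void) {
    /* Constructed sample signatures with the callee's real argument count. */
    const char *sigs[] = {
        "kernel32::GetTickCount()",
        "user32::MessageBoxA(i, t, t, i)",
    };
    int declared[] = {0, 4};
    for (int i = 0; i < 2; i++) {
        int b = count_args_buggy(sigs[i]);
        int f = count_args_fixed(sigs[i]);
        printf("%-34s buggy=%d fixed=%d leftover(buggy)=%d leftover(fixed)=%d\n",
               sigs[i], b, f,
               stdcall_stack_leftover(b, declared[i]),
               stdcall_stack_leftover(f, declared[i]));
    }
    return 0;
}
```

The zero-argument case is the only one where the two counters disagree: with arguments present, both produce the same count and the stack balances, which is why the corruption only surfaced for functions such as GetTickCount that take nothing.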

More at:

  • Amir Szekely

    • status: open --> closed-fixed