Bugtraq mailing list archives

Re: ActiveX Buffer Overruns


From: aviram () JENIK COM (Aviram Jenik)
Date: Mon, 4 Oct 1999 07:52:53 +0200


Hi.

> It appears that the ActiveX/OLE/COM technology in general does no buffer
> checks before passing parameters to controls, leaving the checking up to
> the control in question.

Huh?!

Buffers passed to a COM object (or ActiveX control: it's the same thing) are
marshaled by the COM subsystem, and their size *has* to be specified. The
object gets a buffer of that specific size, and buffer checks are done all
over the place.
The most common way of passing parameters in ActiveX controls is through
BSTRs, which include the size of the string in their first character.
There's no way to overflow a BSTR. The buffer overflows you discovered arise
from a situation where the programmer extracted the buffer from the BSTR,
and put it into a simple character array of the form: char[256], without
bothering to check if the fixed size of the character array is large enough
to hold the string. The COM architecture has nothing to do with this buffer
overflow (on the contrary: it makes it very difficult for programmers to
create buffer overflows. But I guess some are talented enough to bypass this
difficulty ;-)  )

-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:

- Real programmers think structured programming is a communist
  plot.


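The two patterns the post contrasts, as an added example that is not part of the original message: a method body that pulls a marshaled BSTR into a fixed `char[256]` and trusts only the terminator, next to one that takes the length from the BSTR's prefix and refuses input that will not fit. The BSTR stand-in (`bstr_from_bytes`, `bstr_len`, `bstr_free`) is an assumption made so the code compiles without Windows headers; it models the length prefix as a 32-bit byte count stored immediately before the character data, which is what `SysStringLen` reads on a real BSTR. Both method functions are hypothetical and stand in for a control's COM method.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a COM BSTR (assumption: 32-bit byte-length prefix directly
 * before the 16-bit character data, followed by a terminating 0 code unit).
 * The real API is SysAllocStringLen / SysStringLen from oleauto.h; these
 * helpers exist only so the example runs without Windows headers. */
typedef uint16_t olechar_t;
typedef olechar_t *bstr_t;

static bstr_t bstr_from_bytes(const char *bytes, uint32_t n) {
    uint32_t *block = malloc(sizeof(uint32_t) + ((size_t)n + 1) * sizeof(olechar_t));
    if (!block) abort();
    block[0] = n * (uint32_t)sizeof(olechar_t);   /* byte length, not character count */
    olechar_t *s = (olechar_t *)(block + 1);
    for (uint32_t i = 0; i < n; i++) s[i] = (olechar_t)(unsigned char)bytes[i];
    s[n] = 0;
    return s;
}

static uint32_t bstr_len(bstr_t s) {              /* character count, like SysStringLen() */
    return ((const uint32_t *)s)[-1] / (uint32_t)sizeof(olechar_t);
}

static void bstr_free(bstr_t s) { free(((uint32_t *)s) - 1); }

/* The pattern the post describes: the marshaled BSTR is copied into a fixed
 * 256-byte narrow array with no check of i against sizeof buf. With 256 or
 * more characters this writes past buf; that is undefined behaviour, so the
 * demo below only ever calls it with input that fits. */
int method_vulnerable(bstr_t arg) {
    char buf[256];
    size_t i = 0;
    while (arg[i] != 0) {          /* stops at the first 0, ignores the length prefix */
        buf[i] = (char)arg[i];
        i++;
    }
    buf[i] = 0;
    return (int)strlen(buf);
}

/* Hardened form: use the length COM marshaled along with the string and
 * reject anything that will not fit (a real COM method would return
 * E_INVALIDARG). Returns the number of characters copied, or -1. */
int method_hardened(bstr_t arg) {
    char buf[256];
    uint32_t n = bstr_len(arg);
    if (n >= sizeof buf) return -1;    /* keep room for the terminator */
    for (uint32_t i = 0; i < n; i++) buf[i] = (char)arg[i];
    buf[n] = 0;
    return (int)n;
}

/* Run a method on a constructed BSTR built from n raw bytes. */
int run_on(int (*method)(bstr_t), const char *bytes, uint32_t n) {
    bstr_t s = bstr_from_bytes(bytes, n);
    int r = method(s);
    bstr_free(s);
    return r;
}

/* Run a method on a constructed BSTR of n copies of 'A'. */
int run_with_length(int (*method)(bstr_t), uint32_t n) {
    char *tmp = malloc(n ? n : 1);
    if (!tmp) abort();
    memset(tmp, 'A', n);
    int r = run_on(method, tmp, n);
    free(tmp);
    return r;
}

int main(void) {
    printf("hardened, 255 chars:   %d\n", run_with_length(method_hardened, 255));   /* 255 */
    printf("hardened, 256 chars:   %d\n", run_with_length(method_hardened, 256));   /* -1  */
    printf("vulnerable, 255 chars: %d\n", run_with_length(method_vulnerable, 255)); /* 255 */
    /* A BSTR may carry embedded 0 code units; only the prefix sees all of it. */
    printf("hardened, \"ab\\0cd\":    %d\n", run_on(method_hardened, "ab\0cd", 5));   /* 5 */
    printf("vulnerable, \"ab\\0cd\":  %d\n", run_on(method_vulnerable, "ab\0cd", 5)); /* 2 */
    /* run_with_length(method_vulnerable, 300) would smash the stack; not called. */
    return 0;
}
```

The point of the pair is the one the post makes: the size is already there, placed by the marshaler, and the overflow only exists because the control's own code copies into a fixed array without consulting it. The embedded-0 case is a second reason to read the prefix rather than scan for a terminator.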