How to host an IContextMenu, part 6 - Displaying menu help

re: How to host an IContextMenu, part 6 - Displaying menu help

Maxime LABELLE — Tue, 28 Sep 2004 15:36:00 GMT

Raymond,

Your series is absolutely fabulous and very informative. Your writing skills make it look like all you're describing is easy, as in fact we know it's not that simple.

The thing is, this article is probably the first one that practically illustrates what can be thought of as your trademark ; namely the use of helper functions to circumvent bugs in other products.

Very informative, indeed.
Cheers.

re: How to host an IContextMenu, part 6 - Displaying menu help

Jerry Pisk — Tue, 28 Sep 2004 16:06:00 GMT

I'm just wondering - if you go to such lengths supporting third party applications that ignore the API rules, how do you expect your developers to actually follow them? It's like teaching kids - if you keep excusing every time they screw up they won't learn anything.

re: How to host an IContextMenu, part 6 - Displaying menu help

Raymond Chen — Tue, 28 Sep 2004 16:10:00 GMT

Would you rather have a buffer overflow inside Explorer that an attacker can exploit?

re: How to host an IContextMenu, part 6 - Displaying menu help

mschaef — Tue, 28 Sep 2004 16:19:00 GMT

"The shell has lots of strange functions like this. "

This may sound odd, but is there a way to turn off all of the application compatibility special case code during development? I'd rather not inadvertantly be depending on something that was put in for backwards compatibility.

re: How to host an IContextMenu, part 6 - Displaying menu help

Tony Cox [MS] — Tue, 28 Sep 2004 17:18:00 GMT

You can use the AppVerifier (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/appvrfr.mspx) to help you identify some problems.

re: How to host an IContextMenu, part 6 - Displaying menu help

Jerry Pisk — Tue, 28 Sep 2004 17:51:00 GMT

I still have a buffer overflow in Explorer that an attacker can exploit, all he/she needs to is overflow by more than one character. By implementing this "fix" you've just hidden the problem from all developers, including those that would fix their code if they knew it wasn't working.

re: How to host an IContextMenu, part 6 - Displaying menu help

Michael — Tue, 28 Sep 2004 17:48:00 GMT

Jerry - Raymond is implying that there are a lot of legacy context menu handlers that overflow by one character. If an attacker can get explorer to load his context menu handler, he is not going to try to overrun the buffer. He has code running on the box, and your machine is suddenly sending spam and your documents are being uploaded to an FTP server in the other hemisphere.

re: How to host an IContextMenu, part 6 - Displaying menu help

Andy — Tue, 28 Sep 2004 21:20:00 GMT

I've been "playing along at home", and modifying the scratch program with the code that you post each day. I think there might be a problem with today's code, though - where is g_pcm defined? I assume that's defined similar to how g_pcm2 and g_pcm3 were defined yesterday, and modified OnContextMenu() to use the global instead of the local. That seems to work - is that what you intended?

re: How to host an IContextMenu, part 6 - Displaying menu help

James — Tue, 28 Sep 2004 22:45:00 GMT

Using security as the example was a bad idea, but separately it seems to me that there are only three options:
1) Pass in an exact-length buffer and never do otherwise... after all, programmers should write bug-free software! Break ImportantBusinessApp v0.9 in the next upgrade.
2) Pass in an exact-length buffer and then test and fix it in the next release, when suddenly it matters due to other changes in the caller.
3) Pass in a larger buffer to start with. Sometimes, life's a bore.

I guess there's also option four: pass in a larger buffer to start with, attempt to check for the mistake, and do something obvious to coax the programmer into fixing his code. I'm not sure how well this works when the shell is acting as a client to a COM component, and control has left the COM component before the problem can be detected.

re: How to host an IContextMenu, part 6 - Displaying menu help

tom — Tue, 28 Sep 2004 23:10:00 GMT

Raymond, did you mean to compare the pszAnsi using L?

re: How to host an IContextMenu, part 6 - Displaying menu help

Ben Hutchings — Wed, 29 Sep 2004 10:49:00 GMT

SQL Server has a bunch of bugs in its ODBC driver where it interprets a length that the ODBC documentation says is a number of bytes as a number of characters. This doesn't work very well when you call the Unicode versions of the affected functions - it results in spectacular buffer overflows. So instead of allocating a double-length buffer in Unicode builds I have to allocate a quadruple-length buffer and say it's only double-length. I can pass on the details if it'll help.

Also MLang's Conversion class has some small buffer overflow bugs.

I can pass details to anyone at Microsoft who can actually do something about these rather than telling me the workarounds I already figured out.

Shell Extensibility in Longhorn

notgartner.com: Mitch Denny's Blog — Wed, 13 Oct 2004 16:29:00 GMT

IContextMenu のホスト方法 - Shell

社本＠ワック Blog — Wed, 22 Mar 2006 20:33:25 GMT

IContextMenu のホスト方法 - Shell

The forgotten common controls: The MenuHelp function

The Old New Thing — Thu, 08 Jun 2006 17:00:24 GMT

It doesn't really help much.