Re: ActiveX Buffer Overruns

From: Aviram Jenik (aviramat_private)
Date: Sun Oct 03 1999 - 22:52:53 PDT


Hi.

> It
> appears that the ActiveX/OLE/COM technology in general does no buffer
> checks
> before passing parameters to controls, leaving the checking up to the
> control in question.

Huh?!

Buffers passed to a COM object (or ActiveX control: it's the same thing) are
marshaled by the COM subsystem, and their size *has* to be specified. The
object gets a buffer of that specific size, and buffer checks are done all
over the place.
The most common way of passing parameters in ActiveX controls is through
BSTRs, which include the size of the string in their first character.
There's no way to overflow a BSTR. The buffer overflows you discovered arise
from a situation where the programmer extracted the buffer from the BSTR,
and put it into a simple character array of the form: char[256], without
bothering to check if the fixed size of the character array is large enough
to hold the string. The COM architecture has nothing to do with this buffer
overflow (on the contrary: it makes it very difficult for programmers to
create buffer overflows. But I guess some are talented enough to bypass this
difficulty ;-)  )

-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:

- Real programmers think structured programming is a communist
  plot.
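The BSTR-to-char[256] mistake the reply describes, as an added C example that is not from the post or from any real control. The BSTR is simulated (a 4-byte byte count stored just before the UTF-16 data, the layout OleAut32 uses), the `sim_` helpers and `extract_to_fixed` are this example's own names, and the point shown is the length check against the prefix that the overflowing control code leaves out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for a COM BSTR (simulation, not OleAut32): a 32-bit byte count
 * sits immediately before the UTF-16 data, and the BSTR pointer itself
 * points at the first character. Storage must hold 2 + strlen + 1 uint16_t. */
typedef uint16_t *BSTR;

static BSTR sim_SysAllocString(uint16_t *storage, const char *ascii) {
    size_t n = strlen(ascii);
    uint32_t bytes = (uint32_t)(n * sizeof(uint16_t));
    memcpy(storage, &bytes, sizeof bytes);        /* length prefix, in bytes */
    BSTR s = storage + 2;                          /* skip the 4-byte prefix */
    for (size_t i = 0; i < n; i++)
        s[i] = (uint16_t)(unsigned char)ascii[i];
    s[n] = 0;                                      /* BSTRs are NUL-terminated too */
    return s;
}

/* Character count read from the prefix, the way SysStringLen reports it. */
static uint32_t sim_SysStringLen(BSTR s) {
    uint32_t bytes;
    memcpy(&bytes, (const unsigned char *)s - 4, sizeof bytes);
    return bytes / sizeof(uint16_t);
}

/* The pattern the post describes, with the missing check present: copy the
 * BSTR into a fixed char[256]. The overflowing version is this function
 * without the `if` on the prefix; a 300-character argument then writes past
 * `out`. Returns false (and copies nothing) when the string does not fit. */
static bool extract_to_fixed(BSTR s, char out[256]) {
    uint32_t len = sim_SysStringLen(s);
    if (len >= 256)                  /* leave room for the terminator */
        return false;
    for (uint32_t i = 0; i < len; i++)
        out[i] = (char)s[i];         /* narrowing is fine for this ASCII demo */
    out[len] = '\0';
    return true;
}

/* Exercises the check: true iff an n-character ASCII argument (constructed
 * inline) is accepted by extract_to_fixed. */
static bool fits_in_fixed(size_t n) {
    uint16_t storage[2 + 512 + 1];
    char ascii[513], out[256];
    if (n > 512) return false;
    memset(ascii, 'A', n); ascii[n] = '\0';
    return extract_to_fixed(sim_SysAllocString(storage, ascii), out);
}
```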

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:35 PDT