CComVariant::ReadFromStream() returns Access Denied for stream >1MB

Symptoms

You have developed an application that uses CComVariant::ReadFromStream() to read data from a stream and it returns an Access Denied Error message for stream size > 1 MB.

Cause

Reviewing atlcomcli.h we find that the size has been set here:

#ifndef _ATL_STREAM_MAX_SIZE

#define _ATL_STREAM_MAX_SIZE  0x100000

#endif

and if the size of the stream increases the MAX length it should throw an Access Denied error.

else if (cbStrLen > _ATL_STREAM_MAX_SIZE)

{

          ATLTRACE(atlTraceCOM, 0, _T("String exceeded the maximum allowed size see _ATL_STREAM_MAX_SIZE."));

          hr = E_ACCESSDENIED;

}

Resolution

If you have valid scenario where you are streaming data as BSTR that is larger than the predefined size you can change it. However, if you are using any untrusted code this workaround should not be employed.

One approach would be to override CCOmVariant::ReadFromStream().

Another way is to change _ATL_STREAM_MAX_SIZE itself.

More Information

We are reading from a stream and the stream can be from untrusted source. The MAX value is there to catch any issues with streams that have been manipulated to try the code to allocate huge amount of memory causing DOS attacks.

Inside the Active Template Library (ATL) Security Update

Active Template Library Security Update for Developers

Microsoft Internal Support Information

Steps to reproduce.

Product Bug Number:
Author ID (email alias): prabhatt
Writer ID(email alias): prabhatt
Tech Review ID (email alias): robdil
Confirm Article has been Tech Reviewed: Yes
Confirm Article released for Publishing: Yes
Properties

Article ID: 2831480 - Last Review: Apr 17, 2013 - Revision: 1

Feedback