CComVariant::ReadFromStream() returns Access Denied for stream >1MB
#define _ATL_STREAM_MAX_SIZE 0x100000
and if the size of the stream increases the MAX length it should throw an Access Denied error.
else if (cbStrLen > _ATL_STREAM_MAX_SIZE)
ATLTRACE(atlTraceCOM, 0, _T("String exceeded the maximum allowed size see _ATL_STREAM_MAX_SIZE."));
hr = E_ACCESSDENIED;
If you have valid scenario where you are streaming data as BSTR that is larger than the predefined size you can change it. However, if you are using any untrusted code this workaround should not be employed.
One approach would be to override CCOmVariant::ReadFromStream().
Another way is to change _ATL_STREAM_MAX_SIZE itself.
We are reading from a stream and the stream can be from untrusted source. The MAX value is there to catch any issues with streams that have been manipulated to try the code to allocate huge amount of memory causing DOS attacks.
Article ID: 2831480 - Last Review: 04/17/2013 13:03:00 - Revision: 3.0