Date: Mon, 9 Feb 1998 17:49:45 -0800
From: Scott
To: BUGTRAQ@netspace.org
Subject: Another Windows98 Bug...

I'm not sure about the details of this problem, but when testing another buffer overflow, I created a long filename called "testfile.txt                                                                                                                                                                                                " (note the chr(160)'s at the end). It is 235 characters in length. After creating it on my desktop, I right clicked on it; Explorer crashed saying it caused an illegal operation. The only way I found to close this was by using command.com. I sent this to a friend and he got the same error.

-Scott Campbell (smc@visuallink.com)

-------------------------------------------------------------------------------------

Date: Fri, 12 Feb 1999 17:37:57 -0800
From: Scott
To: BUGTRAQ@netspace.org
Subject: Another Windows98 Bug (Cont'd)

The easiest way to get rid of one of these files with an 'extra long' filename is to drag it to the recycle bin (that seemed to work fine for me).

All I did to create the long filename is right click on the desktop filename, go to 'rename', and copy and paste chr(160) many times until nothing would paste anymore. (Note: this DOES work with other alphanumeric characters. This must just be bad error checking by Microsoft.)

I used Start->Find and located the long file. I clicked once on it to select it, and Find crashed, but Explorer didn't seem to crash (or give me any errors).

Also, I renamed an executable file to give it the same size long filename, leaving the last 3 characters as '.exe'. Explorer didn't crash when I clicked on it, the program ran fine, and the menu didn't come up when I right clicked on it.

Shortcuts do not seem to be affected by it, but I did try another file type with an association (.jpg), and it ran the program associated with it, but wouldn't let me right click on it.
-Scott

-------------------------------------------------------------------------------------

Date: Sat, 13 Feb 1999 03:13:18 +0000
From: Nick Lamb
To: BUGTRAQ@netspace.org
Subject: Re: Another Windows98 Bug...

On Fri, 12 Feb 1999, Jensen Allan AJE wrote:

> It seems to be an Explorer-only bug, as no other application I've tried went
> down.

Every application that uses the Win95-style common file dialog will crash if you try to right-click on the over-length filename.

In addition, I tried the following apps, and as well as confirming the right-click problem I attempted to open the file...

Word 7.0 seemed to ignore my attempt to open the file
PowerPoint 7.0 seemed to ignore my attempt to open the file
Excel 7.0 crashed with a standard crash dialog
Paint Shop Pro 4.12 exited immediately without any messages
Photoshop 4.0 politely said "File Not Found"

The lab test machine claims to be NT 4.00.1381, which may or may not be important for this bug nest.

Nick.

-------------------------------------------------------------------------------------

Date: Sat, 13 Feb 1999 15:51:34 -0500
From: Eric Stevens
To: BUGTRAQ@netspace.org
Subject: Re: Another Windows98 Bug...

I've researched this a bit. The real issue here seems to be that Windows (all versions including, but not limited to, Win 95, 98, NT 4.0 [SP3 & SP4]) apparently only accepts file names up to 218 characters in length. The maximum number of characters you can enter in the little rename file box is 214 bytes. Any file name greater than 218 bytes including extension and dot is truncated without attention paid to the extension in the truncation process.

Example: aaaa.....aaa.txt of length 219 would become aaaa......aaa.tx .

The Windows standard Save File dialog (Common Dialog control: comctl32.ocx) allows the entry of filenames up to apparently 259 bytes, which will promptly be truncated to that 217 byte limit. This truncation is done by the comctl32.ocx control, not the program trying to save the file. The program happily accepts the filename truncated by comctl32.ocx. If this program attempts to append an extension on this filename, you may very well have a real issue.

Character 160 has no bearing on this whatsoever.

At 252 characters, applications receive errors when trying to save files (tested by an application I wrote myself for this purpose).

code:

1 For b = 1 To 300
2   a = Left(Trim(Str(b + 4)) + String(b, "a"), b) + ".txt"
3   Open "c:\test\" + a For Output As #1
4   Close
5 Next

Line 2 declares the filename to be the value of b plus 4 (for the ".txt" on the end) plus the appropriate number of "a"'s on the end. This piece of code does not truncate the file name in any way, just returns a file not found error.

All the files whose length is greater than 217 crash on right click or pushing the delete button. The only way apparently to get rid of these guys very easily is to just drag them to the recycle bin.

Since all the lengths I've reported above don't jive with each other, I suppose the moral of this story is "When deciding how large to make your buffer, tell everyone who's working on developing your OS so they all make it the same." If Microsoft had agreed amongst each other how long to make the file name, this wouldn't be an issue.

-----Original Message-----
>From: Nick Lamb
>To: BUGTRAQ@netspace.org
>Date: Saturday, February 13, 1999 3:04 PM
>Subject: Re: Another Windows98 Bug...
>
>On Fri, 12 Feb 1999, Jensen Allan AJE wrote:
>
>> It seems to be an Explorer-only bug, as no other application I've tried went
>> down.
>
>Every application that uses the Win95-style common file dialog will crash
>if you try to right-click on the over-length filename.
>
>In addition, I tried the following apps and as well as confirming the
>right-click problem I attempted to open the file...
>
>Word 7.0 seemed to ignore my attempt to open the file
>PowerPoint 7.0 seemed to ignore my attempt to open the file
>Excel 7.0 crashed with a standard crash dialog
>Paint Shop Pro 4.12 exited immediately without any messages
>Photoshop 4.0 politely said "File Not Found"
>
>The lab test machine claims to be NT 4.00.1381, which may or may not be
>important for this bug nest.
>
>Nick.
>
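Two points in Eric Stevens' message above lend themselves to a worked example: the dialog truncating a name to a fixed length without regard to the extension (so "...aaa.txt" becomes "...aaa.tx"), and the VB loop that creates files of increasing name length until the OS refuses. The Python below is an added example written for this archive page, not code from any of the thread's authors or from Microsoft. It shows a naive cut beside an extension-preserving one, and a portable re-implementation of the probe loop that runs in a temporary directory and reports the first name length the running filesystem rejects. The limit value (218) and the function names are assumptions chosen for illustration; the number the probe returns depends on the filesystem it runs on (for example NAME_MAX is 255 on most Linux filesystems), not on the Windows figures quoted in the thread.

```python
"""Added example for the BUGTRAQ long-filename thread (not original code).

Demonstrates:
  * naive_truncate      - cut the whole name at `limit`, losing the extension
  * truncate_filename   - shorten only the stem so the extension survives
  * probe_name_length_limit - re-implementation of the VB loop from the
    thread: create files whose names grow one character per iteration and
    return the first length the OS rejects.
"""
import os
import tempfile
from typing import Optional

# Assumed figure, taken from the thread's discussion; real limits vary by
# OS, filesystem and API (Win32 MAX_PATH is 260 for the whole path).
ASSUMED_NAME_LIMIT = 218


def naive_truncate(name: str, limit: int) -> str:
    """The behaviour the thread complains about: chop the tail off the
    whole string, extension included."""
    return name[:limit]


def truncate_filename(name: str, limit: int) -> str:
    """Shorten `name` to at most `limit` characters, keeping its extension.

    The extension is split off first and only the stem is shortened, so a
    consumer that dispatches on the extension still sees the right one.
    If the extension alone would not fit, fall back to a plain cut rather
    than returning an empty stem.
    """
    if limit < 1:
        raise ValueError("limit must be positive")
    if len(name) <= limit:
        return name
    stem, ext = os.path.splitext(name)
    if len(ext) >= limit:
        return name[:limit]
    return stem[: limit - len(ext)] + ext


def probe_name_length_limit(max_len: int = 300) -> Optional[int]:
    """Mirror of the VB loop in the thread, run in a scratch directory.

    For each b in 1..max_len the stem is str(b + 4) padded with 'a' and cut
    to b characters, then '.txt' is appended, so the full name is b + 4
    characters long (the same construction as line 2 of the VB code).
    Returns the first total name length whose creation raised OSError, or
    None if every length up to max_len + 4 succeeded.
    """
    first_failure: Optional[int] = None
    with tempfile.TemporaryDirectory() as scratch:
        for b in range(1, max_len + 1):
            stem = (str(b + 4) + "a" * b)[:b]
            path = os.path.join(scratch, stem + ".txt")
            try:
                with open(path, "w"):
                    pass  # creation is the whole test; the file is empty
            except OSError:
                # Typically errno ENAMETOOLONG; the filesystem, not the
                # application, is enforcing the limit here.
                first_failure = b + 4
                break
    return first_failure


if __name__ == "__main__":
    long_name = "a" * 215 + ".txt"  # 219 characters, the thread's example
    print("naive :", naive_truncate(long_name, ASSUMED_NAME_LIMIT)[-8:])
    print("safe  :", truncate_filename(long_name, ASSUMED_NAME_LIMIT)[-8:])
    print("first rejected name length on this filesystem:",
          probe_name_length_limit())
```

The probe is a harmless way to learn the real per-component limit of whatever filesystem a tool will write to; the safe truncation is what a save routine should do when it has to fit a user-supplied name into a fixed buffer, since the thread's failure mode is a dialog silently handing back ".tx" where the application expected ".txt".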