{"id":24683,"date":"2007-10-26T10:00:00","date_gmt":"2007-10-26T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2007\/10\/26\/if-you-pass-enough-random-numbers-eventually-one-of-them-will-look-valid\/"},"modified":"2007-10-26T10:00:00","modified_gmt":"2007-10-26T10:00:00","slug":"if-you-pass-enough-random-numbers-eventually-one-of-them-will-look-valid","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20071026-00\/?p=24683","title":{"rendered":"If you pass enough random numbers, eventually one of them will look valid"},"content":{"rendered":"

\nOne customer traced a problem they were having to the way they\nwere calling a function similar in spirit to this one:\n<\/p>\n

\nHGLOBAL CopyClipboardData(UINT cf)\n{\n HGLOBAL hglob = NULL;\n HANDLE h = GetClipboardData(cf);\n if (h) {\n  void *p = GlobalLock(h);\n  if (p) {\n   SIZE_T size = GlobalSize(h);\n   hglob = GlobalAlloc(GMEM_FIXED, size);\n   if (hglob) {\n    CopyMemory(hglob, p, size);\n   }\n   GlobalUnlock(h);\n  }\n }\n return hglob;\n}\n<\/pre>\n
\nThis function takes a clipboard format and\nlooks for it on the clipboard.\nIf found, it returns a copy of the data.\n<\/p>\n
\nLooks great, huh?\n<\/p>\n
\nThe problem is that the customer would sometimes call the function as\nCopyClipboardData(CF_BITMAP)<\/code>.\nThe CF_BITMAP<\/code> clipboard format stores its contents in\nthe form of a HBITMAP<\/code>,\nnot an HGLOBAL<\/code>.\n<\/p>\n
\nThe question from the customer:\n<\/p>\n
\nThis code was written in 2002, and we are wondering why it works\n“most” of the time and crashes sporadically.\nWe expected that the call to GlobalLock<\/code> would fail\nwith an invalid parameter error, but sometimes it succeeds,\nand then when we call\nGlobalSize<\/code> we crash.\nWhy does it crash sometimes?\n<\/p><\/blockquote>\n
\nYou already know the answer to this.\n\nGlobalAlloc<\/code> works closely with\nGlobalLock<\/code> so that GlobalLock<\/code> can be fast<\/a>.\nThe bitmap handle returned by GetClipboardData<\/code>\nusually fails the quick tests performed by GlobalLock<\/code>\nto see whether the parameter is a fixed memory block,\nin which case the GlobalLock<\/code> must go down its slow code path,\nand it is in this slow code path that the function recognizes that the\nthe handle is downright invalid.\n<\/p>\n
\nBut once in a rare while, the bitmap handle happens to smell just\nenough like a fixed global handle that it passes the tests,\nand GlobalLock<\/code> uses its highly optimized code path\nwhere it says,\n“Okay, this is one of those fixed global handles that\nGlobalAlloc<\/code> created for me.\nI can just return the pointer back.”\nResult:\nThe call to GlobalLock<\/code> succeeds\n(garbage in, garbage out),\nand then you crash in the GlobalSize<\/code> function\nwhere it tries to use the HBITMAP<\/code> as if it were\na HGLOBAL<\/code> and access some of the memory block metadata,\nwhich isn’t there since the handle isn’t valid after all.\n<\/p>\n
\nThe bitmap handle is basically a random number from the global\nheap’s point of view, since it’s just some number that some other\ncomponent made up.\nIt’s not a global handle.\nIf you generate enough random numbers,\neventually one of them will look like a valid parameter.<\/p>\n","protected":false},"excerpt":{"rendered":"
One customer traced a problem they were having to the way they were calling a function similar in spirit to this one: HGLOBAL CopyClipboardData(UINT cf) { HGLOBAL hglob = NULL; HANDLE h = GetClipboardData(cf); if (h) { void *p = GlobalLock(h); if (p) { SIZE_T size = GlobalSize(h); hglob = GlobalAlloc(GMEM_FIXED, size); if (hglob) { […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-24683","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
One customer traced a problem they were having to the way they were calling a function similar in spirit to this one: HGLOBAL CopyClipboardData(UINT cf) { HGLOBAL hglob = NULL; HANDLE h = GetClipboardData(cf); if (h) { void *p = GlobalLock(h); if (p) { SIZE_T size = GlobalSize(h); hglob = GlobalAlloc(GMEM_FIXED, size); if (hglob) { […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/24683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=24683"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/24683\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=24683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=24683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=24683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}