{"id":28623,"date":"2006-12-22T10:00:00","date_gmt":"2006-12-22T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2006\/12\/22\/the-evolution-of-version-resources-corrupted-32-bit-version-resources\/"},"modified":"2006-12-22T10:00:00","modified_gmt":"2006-12-22T10:00:00","slug":"the-evolution-of-version-resources-corrupted-32-bit-version-resources","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20061222-00\/?p=28623","title":{"rendered":"The evolution of version resources – corrupted 32-bit version resources"},"content":{"rendered":"

\n\nLast time we looked at the format of 32-bit version resources<\/a>,\nbut I ended with the remark that what you saw purported to be\nthe resources of shell32.dll<\/code> but actually weren’t.\nWhat’s going on here?\n<\/p>\n

\nThe resources I presented last time were what the resources\nof shell32.dll<\/code> should have been<\/strong>,\nbut in fact they aren’t.\n<\/p>\n

\nA common mistake in generating 32-bit resources is to mistreat\nthe cbData<\/code> field of the structure I called a\nVERSIONNODE<\/code> as a count of characters<\/strong>\nrather than a count of bytes if the type is Unicode text.\nEven Microsoft’s own Resource Compiler has fallen into this trap!\nFor example, consider this VERSIONNODE<\/code> I presented last time:\n<\/p>\n

\n0098  4C 00         \/\/ cbNode (node ends at 0x0088 + 0x004C = 0x00D40)\n009A  2C 00         \/\/ cbData\n009C  01 00         \/\/ wType = 1 (string data)\n009E  43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00\n      61 00 6D 00 65 00 00 00\n                    \/\/ L\"CompanyName\" + null terminator\n00B6  00 00         \/\/ padding to restore alignment\n00B8  4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00\n      74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00\n      61 00 74 00 69 00 6F 00 6E 00 00 00\n                    \/\/ L\"Microsoft Corporation\" + null terminator\n00E4                \/\/ no padding needed\n<\/pre>\n
\nIn real life, the data take the following form:\n<\/p>\n
\n0098  4C 00         \/\/ cbNode (node ends at 0x0088 + 0x004C = 0x00D40)\n009A  16<\/font> 00         \/\/ cchData (!)<\/font>\n009C  01 00         \/\/ wType = 1 (string data)\n...\n<\/pre>\n
\nThese malformed version resources manage to get away without\ncrashing too horribly because the standard format of version resources\nuses string data only in leaf nodes.\nTherefore, the incorrect cbData<\/code> affects only the\nnode itself and doesn’t cause the child nodes to be parsed\nincorrectly (since there are no child nodes).\n<\/p>\n
\nUntil somebody tries to read, say,\n\\StringFileInfo\\040904B0\\CompanyName\\oops<\/code>.\nAfter the VerQueryValue<\/code> function locates\nthe VERSIONNODE<\/code> corresponding to CompanyName<\/code>,\nit tries to locate the first child node and, due to the incorrect\ncbData<\/code>, ends up misinterpreting the middle of the\nstring as if it were the start of a child VERSIONNODE<\/code>.\nThings only go downhill from there.\n<\/p>\n
\nThey’re just lucky that nobody actually asks for that.\n<\/p>\n
\nBut wait, there’s more.\nSomebody who calls\nthe VerQueryValueA<\/code> function expects to have the\nversion string returned as ANSI, so VerQueryValueA<\/code>\nneeds to know how many characters to convert from Unicode to ANSI.\nIf VerQueryValue<\/code> trusted the erroneous cbData<\/code>\nvalue, then ANSI callers would get only half the data they were expecting.\n<\/p>\n
\nAs a result of this mess, the VerQueryValue<\/code> function\nkeeps its eyes open and anticipates that the version resource it\nwas given to parse may have been generated by one of these buggy\nversion resource compilers and goes to some extra effort to accommodate\nthose bugs.<\/p>\n","protected":false},"excerpt":{"rendered":"
Last time we looked at the format of 32-bit version resources, but I ended with the remark that what you saw purported to be the resources of shell32.dll but actually weren’t. What’s going on here? The resources I presented last time were what the resources of shell32.dll should have been, but in fact they aren’t. […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2],"class_list":["post-28623","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-history"],"acf":[],"blog_post_summary":"
Last time we looked at the format of 32-bit version resources, but I ended with the remark that what you saw purported to be the resources of shell32.dll but actually weren’t. What’s going on here? The resources I presented last time were what the resources of shell32.dll should have been, but in fact they aren’t. […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/28623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=28623"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/28623\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=28623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=28623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=28623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}