V750. BSTR string becomes invalid. Notice that BSTR strings store their length before the start of the text.


The analyzer detected that invalid operations are performed on a BSTR string. A pointer of type BSTR must always refer to the first character of the string; if you shift the pointer by even one character, you get an invalid BSTR string.

This means that code like the following is dangerous:

BSTR str = foo();
str++;

'str' can no longer be used as a BSTR string. If you need to skip one character, use the following code instead:

BSTR str = foo();
BSTR newStr = SysAllocString(str + 1);

If you don't need a BSTR string afterwards, rewrite the code in the following way:

BSTR str = foo();
const wchar_t *newStr = str;
newStr++;

Another version:

BSTR str = foo();
const wchar_t *newStr = str + 1;

To see why the value of a BSTR pointer must not be changed, let's look at the article from MSDN.

typedef wchar_t OLECHAR;
typedef OLECHAR * BSTR;

A BSTR (Basic string or binary string) is a string data type that is used by COM, Automation, and Interop functions. Use the BSTR data type in all interfaces that will be accessed from script.

  • Length prefix. A four-byte integer that contains the number of bytes in the following data string. It appears immediately before the first character of the data string. This value does not include the terminating null character.
  • Data string. A string of Unicode characters. May contain multiple embedded null characters.
  • Terminator. Two null characters.

A BSTR is a pointer. The pointer points to the first character of the data string, not to the length prefix.

BSTRs are allocated using COM memory allocation functions, so they can be returned from methods without concern for memory allocation.

The following code is incorrect:

BSTR MyBstr = L"I am a happy BSTR";

This code builds (compiles and links) correctly, but it will not function properly because the string does not have a length prefix. If you use a debugger to examine the memory location of this variable, you will not see a four-byte length prefix preceding the data string.

Instead, use the following code:

BSTR MyBstr = SysAllocString(L"I am a happy BSTR");

A debugger that examines the memory location of this variable will now reveal a length prefix containing the value 34. This is the expected value for a 17-byte single-character string that is converted to a wide-character string through the inclusion of the "L" string modifier. The debugger will also show a two-byte terminating null character (0x0000) that appears after the data string.

If you pass a simple Unicode string as an argument to a COM function that is expecting a BSTR, the COM function will fail.

I hope this excerpt explains clearly enough why a pointer of type BSTR can't simply be changed.

When using code like this:

BSTR str = foo();
str += 3;

the BSTR string becomes invalid. The pointer now refers to the middle of the string instead of its first character, so any attempt to read the length prefix at its negative offset returns a meaningless value: the characters preceding the new pointer position are interpreted as the string length.
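To make the layout concrete, here is an added example (not code from the PVS-Studio page or the Windows API) that models a BSTR in portable C: a 4-byte length prefix, 16-bit characters, and a two-byte terminator. The names bstr_alloc, bstr_len and bstr_free are hypothetical stand-ins for SysAllocString, SysStringLen and SysFreeString, and the sample string is constructed for the demonstration.

```c
/* Added example, not the Windows API: a portable model of the BSTR layout above.
 * bstr_alloc/bstr_len/bstr_free stand in for SysAllocString/SysStringLen/SysFreeString. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef uint16_t OLECHAR;   /* 16-bit, as wchar_t is on Windows */
typedef OLECHAR *BSTR;

static size_t olestrlen(const OLECHAR *s) { size_t n = 0; while (s[n]) n++; return n; }
/* Block: [4-byte length in bytes][data characters][2-byte terminator].
 * The returned pointer addresses the first character, not the prefix. */
BSTR bstr_alloc(const OLECHAR *src) {
    size_t nchars = olestrlen(src);
    uint32_t nbytes = (uint32_t)(nchars * sizeof(OLECHAR));
    unsigned char *block = malloc(sizeof nbytes + nbytes + sizeof(OLECHAR));
    if (!block) return NULL;
    memcpy(block, &nbytes, sizeof nbytes);          /* length prefix */
    BSTR s = (BSTR)(block + sizeof nbytes);
    memcpy(s, src, nbytes);                         /* data string */
    s[nchars] = 0;                                  /* terminator */
    return s;
}

/* Length in characters, read from the 4 bytes before the first character.
 * Given a shifted pointer it reads preceding characters instead (the V750 case). */
uint32_t bstr_len(BSTR s) {
    uint32_t nbytes;
    memcpy(&nbytes, (const unsigned char *)s - sizeof nbytes, sizeof nbytes);
    return nbytes / sizeof(OLECHAR);
}
void bstr_free(BSTR s) { if (s) free((unsigned char *)s - sizeof(uint32_t)); }

/* Constructed sample: "I am a happy BSTR", 17 characters, as 16-bit OLECHARs. */
static const OLECHAR SAMPLE[] = {'I',' ','a','m',' ','a',' ','h','a','p','p','y',' ','B','S','T','R',0};
/* What 'str += 3' produces: the "prefix" is now the characters " a" that precede offset 3. */
uint32_t length_after_bad_shift(void) {
    BSTR str = bstr_alloc(SAMPLE);
    uint32_t bogus = bstr_len(str + 3);
    bstr_free(str);
    return bogus;
}

/* The page's fix: rebuild a proper BSTR from str + 1, as SysAllocString(str + 1) does. */
uint32_t length_after_correct_skip(void) {
    BSTR str = bstr_alloc(SAMPLE), newStr = bstr_alloc(str + 1);
    uint32_t n = bstr_len(newStr);
    bstr_free(newStr); bstr_free(str);
    return n;
}
```

The shifted pointer yields a length in the millions rather than 17, exactly the "random value" the diagnostic describes, while the rebuilt string correctly reports 16 characters.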
