uiautomationcore!MessageBuilder::WriteEventArgs has bug???

Question
-
Can somebody review the code of the function uiautomationcore!MessageBuilder::WriteEventArgs?
DLL version as below:
Loaded symbol image file: uiautomationcore.dll
Image path: C:\Windows\System32\uiautomationcore.dll
Image name: uiautomationcore.dll
Timestamp: Tue Jul 14 09:10:53 2009 (4A5BDB1D)
CheckSum: 0009856F
ImageSize: 0008C000
File version: 7.0.0.0
Product version: 6.1.7600.16385
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: UIAutomationCore.dll
OriginalFilename: UIAutomationCore.dll
ProductVersion: 6.1.7600.16385
FileVersion: 7.0.0.0 (win7_rtm.090713-1255)
FileDescription: Microsoft UI Automation Core
LegalCopyright: © Microsoft Corporation. All rights reserved.
I disassembled this function and found a bug.
HRESULT MessageBuilder::WriteEventArgs(struct xxx* p1, unsigned int p2)
{
    MessageBuilder* pThis = this;
    HRESULT hr;
    unsigned int type = [p1+0];    // seems param count... (the EventArgsType enum, see the default case)

    hr = this->WriteByte(type);
    if ( FAILED(hr) ) return hr;

    hr = this->WriteAutomationId([p1+4], 2);
    if ( FAILED(hr) ) return hr;

    switch ( type ) {
    case 0: {
        // do nothing
        hr = S_OK;
    } break;
    case 1: {
        hr = this->WriteAutomationId([p1+8], 0);
        if ( FAILED(hr) ) break;
        hr = this->WriteObj(16 bytes at [p1+10h], p2);   // 16-byte struct copied onto the stack, p2 pushed first
        if ( FAILED(hr) ) break;
        hr = this->WriteObj(16 bytes at [p1+20h], p2);
    } break;
    case 2: {
        hr = this->WriteByte([p1+8]);
        if ( FAILED(hr) ) break;
        hr = this->WriteIntArray([p1+0Ch], [p1+10h]);
    } break;
    case 3: {
        hr = this->WriteByte([p1+8]);
        if ( FAILED(hr) ) break;
        hr = this->WriteDouble(qword at [p1+10h]);        // fld qword ptr [ebx+10h]: already a double
    } break;
    case 4: {
        hr = this->WriteIntArray([p1+8], [p1+0Ch]);
    } break;
    default: {
        Error::ProtocolError(L"Recived invalid enum for EventArgsType");
        // hr is not assigned on this path: the code jumps straight to the epilogue,
        // so eax holds whatever Error::ProtocolError left in it
    } break;
    }
    return hr;
}
When type is not in [0-4], the return value is undefined. Maybe I'm wrong, but can anybody verify this? Thanks in advance.
Assembly code:
uf uiautomationcore!MessageBuilder::WriteEventArgs
uiautomationcore!MessageBuilder::WriteEventArgs:
63ad1fe5 8bff mov edi,edi
63ad1fe7 55 push ebp
63ad1fe8 8bec mov ebp,esp
63ad1fea 51 push ecx
63ad1feb 53 push ebx
63ad1fec 8b5d08 mov ebx,dword ptr [ebp+8]
63ad1fef 56 push esi
63ad1ff0 57 push edi
63ad1ff1 ff33 push dword ptr [ebx]
63ad1ff3 8bf1 mov esi,ecx
63ad1ff5 8975fc mov dword ptr [ebp-4],esi
63ad1ff8 e803ebffff call uiautomationcore!MessageBuilder::WriteByte (63ad0b00)
63ad1ffd 85c0 test eax,eax
63ad1fff 7c78 jl uiautomationcore!MessageBuilder::WriteEventArgs+0x94 (63ad2079) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x1c:
63ad2001 8b4304 mov eax,dword ptr [ebx+4]
63ad2004 6a02 push 2
63ad2006 50 push eax
63ad2007 8bce mov ecx,esi
63ad2009 e8d9edffff call uiautomationcore!MessageBuilder::WriteAutomationId (63ad0de7)
63ad200e 85c0 test eax,eax
63ad2010 7c67 jl uiautomationcore!MessageBuilder::WriteEventArgs+0x94 (63ad2079) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x2d:
63ad2012 8b03 mov eax,dword ptr [ebx]
63ad2014 83e800 sub eax,0
63ad2017 745e je uiautomationcore!MessageBuilder::WriteEventArgs+0x92 (63ad2077) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x34:
63ad2019 48 dec eax
63ad201a 7464 je uiautomationcore!MessageBuilder::WriteEventArgs+0x9b (63ad2080) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x37:
63ad201c 48 dec eax
63ad201d 7439 je uiautomationcore!MessageBuilder::WriteEventArgs+0x73 (63ad2058) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x3a:
63ad201f 48 dec eax
63ad2020 7417 je uiautomationcore!MessageBuilder::WriteEventArgs+0x54 (63ad2039) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x3d:
63ad2022 48 dec eax
63ad2023 740c je uiautomationcore!MessageBuilder::WriteEventArgs+0x4c (63ad2031) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x40:
63ad2025 6838a6aa63 push offset uiautomationcore!`string' (63aaa638)
63ad202a e85dfbfeff call uiautomationcore!Error::ProtocolError (63ac1b8c)
63ad202f eb48 jmp uiautomationcore!MessageBuilder::WriteEventArgs+0x94 (63ad2079) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x4c:
63ad2031 ff730c push dword ptr [ebx+0Ch]
63ad2034 ff7308 push dword ptr [ebx+8]
63ad2037 eb33 jmp uiautomationcore!MessageBuilder::WriteEventArgs+0x87 (63ad206c) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x54:
63ad2039 ff7308 push dword ptr [ebx+8]
63ad203c 8bce mov ecx,esi
63ad203e e8bdeaffff call uiautomationcore!MessageBuilder::WriteByte (63ad0b00)
63ad2043 85c0 test eax,eax
63ad2045 7c32 jl uiautomationcore!MessageBuilder::WriteEventArgs+0x94 (63ad2079) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x62:
63ad2047 dd4310 fld qword ptr [ebx+10h]
63ad204a 51 push ecx
63ad204b 51 push ecx
63ad204c 8bce mov ecx,esi
63ad204e dd1c24 fstp qword ptr [esp]
63ad2051 e8dceaffff call uiautomationcore!MessageBuilder::WriteDouble (63ad0b32)
63ad2056 eb1b jmp uiautomationcore!MessageBuilder::WriteEventArgs+0x8e (63ad2073) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x73:
63ad2058 ff7308 push dword ptr [ebx+8]
63ad205b 8bce mov ecx,esi
63ad205d e89eeaffff call uiautomationcore!MessageBuilder::WriteByte (63ad0b00)
63ad2062 85c0 test eax,eax
63ad2064 7c13 jl uiautomationcore!MessageBuilder::WriteEventArgs+0x94 (63ad2079) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x81:
63ad2066 ff7310 push dword ptr [ebx+10h]
63ad2069 ff730c push dword ptr [ebx+0Ch]

uiautomationcore!MessageBuilder::WriteEventArgs+0x87:
63ad206c 8bce mov ecx,esi
63ad206e e8b4ebffff call uiautomationcore!MessageBuilder::WriteIntArray (63ad0c27)

uiautomationcore!MessageBuilder::WriteEventArgs+0x8e:
63ad2073 85c0 test eax,eax
63ad2075 7c02 jl uiautomationcore!MessageBuilder::WriteEventArgs+0x94 (63ad2079) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0x92:
63ad2077 33c0 xor eax,eax

uiautomationcore!MessageBuilder::WriteEventArgs+0x94:
63ad2079 5f pop edi
63ad207a 5e pop esi
63ad207b 5b pop ebx
63ad207c c9 leave
63ad207d c20800 ret 8

uiautomationcore!MessageBuilder::WriteEventArgs+0x9b:
63ad2080 8b4308 mov eax,dword ptr [ebx+8]
63ad2083 6a00 push 0
63ad2085 50 push eax
63ad2086 8bce mov ecx,esi
63ad2088 e85aedffff call uiautomationcore!MessageBuilder::WriteAutomationId (63ad0de7)
63ad208d 85c0 test eax,eax
63ad208f 7ce8 jl uiautomationcore!MessageBuilder::WriteEventArgs+0x94 (63ad2079) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0xac:
63ad2091 ff750c push dword ptr [ebp+0Ch]
63ad2094 8b4dfc mov ecx,dword ptr [ebp-4]
63ad2097 83ec10 sub esp,10h
63ad209a 8bfc mov edi,esp
63ad209c 8d7310 lea esi,[ebx+10h]
63ad209f a5 movs dword ptr es:[edi],dword ptr [esi]
63ad20a0 a5 movs dword ptr es:[edi],dword ptr [esi]
63ad20a1 a5 movs dword ptr es:[edi],dword ptr [esi]
63ad20a2 a5 movs dword ptr es:[edi],dword ptr [esi]
63ad20a3 e86efaffff call uiautomationcore!MessageBuilder::WriteObj (63ad1b16)
63ad20a8 85c0 test eax,eax
63ad20aa 7ccd jl uiautomationcore!MessageBuilder::WriteEventArgs+0x94 (63ad2079) Branch

uiautomationcore!MessageBuilder::WriteEventArgs+0xc7:
63ad20ac ff750c push dword ptr [ebp+0Ch]
63ad20af 8b4dfc mov ecx,dword ptr [ebp-4]
63ad20b2 83ec10 sub esp,10h
63ad20b5 8bfc mov edi,esp
63ad20b7 8d7320 lea esi,[ebx+20h]
63ad20ba a5 movs dword ptr es:[edi],dword ptr [esi]
63ad20bb a5 movs dword ptr es:[edi],dword ptr [esi]
63ad20bc a5 movs dword ptr es:[edi],dword ptr [esi]
63ad20bd a5 movs dword ptr es:[edi],dword ptr [esi]
63ad20be e853faffff call uiautomationcore!MessageBuilder::WriteObj (63ad1b16)
63ad20c3 ebae jmp uiautomationcore!MessageBuilder::WriteEventArgs+0x8e (63ad2073) Branch
- Edited by DianDianDie, 15 December 2016, 3:55
Answer
-
>>Below is the assembly at the call site of WriteEventArgs. If that function's return value is wrong, the code after it should be affected too; I haven't looked at what the concrete effect is yet! I just feel the handling inside this function isn't thorough enough!
hr = this->WriteByte(type); if ( FAILED(hr) ) return hr;
Looking at this code, if the type is outside the range 0-4, the returned hr should be S_OK. It is like Case 0, just with error handling added. It should have no effect. What exactly Error::ProtocolError does can't be seen yet. It may throw an exception, or it may simply log the error. You would need to look at the function definition to know.
Best Regards,
Sera Yu, MSDN Community Support
Please remember to click "Mark as Answer" on the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
- Marked as answer by DianDianDie, 15 December 2016, 10:08
All replies
-
Hi DianDianDie,
Thanks for posting on the MSDN forum.
>>when type is not in [0-4], return value is undefined. maybe I'm wrong, but can anybody verify this ? thanks in advance.
This forum is a Chinese forum. If your mother tongue is English, please post on this forum:
https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=vcgeneral
In my opinion, the return value is not undefined. Before it returns, it will be set to the result of WriteAutomationId. And if the type is not in [0-4], there will be an Error::ProtocolError, which means the response received from the server was complete but indicated a protocol-level error. So this is not a bug.
Hope this helps you.
Best Regards,
Sera Yu, MSDN Community Support
-
Hi, Sera Yu!
Thanks very much for the reply!
I looked at the assembly of uiautomationcore!Error::ProtocolError, and it doesn't seem to do anything special; it just records the error! My reversing skills are limited, so maybe I overlooked something?
Below is the assembly at the call site of WriteEventArgs. If that function's return value is wrong, the code after it should be affected too; I haven't looked at what the concrete effect is yet! I just feel the handling inside this function isn't thorough enough!
uiautomationcore!RemoteEventCallbackProxy::CrossProcess_OnEvent+0x8c:
63ac3a58 ff760c push dword ptr [esi+0Ch]
63ac3a5b 8d8de8efffff lea ecx,[ebp-1018h]
63ac3a61 57 push edi
63ac3a62 e87ee50000 call uiautomationcore!MessageBuilder::WriteEventArgs (63ad1fe5)
63ac3a67 85c0 test eax,eax
63ac3a69 7caa jl uiautomationcore!RemoteEventCallbackProxy::CrossProcess_OnEvent+0x49 (63ac3a15) Branch

uiautomationcore!RemoteEventCallbackProxy::CrossProcess_OnEvent+0x9f:
63ac3a6b ff760c push dword ptr [esi+0Ch]
63ac3a6e 8d8de8efffff lea ecx,[ebp-1018h]
63ac3a74 ffb5e0efffff push dword ptr [ebp-1020h]
63ac3a7a 53 push ebx
63ac3a7b e8e3e20000 call uiautomationcore!MessageBuilder::WriteCacheResponse (63ad1d63)
63ac3a80 85c0 test eax,eax
63ac3a82 7c91 jl uiautomationcore!RemoteEventCallbackProxy::CrossProcess_OnEvent+0x49 (63ac3a15)
By the way: it's nice that we can write in Chinese here.
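The situation the thread is arguing about, written out as an added example (this is not code from the page, from uiautomationcore or from either poster): a small C model of the WriteEventArgs control flow as the posted disassembly shows it (type byte emitted before validation, default arm calls the logger and jumps to the epilogue without assigning hr), placed next to a caller modelled on the CrossProcess_OnEvent snippet above and next to a hardened variant. MessageBuilder, EventArgs, WriteInt, the simplified payloads for cases 2 to 4 and the buffer size are all assumptions for the model. The one assumption that decides the outcome is the return value of Error::ProtocolError, which the thread never establishes; the model assumes it returns 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal COM-style HRESULT plumbing so the model builds on any platform. */
typedef int32_t HRESULT;
#define S_OK          ((HRESULT)0)
#define E_INVALIDARG  ((HRESULT)0x80070057u)
#define E_OUTOFMEMORY ((HRESULT)0x8007000Eu)
#define FAILED(hr)    ((hr) < 0)

/* Hypothetical stand-in for MessageBuilder: a fixed output buffer (assumed size). */
typedef struct { unsigned char buf[64]; size_t len; } MessageBuilder;

/* Field order follows the offsets the disassembly reads (type at +0, id at +4);
   the payload after that is simplified and assumed. Valid types are 0..4. */
typedef struct { unsigned int type, id, arg8, argC; } EventArgs;

static HRESULT WriteByte(MessageBuilder *m, unsigned int v)
{
    if (m->len + 1 > sizeof m->buf) return E_OUTOFMEMORY;
    m->buf[m->len++] = (unsigned char)v;
    return S_OK;
}

static HRESULT WriteInt(MessageBuilder *m, unsigned int v)
{
    if (m->len + sizeof v > sizeof m->buf) return E_OUTOFMEMORY;
    memcpy(m->buf + m->len, &v, sizeof v);
    m->len += sizeof v;
    return S_OK;
}

/* Stand-in for Error::ProtocolError. The thread only establishes that it records the
   error; its return value is unknown, so this model ASSUMES it leaves 0 (S_OK) in eax. */
static int g_protocol_errors;
static HRESULT ProtocolError(const char *msg) { (void)msg; g_protocol_errors++; return S_OK; }

/* Control flow as the posted disassembly shows it: the type byte goes out before it is
   validated, and the default arm reaches the epilogue without assigning hr, so the
   caller receives whatever ProtocolError left in eax. */
static HRESULT WriteEventArgs_asis(MessageBuilder *m, const EventArgs *e)
{
    HRESULT hr = WriteByte(m, e->type);
    if (FAILED(hr)) return hr;
    hr = WriteInt(m, e->id);
    if (FAILED(hr)) return hr;

    switch (e->type) {
    case 0:  hr = S_OK; break;
    case 1:  hr = WriteInt(m, e->arg8); break;
    case 2: case 3: case 4:               /* payloads simplified relative to the real cases */
             hr = WriteByte(m, e->arg8);
             if (!FAILED(hr)) hr = WriteInt(m, e->argC);
             break;
    default: hr = ProtocolError("Received invalid enum for EventArgsType");
             break;
    }
    return hr;
}

/* Hardened variant: reject the enum before anything is written and return a defined
   failure code, so the caller's FAILED() check fires whatever the logger returns. */
static HRESULT WriteEventArgs_checked(MessageBuilder *m, const EventArgs *e)
{
    if (e->type > 4) {
        ProtocolError("Received invalid enum for EventArgsType");
        return E_INVALIDARG;
    }
    return WriteEventArgs_asis(m, e);
}

/* Caller modelled on CrossProcess_OnEvent: write the event args, then the cache
   response, and only "send" if both succeeded. Returns 1 if a message would go out. */
static int caller_sends(HRESULT (*write_args)(MessageBuilder *, const EventArgs *),
                        const EventArgs *e, MessageBuilder *out)
{
    memset(out, 0, sizeof *out);
    if (FAILED(write_args(out, e))) return 0;
    if (FAILED(WriteByte(out, 0xFF))) return 0;   /* stands in for WriteCacheResponse */
    return 1;
}

/* Constructed inputs: a valid event (type 2) and one with an out-of-range type. */
static const EventArgs kGood = { 2, 0x1234, 1, 2 };
static const EventArgs kBad  = { 7, 0x1234, 1, 2 };
static MessageBuilder g_msg;

int main(void)
{
    int sent = caller_sends(WriteEventArgs_asis, &kBad, &g_msg);
    printf("invalid type, as-is:   sends=%d, first byte on the wire=%u\n", sent, g_msg.buf[0]);
    sent = caller_sends(WriteEventArgs_checked, &kBad, &g_msg);
    printf("invalid type, checked: sends=%d\n", sent);
    return 0;
}
```

Under the model's assumption, the as-is path lets a message whose first byte is an enum value the peer does not know (7 here) reach WriteCacheResponse and the send, because the only thing standing between the logger and the caller's jl check is the value the logger happened to leave in eax. The checked variant validates before the first write and returns a failure code the caller is guaranteed to see; whether the real Error::ProtocolError makes that distinction moot depends on its return value, which is exactly what the thread says still has to be read from its definition.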
-