Serious command processor bug

This is definitely the weirdest bug I've seen in 12 years! We lost a full day just tracking down this issue.


We found that cmd.exe silently drops the 8191st char of a long enough command. Furthermore, this bug occurs in Windows 7 clients as well.


This simple batch echoes a sequence of zeroes and ones, clearly exposing this bug:

@echo 01010101010101010101
@pause > nul

[attached screenshot: 8191test.png]


Best regards,

George Weinburg

May 24th, 2015 8:34am

Hi George,

I have tried to make a test according to your descriptions on my Windows 7 machine (x64, x32) and Windows 8.1 machine. Both of them share the same symptom as yours, but I made more tests.

1. I changed the first char "0" to "1"; the last char will be "1" all the time.
2. I tried to shorten the chars one by one, both from the top and from the end. I found that the output will be shortened, too.
3. I tried to modify all the chars to "0", then to "1". For the "0" scenario, the last char will be "0". But both of them will meet the same limit. (I didn't count one by one; I counted the last line, and both of them are 31 chars.)

According to these tests, we can conclude that there is a limit on the output. If the output is over the limit and the rest of the chars isn't a zero (test 3), they will be replaced with "1".

For the test 2, it seems that there is still something to dig out.

Best regards

June 1st, 2015 9:37am

That's interesting MeipoXu, thanks!

We should add that this issue doesn't depend on numbers, it happens with any command as well.

[attached screenshot: 8191text.png]

June 1st, 2015 11:05am

The mystery is over, we found the bug.

Your token parser always drops the last char of the token buffer! Writing the current char immediately after TextCheck() should fix this.

Address        Hex dump              Command
; Jump from Lex+9D
cmd.Lex+AD4    +> +66:8B45 FC        MOV AX,SS:[LOCAL.1]
cmd.Lex+AD8    .  834D 10 40        OR DWORD PTR SS:[ARG.3],00000040
cmd.Lex+ADC    .  66:8906           MOV DS:[ESI],AX
cmd.Lex+ADF    .  8325 9841A74A 00  AND DWORD PTR DS:[AtIsToken],00000000
cmd.Lex+AE6    .  46                INC ESI
cmd.Lex+AE7    .  46                INC ESI
cmd.Lex+AE8    .  8BFE              MOV EDI,ESI
cmd.Lex+AEA    .  2B7D F8           SUB EDI,SS:[LOCAL.2]
cmd.Lex+AED    .  D1FF              SAR EDI,1
; Grab a char from the text buffer...
cmd.Lex+AEF    >  8D45 10           +LEA EAX,[ARG.3]
cmd.Lex+AF2    .  50                PUSH EAX
cmd.Lex+AF3    .  8D45 FC           LEA EAX,[LOCAL.1]
cmd.Lex+AF6    .  50                PUSH EAX
cmd.Lex+AF7    .  8975 08           MOV SS:[ARG.1],ESI
cmd.Lex+AFA    .  E8 6BF7FFFF       CALL TextCheck
cmd.Lex+AFF    .  3BC3              CMP EAX,EBX
cmd.Lex+B01    .  74 14             JE SHORT 4AA5283D
; BUG: break if TokBufLength - 1 = CurrentPos BEFORE writing current char!
cmd.Lex+B03    .  8B45 0C           MOV EAX,SS:[ARG.2]
cmd.Lex+B06    .  48                DEC EAX
cmd.Lex+B07    .  3BF8              CMP EDI,EAX
cmd.Lex+B09    .  7D 0C             JGE SHORT 4AA5283D
; Any token longer than TokBufLength (8192 bytes) will expose this bug...
cmd.Lex+B0B    .  66:8B45 FC        MOV AX,SS:[LOCAL.1]
cmd.Lex+B0F    .  66:8906           MOV DS:[ESI],AX
cmd.Lex+B12    .  46                INC ESI
cmd.Lex+B13    .  46                INC ESI
cmd.Lex+B14    .  47                INC EDI
cmd.Lex+B15    .  EB D8             +JMP SHORT 4AA52815
cmd.Lex+B17    >  8365 10 BF        AND DWORD PTR SS:[ARG.3],FFFFFFBF
cmd.Lex+B1B    .  33C0              XOR EAX,EAX
cmd.Lex+B1D    .  66:8906           MOV DS:[ESI],AX
cmd.Lex+B20    .  8B45 0C           MOV EAX,SS:[ARG.2]
cmd.Lex+B23    .  8D48 FF           LEA ECX,[EAX-1]
cmd.Lex+B26    .  3BF9              CMP EDI,ECX
cmd.Lex+B28    .  7D 05             JGE SHORT 4AA52855
cmd.Lex+B2A    .  E8 22F7FFFF       CALL UnGetByte
cmd.Lex+B2F    >  3BF8              CMP EDI,EAX
cmd.Lex+B31    .  0F8D 81470100     JGE 4AA66FDE
cmd.Lex+B37    >  B8 00400000       MOV EAX,4000
cmd.Lex+B3C    +.  E9 B3F5FFFF       JMP 4AA51E1A
June 5th, 2015 4:01am
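The check-before-store ordering George points out in the listing is easy to reproduce in plain C. The following is an added example, not cmd.exe code and not from anyone in the thread: it models the token-copy loop from the disassembly, borrowing the names TextCheck, UnGetByte and TokBufLength from it. The 8-char buffer (cmd uses 8192 wide chars) and a single space as the only delimiter are assumptions made to keep the demonstration short; the boundary behaviour is the same at any size. lex_buggy keeps the listing's order (room check, then store), lex_fixed applies the reordering George suggests.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not cmd.exe code. C model of the token-copy loop in the
 * listing above. TextCheck, UnGetByte and TokBufLength are the listing's
 * names; the 8-char buffer (cmd: 8192 wide chars) and the space delimiter
 * are assumptions. */

#define TOKBUF_LEN 8

typedef struct {
    const char *text;   /* command line being lexed */
    size_t pos;         /* next char to consume */
} Stream;

/* TextCheck analogue: consume one char. Returns 1 with the char in *out,
 * 0 if the consumed char was a delimiter, -1 at end of input (nothing
 * consumed). */
static int text_check(Stream *s, char *out)
{
    char c = s->text[s->pos];
    if (c == '\0') return -1;
    s->pos++;
    if (c == ' ') return 0;
    *out = c;
    return 1;
}

/* UnGetByte analogue: push the last consumed char back onto the stream. */
static void unget_byte(Stream *s) { if (s->pos > 0) s->pos--; }

/* Loop as in the listing: the room check runs BEFORE the char just
 * consumed is stored. When the buffer is full that char is neither stored
 * nor pushed back, so it vanishes from the command line. */
size_t lex_buggy(Stream *s, char *tok)
{
    size_t i = 0;
    char c = 0;
    int r = -1;
    for (;;) {
        r = text_check(s, &c);
        if (r <= 0) break;                 /* delimiter or end of input */
        if (i >= TOKBUF_LEN - 1) break;    /* BUG: c consumed but dropped */
        tok[i++] = c;
    }
    tok[i] = '\0';
    /* Listing's epilogue: push back only if the buffer was not full. On the
     * full path nothing is pushed back, so the consumed char is lost. */
    if (r >= 0 && i < TOKBUF_LEN - 1) unget_byte(s);
    return i;
}

/* Same loop with the reordering George suggests: store the char right
 * after TextCheck, then check for room. Nothing consumed is ever dropped. */
size_t lex_fixed(Stream *s, char *tok)
{
    size_t i = 0;
    char c = 0;
    int r = -1;
    for (;;) {
        r = text_check(s, &c);
        if (r <= 0) break;
        tok[i++] = c;                      /* store first ... */
        if (i >= TOKBUF_LEN - 1) break;    /* ... then stop when full */
    }
    tok[i] = '\0';
    if (r == 0) unget_byte(s);             /* only a delimiter can be pending */
    return i;
}

/* Lex a whole line with either loop and join the tokens with '|' so a
 * dropped char shows up as a shorter token. Returns the length of out. */
size_t lex_all(const char *line, int fixed, char *out, size_t outlen)
{
    Stream s = { line, 0 };
    char tok[TOKBUF_LEN];
    size_t n = 0;
    for (;;) {
        while (s.text[s.pos] == ' ') s.pos++;
        if (s.text[s.pos] == '\0') break;
        size_t len = fixed ? lex_fixed(&s, tok) : lex_buggy(&s, tok);
        if (n + len + 2 > outlen) break;   /* no room for '|', token, NUL */
        if (n > 0) out[n++] = '|';
        memcpy(out + n, tok, len);
        n += len;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[64];
    /* Constructed input: ten alternating chars, two more than the buffer. */
    lex_all("0101010101", 0, out, sizeof out);
    printf("buggy: %s\n", out);            /* the 8th char is gone */
    lex_all("0101010101", 1, out, sizeof out);
    printf("fixed: %s\n", out);
    return 0;
}
```

With the buggy loop the 8th char of "0101010101" is silently lost and the remainder is lexed as a new token; with the reordered loop every char survives. Setting TOKBUF_LEN to 8192 reproduces the boundary the thread observes, one char dropped at the buffer limit with no error reported.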

Hi George,

Thanks for updating.

Best regards

June 8th, 2015 2:37am

Given that I pinpointed exactly where and how to fix this nasty bug, can you forward this to someone that can actually apply this fix please? Do I really need to ask this at this point?
June 8th, 2015 11:04pm

Hi George Weinburg,

After deep research, I found that this is a known limitation of Windows XP and later systems. The link has explained a lot for us.
Here is the link for reference:
Command prompt (Cmd. exe) command-line string limitation
https://support.microsoft.com/en-us/kb/830473

We can try the method included in the link to work around the limitation.
"Modify programs that require long command lines so that they use a file that contains the parameter information, and then include the name of the file in the command line.
For example, instead of using the ExecutableFile.exe Parameter1 Parameter2 ...ParameterN command line in a batch file, modify the program to use a command line that is similar to the following command line, where ParameterFile is a file that contains the required parameters (parameter1 parameter2 ...ParameterN):
ExecutableFile.exe c:\temp\ParameterFile.txt "

Best regards

June 11th, 2015 3:38am
