Skip to content

Code Quality: Sync the jump list with Explorer #17564

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
0x5bfa wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Code Quality: Sync the jump list with Explorer #17564

0x5bfa wants to merge 10 commits into from
+1,240 −368

Conversation

@0x5bfa
Copy link
Member

@0x5bfa 0x5bfa commented Sep 7, 2025
edited
Loading

Resolved / Related Issues

TODOs

  • Completely deletes the binaries for the Files' jump list on startup and on every update
  • Watches the changes to the Explorer's jump list
  • Watches the changes to the Files' jump list
  • Replicates the Explorer's jump list to the Files' jump list
  • Replicates the Files' jump list to the Explorer's jump list

Steps used to test these changes

  • Build the app
  • Cold-launch the app
  • See its jump list being the same as the Explorer's jump list
  • Pin/unpin an item from the Explorer's jump list
  • See that of Files also gets updated
  • Do the way around of above
image image

@0x5bfa 0x5bfa force-pushed the 5bfa/CQ-JumpListManager branch from 71afbb3 to 9eb7ae9 Compare September 7, 2025 17:00
@0x5bfa 0x5bfa changed the title Code Quality: Sync the jump list with Explorer Code Quality: Sync the jump list with Explorer at the startup Sep 7, 2025
@yaira2 yaira2 added the ready for review Pull requests that are ready for review label Sep 7, 2025
yaira2
yaira2 reviewed Sep 7, 2025
View reviewed changes
yaira2
yaira2 reviewed Sep 7, 2025
View reviewed changes
yaira2
yaira2 reviewed Sep 7, 2025
View reviewed changes
yaira2
yaira2 reviewed Sep 7, 2025
View reviewed changes
@0x5bfa 0x5bfa marked this pull request as draft September 9, 2025 19:04
@yaira2 yaira2 force-pushed the main branch 2 times, most recently from 97999e5 to 806f922 Compare September 9, 2025 21:12
@0x5bfa 0x5bfa force-pushed the 5bfa/CQ-JumpListManager branch 3 times, most recently from 278a971 to 33efe98 Compare September 11, 2025 09:45
@0x5bfa 0x5bfa marked this pull request as ready for review September 11, 2025 09:45
@0x5bfa 0x5bfa changed the title Code Quality: Sync the jump list with Explorer at the startup Code Quality: Sync the jump list with Explorer Sep 14, 2025
@yaira2
Copy link
Member

yaira2 commented Sep 14, 2025

This might help with #14526

@yaira2 yaira2 mentioned this pull request Sep 17, 2025
Open
@Josh65-2201
Copy link
Member

Josh65-2201 commented Sep 19, 2025

Would this fix #17659

@yaira2
Copy link
Member

yaira2 commented Sep 19, 2025

Would this fix #17659

I think so. @0x5bfa can you confirm?

@yaira2 yaira2 mentioned this pull request Sep 19, 2025
Open
@0x5bfa
Copy link
Member Author

0x5bfa commented Sep 19, 2025
edited
Loading

Yes. This is one of the motivation. (I updated the PR to include this)

@Josh65-2201 Josh65-2201 mentioned this pull request Sep 23, 2025
Closed
@0x5bfa 0x5bfa force-pushed the 5bfa/CQ-JumpListManager branch from a038857 to 3669604 Compare September 29, 2025 14:53
@yaira2 yaira2 removed the ready for review Pull requests that are ready for review label Sep 29, 2025
@yaira2 yaira2 marked this pull request as draft September 29, 2025 22:14
@0x5bfa 0x5bfa force-pushed the 5bfa/CQ-JumpListManager branch from 9daefd6 to 032a523 Compare September 30, 2025 13:04
@yaira2 yaira2 force-pushed the 5bfa/CQ-JumpListManager branch from 7529df0 to ec45efa Compare November 15, 2025 23:46
@0x5bfa 0x5bfa force-pushed the 5bfa/CQ-JumpListManager branch 2 times, most recently from edbda5e to 816fcdc Compare November 16, 2025 15:31
@0x5bfa 0x5bfa force-pushed the 5bfa/CQ-JumpListManager branch from c627341 to 93b5b34 Compare December 17, 2025 19:37
@0x5bfa 0x5bfa marked this pull request as ready for review December 17, 2025 20:47
sentry[bot]
sentry bot reviewed Dec 17, 2025
View reviewed changes
sentry[bot]
sentry bot reviewed Dec 18, 2025
View reviewed changes
src/Files.App.Storage/Windows/Managers/JumpListManager.cs
Comment on lines +274 to +276
using ComHeapPtr<char> pszParseablePath = default;
pszParseablePath.Allocate(PInvoke.MAX_PATH);
hr = psl.Get()->GetArguments(pszParseablePath.Get(), (int)PInvoke.MAX_PATH);
Copy link

@sentry sentry bot Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: A buffer overflow occurs because memory for a character buffer is allocated in bytes (MAX_PATH), but the size is passed to a WinAPI function as a character count, effectively halving the buffer's safe capacity.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

The code allocates memory for string buffers using ComHeapPtr<char>.Allocate(PInvoke.MAX_PATH), which allocates 260 bytes. Since a C# char is a 2-byte wide character, this buffer can only hold 130 characters. However, subsequent calls to Windows APIs like GetArguments and GetFolderIconLocation are told the buffer can hold MAX_PATH (260) characters. If the path or argument string returned by the API is longer than 130 characters, a buffer overflow will occur, writing past the allocated memory and likely causing a crash. This issue is present in multiple locations within JumpListManager.cs.

💡 Suggested Fix

When allocating memory for wide character strings, ensure the byte count is correctly calculated. Modify the allocation call to pszParseablePath.Allocate(PInvoke.MAX_PATH * sizeof(char)) to allocate enough space for 260 characters, not 260 bytes. Apply this fix to all similar API calls in the file.

🤖 Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/Files.App.Storage/Windows/Managers/JumpListManager.cs#L274-L276

Potential issue: The code allocates memory for string buffers using
`ComHeapPtr<char>.Allocate(PInvoke.MAX_PATH)`, which allocates 260 bytes. Since a C#
`char` is a 2-byte wide character, this buffer can only hold 130 characters. However,
subsequent calls to Windows APIs like `GetArguments` and `GetFolderIconLocation` are
told the buffer can hold `MAX_PATH` (260) characters. If the path or argument string
returned by the API is longer than 130 characters, a buffer overflow will occur, writing
past the allocated memory and likely causing a crash. This issue is present in multiple
locations within `JumpListManager.cs`.

Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 7681507

src/Files.App.Storage/Windows/Managers/JumpListManager.cs
Comment on lines +256 to +260
hr = pFilesICDL.Get()->EnumerateCategoryDestinations(indexOfRecentCategory, IID.IID_IObjectCollection, (void**)poc.GetAddressOf());

// Get the count of items in the "Recent" category
uint countOfItems = 0U;
hr = poc.Get()->GetCount(&countOfItems);
Copy link

@sentry sentry bot Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The return value of EnumerateCategoryDestinations is not checked. If the call fails, a subsequent method call on the uninitialized poc pointer will cause a null pointer dereference.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

The HRESULT returned from the COM call pFilesICDL.Get()->EnumerateCategoryDestinations(...) is not checked for failure. If this call fails, the poc ComPtr will remain uninitialized (null). The subsequent line immediately attempts to dereference this pointer by calling poc.Get()->GetCount(...), which will result in a null pointer dereference and cause an access violation crash. This type of failure can occur under various system conditions, such as resource pressure or corrupted file stores.

💡 Suggested Fix

Add an error check immediately after the call to EnumerateCategoryDestinations. If the returned HRESULT indicates a failure, the function should return the error code to prevent the application from attempting to use the uninitialized poc pointer. For example: if (FAILED(hr)) return hr;.

🤖 Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/Files.App.Storage/Windows/Managers/JumpListManager.cs#L256-L260

Potential issue: The `HRESULT` returned from the COM call
`pFilesICDL.Get()->EnumerateCategoryDestinations(...)` is not checked for failure. If
this call fails, the `poc` `ComPtr` will remain uninitialized (null). The subsequent
line immediately attempts to dereference this pointer by calling
`poc.Get()->GetCount(...)`, which will result in a null pointer dereference and cause an
access violation crash. This type of failure can occur under various system conditions,
such as resource pressure or corrupted file stores.

Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 7681507

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yaira2 yaira2 yaira2 left review comments

+1 more reviewer

@sentry sentry[bot] sentry[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

3 participants

@0x5bfa @yaira2 @Josh65-2201