[Bug]: App crash (Access Violation/FastFail) via malformed ms-calculator:snapshot/ URI protocol #2458

@pazii9

Description

A reliability issue was identified where the Windows Calculator app crashes when handed a malformed payload through the ms-calculator:snapshot/ URI protocol. The crash occurs because the application fails to validate specific native-code invariants after successfully deserializing a JSON payload containing a UnaryCommand with zero commands.

While the input passes initial JSON validation, the subsequent logic in the native layer does not handle the empty command array, leading to a process termination via __fastfail in ucrtbase.dll.

Steps to Reproduce:

Open a web browser or the "Run" dialog (Win+R).

Paste the following URI (PoC):
ms-calculator:snapshot/{"HistoryContext":{"States":[{"HistoryItem":{"UnaryCommand":{"Commands":[]}}}]}}

Click "Open" on the Windows protocol consent dialog.

The Calculator app will attempt to launch and immediately crash.

Expected Behavior:
The application should validate the snapshot state and, if malformed or logically inconsistent, either ignore the command or revert to a default state (similar to the error handling implemented in the Initialize() method).

Technical Analysis & Evidence:

Crash Point: The crash occurs within RestoreFromSnapshot().

Root Cause: The JSON deserializer accepts the empty Commands array, but the native code invariant requires at least one command.

Faulting Module: ucrtbase.dll

Exception Code: 0xc0000409 (Stack Buffer Overrun / Fast Fail)

Event Viewer Log:

Faulting application name: CalculatorApp.exe, version: 11.2307.4.0
Faulting module name: ucrtbase.dll, version: 10.0.22621.608
Exception code: 0xc0000409
Fault offset: 0x000000000007f61e

Suggested Fix:
Implement a validation check or a try/catch block within RestoreFromSnapshot() in Calculator.cpp (or the relevant ViewModel logic) to match the robust initialization logic found in the standard Initialize() path. Specifically, verify that UnaryCommand objects contain valid command sequences before processing.

MSRC_Disclosure_WindowsCalculator.zip
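The kind of invariant check the report asks for, written as an added example rather than code from the Calculator repository or from the reporter. It models the snapshot shape named in the PoC (HistoryContext, States, HistoryItem, UnaryCommand, Commands) as plain C++ structs that stand in for the already-deserialized JSON, since the report states the JSON layer itself accepts the payload. The struct definitions, ValidateSnapshot, RestoreFromSnapshotSafe and the sample snapshots are assumptions for illustration and do not reproduce the app's real types or functions.

```cpp
// Added example, not code from microsoft/calculator. Models the snapshot
// structure named in the report and adds the missing native-layer check.
#include <iostream>
#include <optional>
#include <vector>

// Hypothetical in-memory form of the deserialized JSON. Field names follow
// the keys in the PoC URI; the real app's types are not reproduced here.
struct UnaryCommand {
    std::vector<int> Commands;   // command ids, in application order
};

struct HistoryItem {
    std::optional<UnaryCommand> Unary;
};

struct HistoryContext {
    std::vector<HistoryItem> States;
};

struct Snapshot {
    HistoryContext History;
};

// Restored state; fellBackToDefault stands for "reverted to what Initialize() builds".
struct CalculatorState {
    std::vector<int> replayed;   // commands actually applied during restore
    bool fellBackToDefault = false;
};

enum class ValidationError { None, EmptyUnaryCommand };

// The invariant the JSON deserializer does not enforce: every UnaryCommand
// must carry at least one command.
ValidationError ValidateSnapshot(const Snapshot& s) {
    for (const auto& item : s.History.States) {
        if (item.Unary && item.Unary->Commands.empty()) {
            return ValidationError::EmptyUnaryCommand;
        }
    }
    return ValidationError::None;
}

// Unhardened shape of the restore step, kept only as the pattern to avoid and
// never called here: front() on an empty vector is undefined behaviour, and in
// MSVC builds with STL iterator checking enabled it can surface as a fast-fail abort.
int FirstCommandUnchecked(const UnaryCommand& u) {
    return u.Commands.front();   // UB when Commands is empty
}

// Hardened restore: validate first and fall back to a default state on failure
// instead of trusting that successful deserialization made the data consistent.
CalculatorState RestoreFromSnapshotSafe(const Snapshot& s) {
    CalculatorState state;
    if (ValidateSnapshot(s) != ValidationError::None) {
        state.fellBackToDefault = true;   // same outcome as taking the Initialize() path
        return state;
    }
    for (const auto& item : s.History.States) {
        if (!item.Unary) continue;
        // Safe now: validation guarantees Commands is non-empty here.
        for (int cmd : item.Unary->Commands) state.replayed.push_back(cmd);
    }
    return state;
}

// Constructed inputs: one mirroring the PoC (empty Commands), one well formed.
Snapshot MakePocSnapshot() {
    Snapshot s;
    s.History.States.push_back(HistoryItem{UnaryCommand{{}}});
    return s;
}

Snapshot MakeValidSnapshot() {
    Snapshot s;
    s.History.States.push_back(HistoryItem{UnaryCommand{{7, 42}}});
    return s;
}

int main() {
    CalculatorState poc = RestoreFromSnapshotSafe(MakePocSnapshot());
    CalculatorState ok = RestoreFromSnapshotSafe(MakeValidSnapshot());
    std::cout << "PoC snapshot fell back to default: " << poc.fellBackToDefault << '\n';
    std::cout << "Valid snapshot replayed " << ok.replayed.size() << " commands\n";
    return 0;
}
```

The point of separating ValidateSnapshot from the restore loop is that the check runs over the whole snapshot before any state is mutated, so a malformed payload never leaves the view model half-restored; the fallback path then does exactly what the report's expected behaviour describes.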
