starred/terminal
1
0
Fork 0
mirror of https://github.com/microsoft/terminal.git synced 2026-02-03 21:25:34 +00:00
Code Issues 19.0k Packages Projects Releases 20 Wiki Activity

Conhost crash when using accessibility tools #4480

New Issue
Closed
opened 2026-01-30 23:48:46 +00:00 by claunia · 1 comment
claunia commented 2026-01-30 23:48:46 +00:00
Owner
Copy Link

Originally created by @j4james on GitHub (Oct 15, 2019).

Environment

Windows build number: Version 10.0.18362.295
Conhost build: commit df26c677ef

Any other software? Inspect from the 10.0.18362.0 SDK

Steps to reproduce

  1. Start a conhost session.
  2. Start the Inspect utility.
  3. Click on the top level window in the UI Automation tree that matches the conhost session.

Expected behavior

You should see details about the window in the right hand pane.

Actual behavior

I get an access violation in WindowUiaProviderBase::get_ProviderOptions because pOptions has a value of 0x13, which isn't a valid pointer. The crash can also happen in other places depending on what accessibility call is triggered first.

I believe this is a regression thatwas introduced in commit cdfbf8f106.

It's been a while since I've worked with COM, but I'm fairly certain you can't return an interface without a cast the way it is now being done in those QueryInterface methods. Otherwise the returned interface pointer won't be pointing to the correct vtable. And I suspect that's resulting in the wrong method being called by the code that is using the returned interface, hence the bogus parameter value (the parameter was likely intended for a completely different method).

Originally created by @j4james on GitHub (Oct 15, 2019). # Environment Windows build number: Version 10.0.18362.295 Conhost build: commit df26c677efcb815a3b66a974345c9d3483cab678 Any other software? [Inspect](https://docs.microsoft.com/en-us/windows/win32/winauto/inspect-objects) from the 10.0.18362.0 SDK # Steps to reproduce 1. Start a conhost session. 2. Start the Inspect utility. 3. Click on the top level window in the UI Automation tree that matches the conhost session. # Expected behavior You should see details about the window in the right hand pane. # Actual behavior I get an access violation in [`WindowUiaProviderBase::get_ProviderOptions`](https://github.com/microsoft/terminal/blob/429af0e6fa80412f1e9185845d856e3497a6cf78/src/types/WindowUiaProviderBase.cpp#L69) because `pOptions` has a value of 0x13, which isn't a valid pointer. The crash can also happen in other places depending on what accessibility call is triggered first. I believe this is a regression thatwas introduced in commit cdfbf8f1064db75c23f417c20c20567c3054f0ad. It's been a while since I've worked with COM, but I'm fairly certain you can't return an interface without a cast the way it is now being done in those `QueryInterface` methods. Otherwise the returned interface pointer won't be pointing to the correct vtable. And I suspect that's resulting in the wrong method being called by the code that is using the returned interface, hence the bogus parameter value (the parameter was likely intended for a completely different method).
claunia commented 2026-01-30 23:48:48 +00:00
Author
Owner
Copy Link

@DHowett-MSFT commented on GitHub (Oct 15, 2019):

Yeah ☹️ this'll be fixed by #3051, but we should get something in a bit quicker.

@DHowett-MSFT commented on GitHub (Oct 15, 2019): Yeah ☹️ this'll be fixed by #3051, but we should get something in a bit quicker.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Reserved
A11yCO
A11yMAS
A11ySev1
A11ySev2
A11ySev3
A11yTTValidated
A11yUsable
A11yVoiceAccess
A11yWCAG
Area-Accessibility
Area-AtlasEngine
Area-AzureShell
Area-Build
Area-Build
Area-Chat
Area-CmdPal
Area-CodeHealth
Area-Commandline
Area-CookedRead
Area-DefApp
Area-Extensibility
Area-Fonts
Area-GroupPolicy
Area-i18n
Area-Input
Area-Interaction
Area-Interop
Area-Localization
Area-Output
Area-Performance
Area-Portable
Area-Quality
Area-Remoting
Area-Rendering
Area-Schema
Area-Server
Area-Settings
Area-SettingsUI
Area-ShellExtension
Area-ShellExtension
Area-ShellExtension
Area-Suggestions
Area-Suggestions
Area-TerminalConnection
Area-TerminalControl
Area-Theming
Area-UserInterface
Area-VT
Area-Windowing
Area-WPFControl
AutoMerge
Blocking-Ingestion
Culprit-Centennial
Culprit-WinUI
Disability-All
Disability-Blind
Disability-LowVision
Disability-Mobility
External-Blocked-WinUI3
Fixed
Gathering-Data
good first issue
HCL-E+D
HCL-WindowsTerminal
Help Wanted
Impact-Compatibility
Impact-Compliance
Impact-Correctness
Impact-Visual
In-PR
InclusionBacklog
InclusionBacklog-Windows TerminalWin32
InclusionCommitted-202206
Issue-Bug
Issue-Docs
Issue-Feature
Issue-Feature
Issue-Question
Issue-Samples
Issue-Scenario
Issue-Task
Needs-Attention
Needs-Author-Feedback
Needs-Bisect
Needs-Discussion
Needs-Repro
Needs-Tag-Fix
Needs-Tag-Fix
Needs-Triage
No-Recent-Activity
Priority-0
Priority-1
Priority-2
Priority-3
Product-Cmd.exe
Product-Colortool
Product-Colortool
Product-Colortool
Product-Conhost
Product-Conpty
Product-Meta
Product-Powershell
Product-Terminal
Product-WSL
pull-request
Mirrored from GitHub Pull Request
 Resolution-Answered
Resolution-By-Design
Resolution-Duplicate
Resolution-External
Resolution-Fix-Available
Resolution-Fix-Committed
Resolution-No-Repro
Resolution-Won't-Fix
Severity-Blocking
Severity-Crash
Severity-DataLoss
spam
this-will-be-a-breaking-change
Tracking-External
WindowsTerminal_Win32
Work-Item
zAskModeBug
zInbox-Bug
No Label Area-Accessibility Issue-Bug Needs-Tag-Fix Product-Conhost Product-Terminal Resolution-Fix-Committed Severity-Crash
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claunia
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/terminal#4480
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?