CComVariant::ReadFromStream() returns Access Denied for stream >1MB

Article ID: 2831480 - View products that this article applies to.
Expand all | Collapse all


You have developed an application that uses CComVariant::ReadFromStream() to read data from a stream and it returns an Access Denied Error message for stream size > 1 MB.


Reviewing atlcomcli.h we find that the size has been set here:


#define _ATL_STREAM_MAX_SIZE  0x100000


and if the size of the stream increases the MAX length it should throw an Access Denied error.

else if (cbStrLen > _ATL_STREAM_MAX_SIZE)


          ATLTRACE(atlTraceCOM, 0, _T("String exceeded the maximum allowed size see _ATL_STREAM_MAX_SIZE."));

          hr = E_ACCESSDENIED;



If you have valid scenario where you are streaming data as BSTR that is larger than the predefined size you can change it. However, if you are using any untrusted code this workaround should not be employed.

One approach would be to override CCOmVariant::ReadFromStream().

Another way is to change _ATL_STREAM_MAX_SIZE itself.

More Information

We are reading from a stream and the stream can be from untrusted source. The MAX value is there to catch any issues with streams that have been manipulated to try the code to allocate huge amount of memory causing DOS attacks.

Inside the Active Template Library (ATL) Security Update

Active Template Library Security Update for Developers

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.


Article ID: 2831480 - Last Review: April 17, 2013 - Revision: 3.0
Applies to
  • Microsoft Visual Studio 2005 Service Pack 1
  • Microsoft Visual Studio 2008 Service Pack 1
  • Microsoft Visual Studio 2010 Service Pack 1
  • Microsoft Visual Studio Professional 2012

Give Feedback


Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from