Is there a limit to the length of a document title in MFC?

Posted on 2014-10-28
Last Modified: 2015-05-19
I have an MDI app in which I set the document name for each document using SetTitle() as in:

      CString sTitle(lpszTitle);
      sTitle.FormatMessage(IDS_DESIGN_TITLE_FORMAT, (CString(lpszTitle) + L":"), sConfigNameOnly);


sConfigNameOnly is a CString that's 20 characters long.

This all works fine until I go to the "Windows" menu that shows the names of each document and allows me to switch between them - all normal stuff.

The "Windows" menu shows the full title of the document and shows a tootip with the same string when I hover over it , as it should.

The problem is that when a document's name is greater than 61 characters long (unicode in my case) the app crashes with a memory allocation error - the usual old:  

CRT detected that the application wrote to memory after end of heap buffer.

Is there an undocumented maximum length that a document's title can be?  Or am I doing something wrong in this code?

The error is detected on the ::free call in CMFCPopupMenuBar::OnToolHitTest() at line #35:

INT_PTR CMFCPopupMenuBar::OnToolHitTest(CPoint point, TOOLINFO* pTI) const

	if (m_bPaletteMode)
		return CMFCToolBar::OnToolHitTest(point, pTI);

	int nHit = ((CMFCPopupMenuBar*)this)->HitTest(point);
	if (nHit != -1)
		CMFCToolBarButton* pButton = DYNAMIC_DOWNCAST(CMFCToolBarButton, GetButton(nHit));

		if (pButton != NULL)
			if (pTI != NULL)
				pTI->uId = pButton->m_nID;
				pTI->hwnd = GetSafeHwnd();
				pTI->rect = pButton->Rect();

			if (!pButton->OnToolHitTest(this, pTI))
				nHit = pButton->m_nID;
			else if (pTI != NULL && pTI->lpszText != NULL)
				CString strText;

				if (pTI->lpszText != NULL)
					strText = pTI->lpszText;

				CString strDescr;
				CFrameWnd* pParent = GetParentFrame();
				if (pParent->GetSafeHwnd() != NULL && !pButton->IsKindOf (RUNTIME_CLASS(CMFCShowAllButton)))
					pParent->GetMessageString(pButton->m_nID, strDescr);

				CTooltipManager::SetTooltipText(pTI, m_pToolTip, AFX_TOOLTIP_TYPE_TOOLBAR, strText, strDescr);

	return nHit;

Open in new window

Question by:allanephillips
  • 2
LVL 31

Expert Comment

ID: 40408873
Hi allanephillips,

I'm not sure what's the limit for document title is but I'm sure it's not that small coz I just tested it with a MFC application I'm working with, there I can use document title with 200 characters without problem.

I would suspect it has to do anything with tooltip handling. Do you somewhere handle tooltip messages like TTN_NEEDTEXTW or in an overridden OnToolTipText or similar?

Overriding those functionalities can be dangerous because MFC internally in some places used static CStrings to store the text to be shown in a tooltip and just pass a pointer to that string to other message handlers. If somewhere this pointer is used to write a longer string the boundary of the previously allocated string is overwritten which would lead to a similar error as you describe.

LVL 33

Expert Comment

ID: 40408939
looks more that you detected a bug in the mfc.

the TOOLINFO structure passed by pointer to the CMFCPopupMenuBar::OnToolHitTest has a member pointer lpszText to a string buffer of arbitrary size. if the "button" of the popup menu was "hit", the function tries to free the tool tip text pointer if it is not NULL. in debug version the debugger has allocated some extra space behind the requested buffer size and has written a end sequence to that space. when freeing the buffer the debugger looks whether the end sequence has been overwritten somehow and throws the heap error which you encountered.

to find out which function was responsible for writing beyond the buffer size, you should choose "retry" when the error occurs and then look into the stack window. the last function called is CMFCPopupMenuBar::OnToolHitTest and one of the callers up in the stack hierarchy is responsible for allocating space to the pTI->lpszText member. it is a statement like

pTI->lpszText = (LPTSTR) ::calloc((strTipText.GetLength() + 1), sizeof(TCHAR));

Open in new window

if you were successful into locating the allocation statement, you could check why the requested length is too short. in the above statement you would look for the strTipText with the debugger and check whether it contained the full title or not.

you could report the error to Microsoft but as a work around you should use a shorter title.


Accepted Solution

allanephillips earned 0 total points
ID: 40409181
I did finally track down the problem.  When I searched for where the string was allocated I found that it was in an override OnMenuButtonToolHitTest() that I had created and I had called calloc() incorrectly (passed it the wrong arguments) so the buffer was too small.

LVL 33

Expert Comment

ID: 40784847
i would recommend to delete the question since the suspected limitation of the mfc title length turned out to be wrong and the final comment the author made actually cannot be looked on as a solution for the question.

i even doubt that it is a solution for the problem. mfc is a c++ framework and using malloc and calloc in an mfc event handler is a recipe for troubles such as crashes or memory leaks. i would assume that there are still issues even if the crash with the title could be avoided.


Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When writing generic code, using template meta-programming techniques, it is sometimes useful to know if a type is convertible to another type. A good example of when this might be is if you are writing diagnostic instrumentation for code to generat…
Often, when implementing a feature, you won't know how certain events should be handled at the point where they occur and you'd rather defer to the user of your function or class. For example, a XML parser will extract a tag from the source code, wh…
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…
The viewer will learn how to user default arguments when defining functions. This method of defining functions will be contrasted with the non-default-argument of defining functions.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now