© 2001 Microsoft Corporation. All rights reserved.
All QFEs for Windows CE 3.0 require the following:
1) Platform Builder 3.0 is installed on the machine.
2) The Platform Builder 3.0 Add-On pack is installed on the machine.
3) The current user has run Platform Builder 3.0 at least once.
Please download the file(s) most appropriate for your installation, as follows:
020104_ARM720_WCE30-QFE_ALL.EXE For installations based upon the ARM 720 (32-bit) processor
020104_SA1100_WCE30-QFE_ALL.EXE For installations based upon the StrongARM (SA11xx) based processor
020104_R3000_WCE30-QFE_ALL.EXE For installations based upon the MIPS R3000 processor
020104_R4100_WCE30-QFE_ALL.EXE For installations based upon the MIPS R4100 processor
020104_R4111_WCE30-QFE_ALL.EXE For installations based upon the MIPS R4111 processor
020104_R4300_WCE30-QFE_ALL.EXE For installations based upon the MIPS R4300 processor
020104_PPC403_WCE30-QFE_ALL.EXE For installations based upon the Motorola PPC 403 processor
020104_PPC821_WCE30-QFE_ALL.EXE For installations based upon the Motorola PPC 821 processor
020104_SH3_WCE30-QFE_ALL.EXE For installations based upon the Hitachi SH3 processor
020104_SH4_WCE30-QFE_ALL.EXE For installations based upon the Hitachi SH4 processor
020104_THUMB_WCE30-QFE_ALL.EXE For installations based upon the ARM 720 (16-bit) based processor
020104_X86_WCE30-QFE_ALL.EXE For installations based upon the x86 processor
This QFE package is a collection of all QFEs produced through December 31, 2001 for Windows CE 3.0 (QFEs 1-84). If you have installed all 84 QFEs for Windows CE 3.0, this installation is not necessary.
This package will install all QFEs directly to your build environment. A backup of all updated files will be maintained at the following location: %_WINCEROOT%\BACKUP. You can remove any files from this directory at your choosing.
If you have installed previous QFEs (for Windows CE 3.0), this will update your build environment to include all the latest files.
020104_ARM720_WCE30-QFE_ALL_JPN.EXE For installations based upon the ARM 720 (32-bit) processor
020104_SA1100_WCE30-QFE_ALL_JPN.EXE For installations based upon the StrongARM (SA11xx) based processor
020104_R3000_WCE30-QFE_ALL_JPN.EXE For installations based upon the MIPS R3000 processor
020104_R4100_WCE30-QFE_ALL_JPN.EXE For installations based upon the MIPS R4100 processor
020104_R4111_WCE30-QFE_ALL_JPN.EXE For installations based upon the MIPS R4111 processor
020104_R4300_WCE30-QFE_ALL_JPN.EXE For installations based upon the MIPS R4300 processor
020104_PPC403_WCE30-QFE_ALL_JPN.EXE For installations based upon the Motorola PPC 403 processor
020104_PPC821_WCE30-QFE_ALL_JPN.EXE For installations based upon the Motorola PPC 821 processor
020104_SH3_WCE30-QFE_ALL_JPN.EXE For installations based upon the Hitachi SH3 processor
020104_SH4_WCE30-QFE_ALL_JPN.EXE For installations based upon the Hitachi SH4 processor
020104_THUMB_WCE30-QFE_ALL_JPN.EXE For installations based upon the ARM 720 (16-bit) based processor
020104_X86_WCE30-QFE_ALL_JPN.EXE For installations based upon the x86 processor
If this message is displayed, it means that you have installed a QFE package with a later version of the installed file. You will already have the updates mentioned in this document, including something later (documented with that later QFE). This message is displayed to prevent accidental overwrite of the latest Windows CE QFE to that particular component.
Component: AFDLIB
QFE 12 - Resolver code did not allow resolution of host names containing '-' character.
Component: Asyncmac
QFE 3 - After send/download failure, connection stays open.
QFE
23 - Race
condition with TAPI and asyncmac
QFE 56 - Unable to access internet through SLIP connection due to framing issue in ASYCNMAC
Component: DEVICE
QFE 61 - Failure to check for null after LocalAlloc in device.exe.
Component: DHCP
QFE 51 - DHCP client fails when 2 DHCP servers are present.
QFE 55 -
Windows CE 3.0 DHCP client
fails when receiving a DHCPACK message with a subnet mask, but the previous
DHCPOFFER didn’t send such information.
The way DHCP works (RFC2131) is that a client requesting for an IP configuration
broadcasts a message of type DHCPDISCOVER. If a DHCP server is on that network,
it may reply to the client with a message of type DHCPOFFER containing a
proposed IP configuration (IP address, subnet mask, Gateway address, etc.).The
client may send back a DHCPREQUEST message where it formally requests for the IP
configuration previously proposed. At this point, the server may commit the
address and send a DHCPACK message to the client with the committed IP
configuration.
What we have in our case is that Windows ME ICS doesn’t send a subnet mask in the DHCPOFFER (which eventually is interpreted by the Windows CE 3.0 client as 0.0.0.0) but it does in the following DHCPACK. The Windows CE 3.0 client checks this discrepancy and, since there’s a mismatch, it doesn’t adopt the IP configuration.
Component: DirectX
QFE 40 - DirectSound - If there is more than one sound device in the system, DirectSound may hit an infinite loop.
QFE 42 - DirectSound - In CE 3.0, MPG4DS32.DLL contains a function, Yuv2Rgb555MB, written in assembly language, to convert from YUV color values to RGB color values. The function spans two memory pages. The function also uses memory below ESP (i.e. mov dword ptr [ESP-68h], eax) as scratch/temporary storage space for some variables. If a page fault occurs while executing the function, then the scratch space will be overwritten by the OS while handling the page fault since the OS uses the app’s stack. After the page fault, the function will end up using the data from the overwritten scratch space which can cause an access violation.
QFE 42 - DirectSound - Improve MMX detection for Natsemi Geode Processor.
QFE 45 - DirectDraw - DirectDraw is incorrectly detecting the overflow return code from GetRegionData and not returning an error to the user.
QFE 46 - DirectDraw - PropertyBag interface for selecting DirectSound audio device was unnecessarily #ifdef’d to return E_NOTIMPL under Windows CE. This prevented selecting a secondary audio device under DirectShow.
QFE 73 - DDCORE - A crash may occur in DDCORE when shutting down an application from a script.
Component: FATFS
QFE 22 - FATFS renames folder incorrectly on resume.
QFE 22 - FATFS file access time grows proportionally with each file.
QFE 63 - H/PC 2000 device will hang when a program in FlushROM is loaded. Some functions try to read a file which is in an ATAcard or FlushROM upon Resume. During this time, the system can not access these devices. A thread will wait while holding LLcs Critical Section Object so that another thread can not get the Critical Section Object.
QFE 76 - This fix is ported from BirchSP2 QFE 32. It is similar to BirchSP2 QFE 30, where the system deadlocks on suspend/resume while accessing the FAT file system device (PCMCIA in this case). The difference in this case is that the deadlock happens when a non-kernel process (IE) is making the access to the file system.
Component: FATMAIN
QFE 11 - There is a problem with FATFS which is used by RegCopyFile() API to write to storage device. The problem is that it rewinds streams as it writes them in order to recalculate the correct data position to be written to a multiple sector cluster. This slows down the write process for large streams as it has to follow several links to get to the desired position. This was done to correct data corruption that occurred when wrong bytes were written to sectors.
QFE 83 - If an attempt to move a file is made, and that file is being held open by another process, the MoveFile() API fails with error 0x80070005 (Access Denied) if the file is stored on a FAT volume. This is different from what happens when using the RAM file system (the RAM file system allows this).
Component: FPEMUL
QFE 60 - This change only affects x86-based processors. FSTP 64bit instruction emulation code was bugged. FLD/FSTP instruction pair is being used to transfer 64bit values in memory by eVB/VB6.0, thus preventing eVB/VB6 to be used with i486 processors without a floating point coprocessor.
Component: FSDMGR
QFE 58 - The FSDMGR component was accessing kernel data structures during suspend/resume processing, however did not go into kernel mode before accessing the memory. This would cause FS drivers to never be reloaded. This is forward port of the fix for Windows CE 2.12 QFE 15.
Component: FSDBASE
QFE 31 - A freeze occurs when searching with more than approximately 16000 entries in the database, and that totally freezes the computer when loading more than approximately 38000 entries from the PC.
Component: FSMAIN
QFE 74 - When copying files to a full IPSM volume, the copy fails and the source files are removed from the device. Upon failure, the host files are incorrectly deleted.
Component: GWE (GWES)
QFE 15 - ug in MsgWaitForMultipleObjectsEx. Basically, it looks like it returns whenever there's a timer set, even if the timer hasn't expired.
QFE 21 - User alarm is set by UI part of notification subsystem to wake the device at the next time it has to “beep”. When user alarm is set, the next wake-up time is recalculated. When it is cleared, however, it is not.
QFE 37 - Calling GetMenuItemInfo with MENUITEMINFO fMask set to MIIM_TYPE and dwTypeData set to NULL should return the size of buffer needed in the cch field for a menu item of type MFT_STRING. This is necessary, because otherwise someone wanting to get the text out of the menu item is forced to guess at a good buffer size and hope its big enough.
QFE
43 - When a
key is pressed, the value assigned to it is stored in a 4 bytes variable. Some
other info (like whether the key is down or up, it is an extended key, a sound
has to be played, etc.) is stored in form of bit flags into a separate variable;
later on those flags are checked and this information is
ORd into the same variable (4 bytes large) holding the key value.
When a virtual key (for example shift or backspace) is pressed, the current
state of that key is stored in a 1x256 bytes array. The way
its done is to use the value of the virtual key as the index to the
array. This value alone is always between 0 and 255, so that would be fine. The
problem is that since it has possibly been ORd with
some flag constant it may eventually be inconsistent and exceed the size of the
array as in this case, where its
ORd with KEYBD_DEVICE_SILENT (0x01000000), causing an access violation
and making GWES.EXE crash.
Component: HTTPD
QFE 6 - HTTP 1.0 + HTTP 1.1 specs both allow for an arbitrary HTTP request verb. Right now HTTP only accepts the methods GET, POST, and HEAD - all other requests end up generating a 400 bad request error.
QFE 64 - Security issue resolved – WinCE web server may expose root directory files list
QFE 64 - Security issue resolved – Basic authentication may not have properly functioned
QFE 64 - Security issue resolved – NTLM authentication may not have properly functioned
Component: IE
QFE 35 - GenIE always copies downloaded files instead of moving files from the IE cache.
Component: IPNAT
QFE 17 - Problem occurs since IPNAT dereferences a USHORT pointer directly from the ICMP header. For PPP, IP headers are not aligned (due to PPP framing), so this only occurs on PPP links.
QFE 77 - With the NAT component installed from the AddOn Pack, a memory leak occurs when inserting and removing a PCMCIA network card.
Component: IRCOMM
QFE 25 - IRCOMMs Tx and Rx threads do not set their thread priorities correctly.
Component: JSCRIPT
QFE 27 - General Protection Fault when a Stack Overflow is triggered. A message stating that there was a Stack Overflow is expected (that’s what IE does). The stack overflow is caused by a recursive JScript Function. This causes the whole system to crash.
QFE 27 - Potential crash in IE while executing a JSCRIPT routine.
QFE
47 - If a HTML
page contains JScript code that dynamically adds
elements that in turn do some actions in response to events, the sinking events
for the newly created object, although correctly registered, are not connected
to the JScript engine. Thus the associated code is
not executed.
During runtime, script engines implemented according to the Windows Script
Interface, have to go through several states (see MSDN documentation for more
info). If a new object (for example a pushbutton) is dynamically added after the
engine transition from SCRIPTSTATE_STARTED to SCRIPTSTATE_CONNECTED, the engine
doesn’t establish a connection to the object’s sinking event.
Component: KEBYD
QFE 71 - Scan code and time members of KBDLLHOOKSTRUCT are not set when using SetWindowsHookEx.
Component: Media Player
QFE 53 -
The problem is present in
the Windows CE 3.0 Media Player. It’s a manifestation of a known bug in ATL
(search MSDN for "BUG: Reregistered ATL window class may cause access
violation"). The CContainedWindow and
CWindowImpl
Component: MLANG
QFE 49 - FindCharsetFromRegistry was not checking for a NULL Charset. This is seen most often when running under low memory conditions.
Component: MSHTML
QFE 16 - Memory leak in browser control when page refreshes.
QFE 18 - <HR> tag does not display properly. A ruled line is supposed to be translucent; however the ruled line is painted grey.
Component: NDIS
QFE 8 - Losing connection to network after several minutes of running network stress tests. This was found during the development of the Cedar Add-On Pack.
QFE 9 - If an NDIS miniport requests addressing information when the adapter is reset (via the AddressingReset flag in the miniport reset handler), an exception may occur when the system is suspended and resumed.
Component: NK (NKMAIN, NKPRMAIN)
QFE 1 - On MIPS processor, "branch likely" instructions can be interrupted in the delay slot.
QFE 10 - Although WinCE 3.0 has added the new function OEMArmCacheMode,supposedly allowing the developer to specify the C and B bits in a page table entry, this function is not used all the time. Specifically, the functions MakePagePerms() and DemandCommit() build page table entries with both the C and B bits set, with no reference to OEMArmCacheMode.
QFE 14 - LockPages was crashing if the requested virtual address range crossed a 32MB boundary which can occur for a file system larger than 32MB. The fix was simply to detect this boundary condition and break it into two calls to LockPages, one for either side of the 32MB boundary. Same applied to UnlockPages.
QFE 33 - In the x86 architecture, the Kernel allocates memory for the CPU to use as a cache. The cache is used to reduce the penalty associated with a page fault. If code is not in the cache when needed then a page fault occurs and the code will be paged into the cache. If the cache is full then code has to be discarded before the new code is loaded. In a real-time environment the amount of time necessary to free up some cache and load the new code is often the worst case latency. The latency can be improved by allocating more memory for use by the CPU. It is easy to think of memory being allocated on a per process basis. In the 3.0 release enough memory was allocated to support 2 fully in use 32MB process spaces. This does not mean that you can only run 2 processes but it does mean that only a total of 64MB of virtual memory can be mapped by the OS before a possible page fault and cache flush is required. With only enough memory for 2 process space the chances of hit a page fault were high.
QFE 41 - The kernel incorrectly tracks the resource counter for a MUI resource.
QFE
57 - File
decompress can corrupt multi-XIP files on read – the file index was overwritten
with the file index for a specific ROM instead of the global file index
QFE 57 - A MUI DLL’s refcount is decremented when its referenced DLL is decremented and this can cause the MUI DLL’s refcount to be decremented twice
QFE 63 - H/PC 2000 device will hang when a program in FlushROM is loaded. Some functions try to read a file which is in an ATAcard or FlushROM upon Resume. During this time, the system can not access these devices. A thread will wait while holding LLcs Critical Section Object so that another thread can not get the Critical Section Object.
QFE 70 - IST starts are delayed due to being postponed until the next scheduling of an event on SH3 and SH4 processors. This impacts real-time capability
QFE 70 - DCR: Request to modify fatal exception handling in Kernel code. In some circumstances the OS can get into a state where the only course of action is to halt the system. When the OS enters this state is posts a debug message “Halting system”. At that point in time, the kernel has effectively locked up the system. In Windows CE 3.0 this mechanism did not allow an OEM to capture the event nor perform any action. With this QFE the OEM is now informed about the halting condition and able to perform some actions.
o
The
kernel now exports a function pointer that can be overridden by the OEM. If the
default function pointer value is replaced by the address of an OEM function in
the OAL, the OEM function will be called when the kernel goes to halt the OS.
If the OEM does not override the function pointer, the default action is to halt
the system. The kernel declares the following function pointer:
extern
void (*lpNKHaltSystem)(void);
In the OEM’s OAL, the OEM
can reassign the function pointer as follows:
Implement Function
void
OEMHaltSystem (void)
{
…. Do something like reset
the device
}
OAL
Globals:
void
(*lpNKHaltSystem)(void)=OEMHaltSystem;
Or, in
OEMInit:
void
OEMInit()
{
extern void (*lpNKHaltSystem)(void);
….
lpNKHaltSystem =
OEMHaltSystem;
}
The function does not have
any return values or take any parameters. The system will not continue to
function after the OEM is called.
QFE 75 - Incorrect freeing of allocated memory when attempting to load a DLL at a preferred load address may cause the system to crash.
QFE 75 - At the end of the PrefetchAbortHandler, code start executing data rather than actual code. This is caused by a commented out branch to CommonHandler. On an ARMv4, this executes a NOP. On the ARMv5, however, this is another instruction which can cause memory corruption
QFE 79 - Memory leak caused by the MSXML component if the if invalid XML is encountered.
QFE 79 - System crash in the profiling kernel when initially using PROFILE_OBJCALL | PROFILE_BUFFER.
Component: NTLM
QFE 52 - DeleteSecurityContext API was incorrectly calling DereferenceSecurityContext twice, when only the first call was needed.
Component: PEGTERM
QFE 30 - When Pegterm initializes, it doesn’t update its TAPI device ID before calling lineSetDevConfig, so at startup it always does a lineSetDevConfig for TAPI device 0.
Component: PPP / SLiP
QFE 20 - LCP renegotiation does not reset authentication. Also, updated support for a certain wireless card.
QFE 36 - Unable to access internet through SLIP connection.
QFE 39 - Protocol-Reject of CCP or IPCP does not make CE stop sending packets of those types.
QFE 56 - Unable to access internet through SLIP connection due to framing issue in ASYCNMAC.
QFE 68 - PPP fails to work when a PPP server does not provide a gateway IP address.
QFE 68 - IPCP requests DNS even when RASENTRY already contains static entries.
Component: PPTP
QFE 62 - Parsing of a VPN connection address list enters an infinite loop that requires the system to be rebooted.
Component: PWORD
QFE 82 - Font size combo box is too small on displays using a larger font size.
Component: RAPISRV
QFE 67 - When a partnership is established with the device via ActiveSync and is then disconnected, repllog.exe keeps the COM port open for about 40 seconds. During this time, no other connections can be established with the desktop and the device cannot be shut off.
Component: RDP
QFE 48 - Client name is limited to 8 characters.
QFE 48 - Improved data handling for INK quality.
QFE 48 -
Process remains if
connection cancelled before disconnect
Component: RDRNET
QFE 32 - Redir displays the "Duplicate Name" error message when it detects that the network is not up.
Component: REPLLOG
QFE 67 - When a partnership is established with the device via ActiveSync and is then disconnected, repllog.exe keeps the COM port open for about 40 seconds. During this time, no other connections can be established with the desktop and the device cannot be shut off.
Component: RSA
QFE 65 - Integer overflow exception in RSA32.LIB on MIPS platforms when performing RSA operations under stress.
QFE 65 - Memory leak in RSABASE/RSAENH in function CrypteDestroyHash when using HMAC hash type.
Component: SERVERS (ASP)
QFE 29 - After building a MAXALL CE OS from PB 3.0 for CEPC and including the Webserver in the CESysgen platform settings, a potential VBScript error may occur upon execution of an .ASP file from a client machine.
Component: SHDOCVW
QFE 16 - Memory leak in browser control when page refreshes.
QFE 59 - When accessing an ASP script that returns data and set's the content-type header field to a specific MIME type, the content-type is ignored and GenIE attempts to save the file as .asp. This is a forward port of the fix for Windows CE 2.12 QFE 27.
QFE 78 - IESAMPLE deadlocks under low memory conditions.
Component: SHELL
QFE 24 - Shell doesn’t currently check the return value when calling CreateToolhelp32Snapshot(). ToolHelp function Module32First() doesn’t validate input parameters.
QFE 74 - When copying files to a full IPSM volume, the copy fails and the source files are removed from the device. Upon failure, the host files are incorrectly deleted.
Component: SMTP
QFE 13 - Connections from inbox not properly shut down before call is disconnected. Inbox needs to set correct socket linger options to wait for FIN/ACK to be exchanged before terminating link
Component: TAPI
QFE 4 - LineEventProc's handling of LINE_GENERATE incorrectly checks the return value of CheckCallClient and ruins LPTCALLCLIENT's reference-counting.
QFE 4 - Certain tests crash in GetCallIDs().
QFE 4 - LineOpen LINEMAPPER search terminates prematurely.
QFE 7 - Modem may not disconnect successfully if a hang-up is attempted during dialing/initial connection setup.
QFE 23 - lineBlindTransfer should check for NULL lpszDestAddress before calling TSPI_lineBlindTransfer
QFE 23 - Race condition with TAPI and asyncmac
QFE 23 - Exception: misc.c: SendMsgToCallClients()
QFE 23 - TAPI does not recognize that the TSP has removed a call from a conference
QFE 23 - TAPI!TAPIlineGetConfRelatedCalls(), if (ptOpenLine = FindOpenLine/(ptLineApp, ptParent, 0xffffffff))
QFE 23 - TAPI call list becomes corrupted and causes a device.exe exception
QFE 23 - Corrupted call structure causes exception in FindCallClient.
QFE 23 - Remnet connect to unavailable device hangs
QFE 34 - TAPI would NULL a conference call without checking to see if it was the parent of the conference call.
Component: TCP/IP
QFE 2 - When CE is configured as a router, fragmented IP packets are not forwarded.
QFE 54 - IF is not dereferenced if the ref_usecnt is not 0. This can cause a 4-5 minute hang when the network is lost and a connection tries to close.
QFE 72 - Security issue resolved – Kiss of Death Denial of Service (DoS) attack.
Component: TOOLHELP
QFE 24 - Shell doesn’t currently check the return value when calling CreateToolhelp32Snapshot(). ToolHelp function Module32First() doesn’t validate input parameters.
Component: Unimodem
QFE 3 - Delay hanging up a successful connection.
QFE 25 - Must wait a few seconds for first connection to close before creating a new one when using PPP over IRCOMM because connection is closing improperly.
QFE 38 - Reduced the timeout for init commands.
QFE 38 - Reduced the number of retries for init commands.
QFE 38 - On failure, Unimodem now sets the hCallComplete event before calling devlineClose.
QFE 38 - Added new functionality such that the user can specify the number of retries by setting the registry key “HKLM\Drivers\Builtin\IrComm\Unimodem\Settings\DCCRetries” with a DWORD value that represents the number of retries wanted.
QFE 44 - Unimodem would toggle the DTR in AutoBaudRate and cause ActiveSync connections to fail.
QFE 66 - If a modem responds with a string beginning with the character “O”, it will be matched as “OK”. Some radio modems return “OUT OF SERVICE” if out of range, Unimodem sees this as “OK”.
QFE 69 - PEGTERM hangs shell after closing IrDA/GSM session. Priority of PEGTERM thread was being raised by Unimodem and not lowered afterwards causing the mouse input driver to spin.
QFE 81 - Repllog connection times out early. The timeout occurs because of a race condition between threads.
Component: VBSCRIPT
QFE 27 - General Protection Fault when a Stack Overflow is triggered. A message stating that there was a Stack Overflow is expected (that’s what IE does). The stack overflow is caused by a recursive JScript Function. This causes the whole system to crash.
Component: WCELOAD
QFE 50 - DCR: Request for WCELOAD to both flush the registry and provide a hook for OEMs to let them either be called when a module is installed, or to be launched at the end and point them to the .UNLOAD file.
Component: WEBVIEW
QFE 28 - A script error may occur because an empty string is not valid. JScript is actually converting the string versions of "true" and "false" to 1 and 0 (respectively). It apparently doesn’t know how to convert and empty string, which causes the error.
Component: WININET