Project JEDI - Issue Tracker
Mantis Bugtracker

ID: 0005403
Category: [JEDI VCL] 00 JVCL Components
Severity: minor
Reproducibility: always
Date Submitted: 2010-11-16 11:28
Last Update: 2012-02-29 16:55
Reporter: x_art
View Status: public
Assigned To: AHUser
Priority: normal
Resolution: fixed
Status: resolved
Product Version: 3.40
Summary: 0005403: JvJCLUtils.pas vulnerable to a buffer overflow that allows malicious code execution

Description:
JvJCLUtils.pas
function GetParamStr(P: PChar; var Param: string): PChar;
Buffer: array [Byte] of Char;

The Buffer array is too small for modern OS and should be:

Buffer: array [0..MAX_PATH] of Char;

As a result, the program crashes when a path is longer than 256 bytes.

Additional Information:
Fixes are below:

function GetParamStr(P: PChar; var Param: string): PChar;
var
  Len: Integer;
  Buffer: array [0..MAX_PATH] of Char; //!!! aggsoft.com
begin
  while True do
  begin
    while (P[0] <> #0) and (P[0] <= ' ') do
      Inc(P);
    if (P[0] = '"') and (P[1] = '"') then
      Inc(P, 2)
    else
      Break;
  end;
  Len := 0;
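  while P[0] > ' ' do
    if P[0] = '"' then
    begin
      Inc(P);
      // Quoted run: copy up to the closing quote or the end of the string.
      while (P[0] <> #0) and (P[0] <> '"') do
      begin
        if Len > MAX_PATH then raise EOverflow.Create('ParamStr buffer overflow!'); //!!! aggsoft.com
        Buffer[Len] := P[0];
        Inc(Len);
        Inc(P);
      end;
      if P[0] <> #0 then
        Inc(P);
    end
    else
    begin
      // The unquoted branch writes to Buffer as well, so it needs the same bound check.
      if Len > MAX_PATH then raise EOverflow.Create('ParamStr buffer overflow!');
      Buffer[Len] := P[0];
      Inc(Len);
      Inc(P);
    end;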
  SetString(Param, Buffer, Len);
  Result := P;
end;


Tags No tags attached.
-  Notes
(0018112)
outchy (administrator)
2010-11-16 15:12

Well, paths might even be longer than MAX_PATH characters. This number denotes the maximum length for one directory/file name.
(0018188)
AHUser (developer)
2010-11-27 20:36

Fixed in svn revision 12913.
I have replaced the code with a complete rewrite.
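
Added example, not part of the issue thread and not the rewrite committed in svn revision 12913: one way to keep the tokenising rules of the reported GetParamStr while dropping the fixed-size buffer, so that a parameter longer than MAX_PATH is copied into a heap-allocated string instead of overflowing or raising. The names ParamDemo and GetParamStrDynamic and the sample input are assumptions made for this example.

```pascal
program ParamDemo; // added example, not JVCL code
{$APPTYPE CONSOLE}

// Hypothetical replacement: same tokenising rules as the reported
// GetParamStr, but each run is copied into a heap-allocated string.
function GetParamStrDynamic(P: PChar; var Param: string): PChar;
var
  RunStart: PChar;
  Segment: string;
begin
  Param := '';
  while True do // skip blanks and empty "" pairs, as the reported code does
  begin
    while (P[0] <> #0) and (P[0] <= ' ') do
      Inc(P);
    if (P[0] = '"') and (P[1] = '"') then
      Inc(P, 2)
    else
      Break;
  end;
  while P[0] > ' ' do
  begin
    RunStart := P;
    if P[0] = '"' then
    begin
      Inc(P);
      RunStart := P; // quoted run: up to the closing quote or end of string
      while (P[0] <> #0) and (P[0] <> '"') do
        Inc(P);
      SetString(Segment, RunStart, P - RunStart);
      if P[0] <> #0 then
        Inc(P); // step over the closing quote
    end
    else
    begin // unquoted run: up to the next blank, quote or end of string
      while (P[0] > ' ') and (P[0] <> '"') do
        Inc(P);
      SetString(Segment, RunStart, P - RunStart);
    end;
    Param := Param + Segment; // grows as needed, no MAX_PATH assumption
  end;
  Result := P;
end;

var
  Line, Param: string;
begin
  // Constructed input: a quoted path of 1000 characters, then a second token.
  Line := '"C:\' + StringOfChar('a', 997) + '" next';
  GetParamStrDynamic(PChar(Line), Param);
  Writeln(Length(Param));
end.
```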

- Issue History
Date Modified Username Field Change
2010-11-16 11:28 x_art New Issue
2010-11-16 15:12 outchy Note Added: 0018112
2010-11-27 20:36 AHUser Note Added: 0018188
2010-11-27 20:36 AHUser Status new => resolved
2010-11-27 20:36 AHUser Fixed in Version => Daily / SVN
2010-11-27 20:36 AHUser Resolution open => fixed
2010-11-27 20:36 AHUser Assigned To => AHUser
2012-02-29 16:55 obones Fixed in Version Daily / SVN => 3.45

