|Anonymous | Login | Signup for a new account||2019-05-25 16:24 CEST|
|Main | My View | View Issues | Change Log | Roadmap | Docs|
|Viewing Issue Simple Details|
|ID||Category||Severity||Reproducibility||Date Submitted||Last Update|
|0006570||[JEDI VCL] 00 JVCL Components||crash||always||2017-05-08 15:43||2019-05-03 11:10|
|Status||resolved||Product Version||Daily / GIT|
|Summary||0006570: JvMemoryData easilly corrupts buffer when using many fields|
TJvMemoryData.InitFieldDefsFromFields can easily corrupt the buffer without throwing any error.
The problem root is in this line:
Inc(Offset, CalcFieldLen(DataType, Size) + 1);
It just increases the offset without checking, if it causes a cycle getting an overflow when reaching values over 65535.
To reproduce it, it should be enough to load a data with 22 WideString fields. Each of them is initialised by default to hold 1500 chars, each char takes 2 bytes.
So 1500 * 2 * 22 = 66000 resulting in the buffer to be in between and corrupt memory.
|Tags||No tags attached.|
|Could you check if the issue is still present in the latest GIT content? If yes, please provide the zipped sources of an application showing this.|
In the current version this line mentioned seems to have been changed to this one:
Inc(Offset, CalcFieldLen(FieldDefList[I].DataType, FieldDefList[I].Size) + 1);
While it looks different is still doesn't check if the offset variable (which is a Word) overflows.
There should be a if before actually incrementing offset ensuring that it is only incremented when it won't overflow. In case of an overflow raising an exception might be appropriate.
I just created a pull request with a proposed fix for this. See here:
Replaced pull request with this improved one:
|2017-05-08 15:43||rarog||New Issue|
|2018-07-18 15:57||obones||Note Added: 0021531|
|2018-07-18 15:57||obones||Status||new => feedback|
|2018-10-28 17:34||mh||Note Added: 0021587|
|2019-04-25 22:22||mh||Note Added: 0021742|
|2019-05-01 10:27||mh||Note Added: 0021785|
|2019-05-03 11:10||obones||Status||feedback => resolved|
|2019-05-03 11:10||obones||Fixed in Version||=> Daily / GIT|
|2019-05-03 11:10||obones||Resolution||open => fixed|
|2019-05-03 11:10||obones||Assigned To||=> obones|
|Mantis 1.1.6[^] Copyright © 2000 - 2008 Mantis Group|