View Issue Details

ID: 0005403
Project: JEDI VCL
Category: 00 JVCL Components
View Status: public
Last Update: 2012-02-29 16:55
Reporter: x_art
Assigned To: AHUser
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.40
Target Version:
Fixed in Version: 3.45
Summary: 0005403: JvJCLUtils.pas vulnerable to a buffer overflow that allows malicious code execution
Description:
JvJCLUtils.pas
function GetParamStr(P: PChar; var Param: string): PChar;
Buffer: array [Byte] of Char;

The Buffer array is too small for a modern OS and should be:

Buffer: array [0..MAX_PATH] of Char;

As a result, the program crashes when a path is longer than 256 bytes.
Additional Information:
Fixes are below:

function GetParamStr(P: PChar; var Param: string): PChar;
var
  Len: Integer;
  Buffer: array [0..MAX_PATH] of Char; //!!! aggsoft.com
begin
  // Skip leading whitespace and any empty "" arguments.
  while True do
  begin
    while (P[0] <> #0) and (P[0] <= ' ') do
      Inc(P);
    if (P[0] = '"') and (P[1] = '"') then
      Inc(P, 2)
    else
      Break;
  end;
  Len := 0;
  // A parameter runs until the next whitespace; a quoted segment keeps its
  // spaces and is concatenated with any unquoted text around it.
  while P[0] > ' ' do
    if P[0] = '"' then
    begin
      Inc(P);
      while (P[0] <> #0) and (P[0] <> '"') do
      begin
        if Len > MAX_PATH then raise EOverflow.Create('ParamStr buffer overflow!'); //!!! aggsoft.com
        Buffer[Len] := P[0];
        Inc(Len);
        Inc(P);
      end;
      if P[0] <> #0 then
        Inc(P);
    end
    else
    begin
      // The unquoted path needs the same bound check; without it an
      // unquoted argument longer than the buffer still overflows it.
      if Len > MAX_PATH then raise EOverflow.Create('ParamStr buffer overflow!');
      Buffer[Len] := P[0];
      Inc(Len);
      Inc(P);
    end;
  SetString(Param, Buffer, Len);
  Result := P;
end;


Tags: No tags attached.

Activities

outchy (administrator), 2010-11-16 15:12, ~0018112

Well, paths might even be longer than MAX_PATH characters. This number denotes the maximum length for one directory/file name.
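The parser the report describes, rendered in C as an added example (not JVCL code, and not from the reporter or from outchy): the GetParamStr quoting rules are kept in one scanner, and the byte sink is pluggable, so the same scan can feed either a fixed buffer that refuses an argument it cannot hold (the check the reporter's patch needs on both the quoted and the unquoted path) or a heap buffer that grows with the argument, which is what outchy's point calls for, since a path can be longer than MAX_PATH. The names scan_param, get_param_str, get_param_str_bounded and make_arg are hypothetical, and the command lines in main() are constructed.

```c
/* Added example, not JVCL code: GetParamStr's quoting rules in C, with the
 * byte sink separated from the scanner so one scan can feed either a fixed
 * buffer that refuses to overflow or a heap buffer that grows with the
 * argument, so a path longer than MAX_PATH parses in full. All names are
 * hypothetical; make_arg() and main() build constructed inputs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *data; size_t cap, len; } byte_buf;
typedef int (*sink_fn)(byte_buf *b, char c);    /* returns 0 to refuse a byte */

/* Rules mirrored from GetParamStr: skip bytes <= ' ' and empty "" arguments; a
 * token runs to the next byte <= ' '; inside "..." everything up to the closing
 * quote (or end of string) is kept, quotes dropped. NULL if the sink refused. */
static const char *scan_param(const char *p, sink_fn sink, byte_buf *b)
{
    for (;;) {
        while (*p != '\0' && (unsigned char)*p <= ' ') p++;
        if (p[0] == '"' && p[1] == '"') p += 2; else break;
    }
    while ((unsigned char)*p > ' ') {
        if (*p == '"') {
            p++;
            while (*p != '\0' && *p != '"') { if (!sink(b, *p)) return NULL; p++; }
            if (*p != '\0') p++;                /* consume the closing quote */
        } else {
            if (!sink(b, *p)) return NULL;      /* unquoted bytes are checked too */
            p++;
        }
    }
    return p;
}

/* Sink for a caller-supplied buffer of cap bytes: never writes past it. */
static int fixed_push(byte_buf *b, char c)
{
    if (b->len + 1 >= b->cap) return 0;         /* no room for c plus the NUL */
    b->data[b->len++] = c; b->data[b->len] = '\0';
    return 1;
}

/* Sink for a heap buffer that doubles whenever it is full. */
static int dyn_push(byte_buf *b, char c)
{
    if (b->len + 1 >= b->cap) {
        char *nd = realloc(b->data, b->cap * 2);
        if (nd == NULL) return 0;
        b->data = nd; b->cap *= 2;
    }
    b->data[b->len++] = c; b->data[b->len] = '\0';
    return 1;
}

/* Fixed-size variant: the token must fit in cap-1 bytes, else NULL and *len = 0. */
const char *get_param_str_bounded(const char *p, char *buf, size_t cap, size_t *len)
{
    byte_buf b = { buf, cap, 0 };
    const char *rest = NULL;
    *len = 0;
    if (cap != 0) { buf[0] = '\0'; rest = scan_param(p, fixed_push, &b); }
    if (rest != NULL) *len = b.len;
    return rest;
}

/* Growing variant: *out gets a malloc'd token of any length (caller frees);
 * returns the remainder, or NULL with *out = NULL on allocation failure. */
const char *get_param_str(const char *p, char **out)
{
    byte_buf b = { calloc(1, 1), 1, 0 };      /* starts as "" so an empty token is valid */
    const char *rest = b.data != NULL ? scan_param(p, dyn_push, &b) : NULL;
    if (rest == NULL) { free(b.data); b.data = NULL; }
    *out = b.data;
    return rest;
}

/* Constructed input: n bytes of 'a' followed by " tail" (caller frees). */
char *make_arg(size_t n)
{
    char *s = malloc(n + 6);
    memset(s, 'a', n);
    strcpy(s + n, " tail");
    return s;
}

int main(void)
{
    char small[260], *big = make_arg(4000), *tok;   /* 260: a MAX_PATH-sized stack buffer */
    size_t len;
    const char *rest = get_param_str("  \"\" \"C:\\Program Files\\app.exe\" -x", &tok);
    printf("token [%s], remainder [%s]\n", tok, rest);          /* quoted spaces survive */
    free(tok);
    if (get_param_str(big, &tok) != NULL)
        printf("4000-byte argument: %zu bytes via the heap buffer\n", strlen(tok));
    free(tok);
    printf("same argument into %zu bytes: %s\n", sizeof small,
           get_param_str_bounded(big, small, sizeof small, &len) ? "accepted" : "refused, not overflowed");
    free(big);
    return 0;
}
```

The scanner writes through the sink on both the quoted and the unquoted path, which is the spot a fixed-buffer fix has to guard; the growing sink removes the size question altogether, at the cost of a heap allocation per parameter.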

AHUser (developer), 2010-11-27 20:36, ~0018188

Fixed in svn revision 12913.
I have replaced the code with a complete rewrite.

Issue History

Date Modified Username Field Change
2010-11-16 11:28 x_art New Issue
2010-11-16 15:12 outchy Note Added: 0018112
2010-11-27 20:36 AHUser Note Added: 0018188
2010-11-27 20:36 AHUser Status new => resolved
2010-11-27 20:36 AHUser Fixed in Version => Daily / SVN
2010-11-27 20:36 AHUser Resolution open => fixed
2010-11-27 20:36 AHUser Assigned To => AHUser
2012-02-29 16:55 obones Fixed in Version Daily / SVN => 3.45