View Issue Details

IDProjectCategoryView StatusLast Update
0006570JEDI VCL00 JVCL Componentspublic2019-05-03 11:10
ReporterrarogAssigned Toobones 
Status resolvedResolutionfixed 
Product VersionDaily / GIT 
Target VersionFixed in VersionDaily / GIT 
Summary0006570: JvMemoryData easilly corrupts buffer when using many fields
DescriptionTJvMemoryData.InitFieldDefsFromFields can easily corrupt the buffer without throwing any error.

The problem root is in this line:
Inc(Offset, CalcFieldLen(DataType, Size) + 1);

It just increases the offset without checking, if it causes a cycle getting an overflow when reaching values over 65535.

To reproduce it, it should be enough to load a data with 22 WideString fields. Each of them is initialised by default to hold 1500 chars, each char takes 2 bytes.
So 1500 * 2 * 22 = 66000 resulting in the buffer to be in between and corrupt memory.
TagsNo tags attached.



2018-07-18 15:57

administrator   ~0021531

Could you check if the issue is still present in the latest GIT content? If yes, please provide the zipped sources of an application showing this.


2018-10-28 17:34

reporter   ~0021587

In the current version this line mentioned seems to have been changed to this one:
Inc(Offset, CalcFieldLen(FieldDefList[I].DataType, FieldDefList[I].Size) + 1);

While it looks different is still doesn't check if the offset variable (which is a Word) overflows.

There should be a if before actually incrementing offset ensuring that it is only incremented when it won't overflow. In case of an overflow raising an exception might be appropriate.


2019-04-25 22:22

reporter   ~0021742

I just created a pull request with a proposed fix for this. See here:


2019-05-01 10:27

reporter   ~0021785

Replaced pull request with this improved one:

Issue History

Date Modified Username Field Change
2017-05-08 15:43 rarog New Issue
2018-07-18 15:57 obones Note Added: 0021531
2018-07-18 15:57 obones Status new => feedback
2018-10-28 17:34 mh Note Added: 0021587
2019-04-25 22:22 mh Note Added: 0021742
2019-05-01 10:27 mh Note Added: 0021785
2019-05-03 11:10 obones Status feedback => resolved
2019-05-03 11:10 obones Fixed in Version => Daily / GIT
2019-05-03 11:10 obones Resolution open => fixed
2019-05-03 11:10 obones Assigned To => obones