[fpc-devel] possible unicode buffer overflow
Michael Van Canneyt
michael at freepascal.org
Fri Apr 17 14:15:51 CEST 2026
On Fri, 17 Apr 2026, Marc Weustink via fpc-devel wrote:
> Hi,
>
> In order to track unfreed memory at work, I've written a custom memory
> manager wrapper around the default manager.
> To be sure that the memory isn't corrupted, the returned memory blocks are
> surrounded by guard bytes.
>
> What I see when a string is released is that there is no room for the trailing
> null. The free is triggered by FPC_UNICODESTR_DECR_REF, so I assume the extra
> null is written somewhere when creating the string.
Unicode strings are supposed to be 00 terminated, AFAIK.
>
> Running fpc 3.2.2 win 64
>
> allocated size: 36 bytes
> guard start: CC BB BB BB BB BB BB CC
> guard end: CC FF FF FF FF FF FF CC
>
> CC BB BB BB BB BB BB CC B0 04 02 00 0D F0 AD BA ................
> 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 ................
> 6E 00 6F 00 62 00 65 00 61 00 74 00 00 00 FF FF n.o.b.e.a.t.....
> FF FF FF CC ....
>
> What you see here is that the first 2 bytes of the end guard are overwritten.
>
> Is this issue known?
Is the behaviour also there in 3.3.1?
Michael.
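As an added example that is not part of this thread: a small Python script that decodes the dump quoted above, checks both guard regions, and computes the size the string record actually needs, so the two clobbered guard bytes can be matched against the UTF-16 terminator. The record layout it assumes (codepage, element size, 4 padding bytes, refcount, length; 24 bytes on x86_64) is read off the field values visible in the dump, not taken from the FPC sources.

```python
import struct

# Constructed from the hex dump in the post: 8-byte start guard,
# 36-byte allocated block, 8-byte end guard.
DUMP_HEX = (
    "CC BB BB BB BB BB BB CC B0 04 02 00 0D F0 AD BA "
    "00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 "
    "6E 00 6F 00 62 00 65 00 61 00 74 00 00 00 FF FF "
    "FF FF FF CC"
)
GUARD_START = bytes.fromhex("CCBBBBBBBBBBBBCC")
GUARD_END = bytes.fromhex("CCFFFFFFFFFFFFCC")
ALLOCATED = 36

# Assumed UnicodeString header layout on 64-bit, as read off the dump:
# codepage (u16), element size (u16), 4 padding bytes, refcount (i64), length (i64).
HEADER = struct.Struct("<HH4xqq")


def parse_dump(hex_text, allocated=ALLOCATED):
    """Split a guarded dump into start guard, allocated block and end guard."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    return raw[:8], raw[8:8 + allocated], raw[8 + allocated:]


def check_block(hex_text=DUMP_HEX, allocated=ALLOCATED):
    """Verify the guards and compare the record's required size to the allocation."""
    start, block, end = parse_dump(hex_text, allocated)
    codepage, elem_size, ref, length = HEADER.unpack_from(block)
    payload = block[HEADER.size:]
    text = payload[:length * elem_size].decode("utf-16-le")
    # The runtime writes one terminating element after the characters,
    # so the record needs header + (length + 1) elements.
    required = HEADER.size + (length + 1) * elem_size
    clobbered = [i for i, (got, want) in enumerate(zip(end, GUARD_END)) if got != want]
    return {
        "start_guard_ok": start == GUARD_START,
        "codepage": codepage,          # 1200 = UTF-16LE
        "elem_size": elem_size,
        "ref": ref,                    # already 0: the block is being freed
        "text": text,
        "required": required,
        "overflow": required - allocated,
        "clobbered_guard_bytes": clobbered,
        "clobbered_values": bytes(end[i] for i in clobbered),
    }
```

For the quoted dump the record needs 38 bytes against a 36-byte allocation, and the two overwritten guard bytes are exactly the 00 00 terminator.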