[fpc-devel] possible unicode buffer overflow
Marc Weustink
marc at dommelstein.nl
Fri Apr 17 14:26:25 CEST 2026
On 17/04/2026 14:15, Michael Van Canneyt via fpc-devel wrote:
>
>
> On Fri, 17 Apr 2026, Marc Weustink via fpc-devel wrote:
>
>> Hi,
>>
>> In order to track unfreed memory at work, I've written a custom memory
>> manager wrapper around the default manager.
>> To be sure that the memory isn't corrupted, the returned memory blocks
>> are surrounded by guard bytes.
>>
>> What I see when a string is released is that there is no room for the
>> trailing null. The free is triggered by FPC_UNICODESTR_DECR_REF, so I
>> assume the extra null is written somewhere when creating the string
>
> Unicode strings are supposed to be 00 terminated, AFAIK.
>
>>
>> Running fpc 3.2.2 win 64
>>
>> allocated size: 36 bytes
>> guard start: CC BB BB BB BB BB BB CC
>> guard end: CC FF FF FF FF FF FF CC
>>
>> CC BB BB BB BB BB BB CC B0 04 02 00 0D F0 AD BA ................
>> 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 ................
>> 6E 00 6F 00 62 00 65 00 61 00 74 00 00 00 FF FF n.o.b.e.a.t.....
>> FF FF FF CC ....
>>
>> What you see here is that the first 2 bytes of the end guard are
>> overwritten.
>>
>> Is this issue known?
>
> Is the behaviour also there in 3.3.1?
Somehow I expected this response ;) I'll see if I can use 3.3.1
Marc
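The guard-byte wrapper described at the top of the thread, and the overrun the dump shows, can be reproduced in a few lines. The following is an added example, not Marc's memory manager and not FPC RTL code; it is written in C rather than Pascal so it compiles anywhere. The guard patterns are the ones from the post; the 24-byte header followed by UTF-16 code units and a 2-byte terminator is an assumption modelled on the hex dump (36 bytes allocated = 24 header + 6 chars * 2), not a statement about how the RTL lays out UnicodeString.

```c
/* Added example: guard-byte allocator that detects a write past the end of a
   block, plus a model of the string block from the dump. The block layout is
   an assumption derived from the dump, not FPC's actual RTL implementation. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define GUARD_LEN 8
/* Guard patterns as shown in the post. */
static const uint8_t GUARD_START[GUARD_LEN] = {0xCC,0xBB,0xBB,0xBB,0xBB,0xBB,0xBB,0xCC};
static const uint8_t GUARD_END[GUARD_LEN]   = {0xCC,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xCC};

/* Raw block layout: [size_t size][start guard][size user bytes][end guard].
   A short write past the user area lands in the end guard, which is still
   inside the malloc'd block, so the overrun is observable without UB. */
void *guard_alloc(size_t size) {
    uint8_t *raw = malloc(sizeof(size_t) + GUARD_LEN + size + GUARD_LEN);
    if (!raw) return NULL;
    memcpy(raw, &size, sizeof size);
    memcpy(raw + sizeof(size_t), GUARD_START, GUARD_LEN);
    memcpy(raw + sizeof(size_t) + GUARD_LEN + size, GUARD_END, GUARD_LEN);
    return raw + sizeof(size_t) + GUARD_LEN;
}

static size_t count_mismatch(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) bad += (a[i] != b[i]);
    return bad;
}

/* Counts corrupted bytes in the guard before (start_bad) and after (end_bad)
   the user area; returns the total. Call it before releasing the block. */
size_t guard_check(const void *p, size_t *start_bad, size_t *end_bad) {
    const uint8_t *user = p;
    size_t size;
    memcpy(&size, user - GUARD_LEN - sizeof(size_t), sizeof size);
    size_t s = count_mismatch(user - GUARD_LEN, GUARD_START, GUARD_LEN);
    size_t e = count_mismatch(user + size, GUARD_END, GUARD_LEN);
    if (start_bad) *start_bad = s;
    if (end_bad) *end_bad = e;
    return s + e;
}

void guard_free(void *p) {
    uint8_t *user = p;
    free(user - GUARD_LEN - sizeof(size_t));
}

/* Assumed model of the 64-bit string block in the dump: 24-byte header
   (code page, element size, padding, refcount, length), then UTF-16LE code
   units, then a 00 00 terminator. reserve_terminator decides whether the
   allocation size includes room for those two bytes. Returns the number of
   end-guard bytes clobbered. */
#define HDR_LEN 24
size_t simulate_unicode_string(const char *ascii, int reserve_terminator) {
    size_t len = strlen(ascii);
    size_t alloc = HDR_LEN + 2 * len + (reserve_terminator ? 2 : 0);
    uint8_t *blk = guard_alloc(alloc);
    if (!blk) return (size_t)-1;
    memset(blk, 0, alloc);
    uint16_t cp = 1200, elem = 2;              /* UTF-16 code page, 2-byte elements */
    int64_t refcnt = 0, slen = (int64_t)len;
    memcpy(blk, &cp, 2);
    memcpy(blk + 2, &elem, 2);
    memcpy(blk + 8, &refcnt, 8);
    memcpy(blk + 16, &slen, 8);
    for (size_t i = 0; i < len; i++) {         /* widen ASCII to UTF-16LE */
        blk[HDR_LEN + 2 * i] = (uint8_t)ascii[i];
        blk[HDR_LEN + 2 * i + 1] = 0;
    }
    /* The model writes the terminator unconditionally; without reserved room
       it overwrites the first two end-guard bytes, exactly as in the dump. */
    blk[HDR_LEN + 2 * len] = 0;
    blk[HDR_LEN + 2 * len + 1] = 0;
    size_t end_bad;
    guard_check(blk, NULL, &end_bad);
    guard_free(blk);
    return end_bad;
}

int main(void) {
    printf("no room for terminator: %zu end-guard bytes clobbered\n",
           simulate_unicode_string("nobeat", 0));
    printf("room reserved:          %zu end-guard bytes clobbered\n",
           simulate_unicode_string("nobeat", 1));
    return 0;
}
```

With the 36-byte allocation from the dump the check reports two clobbered end-guard bytes, matching the `00 00` that replaced `CC FF`; allocating two bytes more leaves the guard intact. Checking the guards at free time, as the wrapper in the thread does, is what makes a silent 2-byte overrun visible.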