[fpc-devel] possible unicode buffer overflow

Marc Weustink marc at dommelstein.nl
Fri Apr 17 14:53:53 CEST 2026


Sorry, I can't get lazarus to compile using a 3.3.1 compiler.
I'll sort this out later (if ever, work calls)

Marc


On 17/04/2026 14:26, Marc Weustink via fpc-devel wrote:
> 
> 
> On 17/04/2026 14:15, Michael Van Canneyt via fpc-devel wrote:
>>
>>
>> On Fri, 17 Apr 2026, Marc Weustink via fpc-devel wrote:
>>
>>> Hi,
>>>
>>> In order to track unfreed memory at work, I've written a custom 
>>> memory manager wrapper around the default manager.
>>> To be sure that the memory isn't corrupted, the returned memory 
>>> blocks are surrounded by guard bytes.
>>>
>>> What I see when a string is released is that there is no room for the 
>>> trailing null. The free is triggered by FPC_UNICODESTR_DECR_REF, so I 
>>> assume the extra null is written somewhere when creating the string
>>
>> Unicode strings are supposed to be 00 terminated, AFAIK.
>>
>>>
>>> Running fpc 3.2.2 win 64
>>>
>>> allocated size: 36 bytes
>>> guard start: CC BB BB BB BB BB BB CC
>>> guard end:   CC FF FF FF FF FF FF CC
>>>
>>>  CC BB BB BB BB BB BB CC  B0 04 02 00 0D F0 AD BA  ................
>>>  00 00 00 00 00 00 00 00  06 00 00 00 00 00 00 00  ................
>>>  6E 00 6F 00 62 00 65 00  61 00 74 00 00 00 FF FF  n.o.b.e.a.t.....
>>>  FF FF FF CC                                       ....
>>>
>>> What you see here is that the first 2 bytes of the end guard are 
>>> overwritten.
>>>
>>> Is this issue known?
>>
>> Is the behaviour also there in 3.3.1?
> 
> Somehow I expected this response ;) I'll see if I can use 3.3.1
> 
> Marc
> 
> _______________________________________________
> fpc-devel maillist  -  fpc-devel at lists.freepascal.org
> https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel
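
The guard-byte technique Marc describes, as an added, stand-alone C example that is not part of the thread and not FPC runtime code: a wrapper allocator surrounds every block with the same start and end guard patterns shown in the dump, a check routine counts guard bytes that no longer match, and a constructed UTF-16 copy sized for `len*2` bytes without the terminator reproduces the two-byte overwrite of the end guard (the `nobeat` sample, `guarded_alloc`, `guarded_check`, `guarded_free` and the demo functions are all assumptions made for this example). A second demo sizes the block with room for the terminator and shows the guard staying intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Guard patterns copied from the dump in the message above (constructed example). */
#define GUARD_LEN 8
static const uint8_t GUARD_START[GUARD_LEN] = {0xCC,0xBB,0xBB,0xBB,0xBB,0xBB,0xBB,0xCC};
static const uint8_t GUARD_END[GUARD_LEN]   = {0xCC,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xCC};

/* Layout of one raw allocation: [header: size + start guard][user block][end guard] */
typedef struct {
    size_t  size;                   /* size the caller asked for */
    uint8_t start_guard[GUARD_LEN]; /* detects underruns */
} guard_header;

/* Allocate a block of `size` user bytes surrounded by guard bytes. */
void *guarded_alloc(size_t size) {
    uint8_t *raw = malloc(sizeof(guard_header) + size + GUARD_LEN);
    if (!raw) return NULL;
    guard_header *h = (guard_header *)raw;
    h->size = size;
    memcpy(h->start_guard, GUARD_START, GUARD_LEN);
    uint8_t *user = raw + sizeof(guard_header);
    memcpy(user + size, GUARD_END, GUARD_LEN);   /* end guard sits right after the user block */
    return user;
}

/* Count guard bytes that no longer match their pattern; 0 means the block is intact.
   Optionally reports the start-guard and end-guard counts separately. */
int guarded_check(const void *p, int *start_bad, int *end_bad) {
    const uint8_t *user = p;
    const guard_header *h = (const guard_header *)(user - sizeof(guard_header));
    int sb = 0, eb = 0;
    for (int i = 0; i < GUARD_LEN; i++) {
        if (h->start_guard[i] != GUARD_START[i]) sb++;
        if (user[h->size + i]  != GUARD_END[i])   eb++;
    }
    if (start_bad) *start_bad = sb;
    if (end_bad)   *end_bad   = eb;
    return sb + eb;
}

/* Release a guarded block; returns the corrupted-guard-byte count found at free time,
   which is the moment the wrapper in the message reported the problem. */
int guarded_free(void *p) {
    int bad = guarded_check(p, NULL, NULL);
    free((uint8_t *)p - sizeof(guard_header));
    return bad;
}

/* Constructed model of a UTF-16 string copy: the block is sized len*2 + extra_bytes,
   the characters are copied, then a 16-bit null terminator is written after them.
   Returns how many end-guard bytes were clobbered by that terminator write. */
static int copy_utf16_and_terminate(const uint16_t *src, size_t len, size_t extra_bytes) {
    uint8_t *blk = guarded_alloc(len * 2 + extra_bytes);
    if (!blk) return -1;
    memcpy(blk, src, len * 2);
    uint16_t zero = 0;
    memcpy(blk + len * 2, &zero, sizeof zero);   /* terminator write */
    int end_bad = 0;
    guarded_check(blk, NULL, &end_bad);
    guarded_free(blk);
    return end_bad;
}

static const uint16_t NOBEAT[6] = {'n','o','b','e','a','t'};   /* sample string from the dump */

/* Block sized for the characters only: the terminator lands on the end guard (returns 2). */
int demo_missing_terminator(void) { return copy_utf16_and_terminate(NOBEAT, 6, 0); }

/* Block sized with two extra bytes: the terminator fits and the guard stays intact (returns 0). */
int demo_with_terminator(void)    { return copy_utf16_and_terminate(NOBEAT, 6, sizeof(uint16_t)); }

int main(void) {
    printf("end-guard bytes clobbered without terminator room: %d\n", demo_missing_terminator());
    printf("end-guard bytes clobbered with terminator room:    %d\n", demo_with_terminator());
    return 0;
}
```

The two clobbered bytes correspond to the `CC FF` at the start of the end guard becoming `00 00` in the dump; checking the guards at free time is what makes an otherwise silent two-byte overrun visible, and checking them on every allocation call instead would narrow down which operation performed the write.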


