[fpc-devel] possible unicode buffer overflow
Marc Weustink
marc at dommelstein.nl
Fri Apr 17 16:36:47 CEST 2026
I can't believe it, but ansistrings, resource loading, string
formatting, all are affected and writing one, two or even more bytes
behind the buffer.
Marc
On 17/04/2026 14:53, Marc Weustink via fpc-devel wrote:
> Sorry, I can't get Lazarus to compile using a 3.3.1 compiler.
> I'll sort this out later (if ever, work calls)
>
> Marc
>
>
> On 17/04/2026 14:26, Marc Weustink via fpc-devel wrote:
>>
>>
>> On 17/04/2026 14:15, Michael Van Canneyt via fpc-devel wrote:
>>>
>>>
>>> On Fri, 17 Apr 2026, Marc Weustink via fpc-devel wrote:
>>>
>>>> Hi,
>>>>
>>>> In order to track unfreed memory at work, I've written a custom
>>>> memory manager wrapper around the default manager.
>>>> To be sure that the memory isn't corrupted, the returned memory
>>>> blocks are surrounded by guard bytes.
>>>>
>>>> What I see when a string is released is that there is no room for the
>>>> trailing null. The free is triggered by FPC_UNICODESTR_DECR_REF, so
>>>> I assume the extra null is written somewhere when creating the string.
>>>
>>> Unicode strings are supposed to be 00 terminated, AFAIK.
>>>
>>>>
>>>> Running fpc 3.2.2 win 64
>>>>
>>>> allocated size: 36 bytes
>>>> guard start: CC BB BB BB BB BB BB CC
>>>> guard end: CC FF FF FF FF FF FF CC
>>>>
>>>> CC BB BB BB BB BB BB CC B0 04 02 00 0D F0 AD BA ................
>>>> 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 ................
>>>> 6E 00 6F 00 62 00 65 00 61 00 74 00 00 00 FF FF n.o.b.e.a.t.....
>>>> FF FF FF CC ....
>>>>
>>>> What you see here is that the first 2 bytes of the end guard are
>>>> overwritten.
>>>>
>>>> Is this issue known?
>>>
>>> Is the behaviour also there in 3.3.1?
>>
>> Somehow I expected this response ;) I'll see if I can use 3.3.1
>>
>> Marc
>>
>> _______________________________________________
>> fpc-devel maillist - fpc-devel at lists.freepascal.org
>> https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel
>
> _______________________________________________
> fpc-devel maillist - fpc-devel at lists.freepascal.org
> https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel
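
Added example, not part of the original thread and not FPC code: the guard-byte check described in the first post, run over the dump exactly as posted. The 24-byte string header and the position of the character count are assumptions read off the dump, and the function names are hypothetical.

```python
# Constructed from the hex dump in the post (fpc 3.2.2 win64, allocated size 36).
DUMP = """
CC BB BB BB BB BB BB CC B0 04 02 00 0D F0 AD BA
00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00
6E 00 6F 00 62 00 65 00 61 00 74 00 00 00 FF FF
FF FF FF CC
"""
GUARD_START = bytes.fromhex("CCBBBBBBBBBBBBCC")
GUARD_END = bytes.fromhex("CCFFFFFFFFFFFFCC")
HEADER_LEN = 24   # assumption: 36 allocated bytes minus 12 bytes of text
CHAR_SIZE = 2     # UTF-16 code unit, as the "n.o.b.e.a.t." column shows


def check_block(raw: bytes, alloc_size: int) -> dict:
    """Split one wrapped block and compare both guards with their patterns."""
    g = len(GUARD_START)
    if len(raw) != g + alloc_size + len(GUARD_END):
        raise ValueError("dump length does not match guard + size + guard")
    head, payload, tail = raw[:g], raw[g:g + alloc_size], raw[g + alloc_size:]
    # Offsets inside each guard whose byte no longer matches the pattern.
    underrun = [i for i, (a, b) in enumerate(zip(head, GUARD_START)) if a != b]
    overrun = [i for i, (a, b) in enumerate(zip(tail, GUARD_END)) if a != b]
    return {"payload": payload, "underrun": underrun, "overrun": overrun,
            "overrun_bytes": bytes(tail[i] for i in overrun)}


def describe(raw: bytes, alloc_size: int) -> dict:
    """Add the string view: character count, text, and terminator placement."""
    result = check_block(raw, alloc_size)
    payload = result["payload"]
    # Assumption: the last 8 header bytes (06 00 ...) are the character count.
    chars = int.from_bytes(payload[HEADER_LEN - 8:HEADER_LEN], "little")
    text_end = HEADER_LEN + chars * CHAR_SIZE
    result["chars"] = chars
    result["text"] = payload[HEADER_LEN:text_end].decode("utf-16-le")
    # The 2-byte terminator fits only if it ends inside the allocated size.
    result["terminator_fits"] = text_end + CHAR_SIZE <= alloc_size
    return result


RAW = bytes.fromhex("".join(DUMP.split()))
REPORT = describe(RAW, alloc_size=36)

if __name__ == "__main__":
    for key in ("text", "chars", "underrun", "overrun", "terminator_fits"):
        print(f"{key}: {REPORT[key]}")
```

The report only states what the dump shows: the text ends at byte 36 of a 36-byte block, so the two zero bytes land on the first two bytes of the end guard. It does not say which side computed the size.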