#27 buffer overflow in TDbfParser.ParseExpression

closed
nobody
None
5
2006-03-12
2005-11-23
Steven Lee
No

in dbf_passer.pas, TDbfParser.ParseExpression:
TDbfFile.RecordSize may exceed the buffer size (4000
bytes). This can happen even when the field count is less
than 255. It's better to allocate the buffer dynamically.
See my code as follows:

// Compiles Expression (via CompileExpression) when it is not a plain
// field name, and for string-typed results computes FResultLen by
// running the expression against an empty record.
// Security note: the former local buffer (see the commented-out
// declaration below) was a fixed array[0..4000] of Char on the stack,
// while InitRecord fills a whole record of TDbfFile.RecordSize bytes;
// a record larger than that array is the reported overflow. The buffer
// is now allocated on the heap with RecordSize as its length.
procedure TDbfParser.ParseExpression(Expression:
string);
var
TempBuffer: PChar; (*array[0..4000] of Char;*)
begin
// clear any current expression
ClearExpressions;

// is this a simple field or complex expression?
FIsExpression := GetVariableInfo(Expression) = nil;
if FIsExpression then
begin
// parse requested
CompileExpression(Expression);

// determine length of string length expressions
if ResultType = etString then
begin
// make empty record
(* TDbfFile(FDbfFile).InitRecord(@TempBuffer[0]);
FResultLen := StrLen(ExtractFromBuffer
(@TempBuffer[0]));*)
//******alloc memory dynamically*******
// Size the buffer from RecordSize: that is what InitRecord writes,
// so it is the bound that matters, not the field count.
GetMem(TempBuffer, TDbfFile
(FDbfFile).RecordSize);
try
TDbfFile(FDbfFile).InitRecord(TempBuffer);
// NOTE(review): StrLen assumes ExtractFromBuffer returns a
// null-terminated string inside the record — confirm.
FResultLen := StrLen(ExtractFromBuffer
(TempBuffer));
finally
// try/finally releases the buffer even if InitRecord or
// ExtractFromBuffer raises.
FreeMem(TempBuffer);
end;
end;
end else begin
//........
// NOTE(review): the reporter's snippet stops here; the else branch
// and the procedure's closing end; are not shown.

Discussion

  • Micha Nelissen
    Micha Nelissen
    2006-02-25

    • status: open --> pending
     
  • Micha Nelissen
    Micha Nelissen
    2006-02-25


    Thanks. Committed.

     

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
    • status: pending --> closed