Potential buffer overflow when using shortstring var/out parameters
Summary
A discussion regarding shortstrings revealed a shortcoming of the current implementation, where shortstring parameters are assumed to be 255 bytes in length, regardless of the actual declaration of the parameter being passed in. This can lead to buffer overflows, as illustrated below:
System Information
- Operating system: Embedded, Linux Mint
- Processor architecture: AVR, x86-64
- Compiler version: main 569f83e3
- Device: microcontroller, PC
Steps to reproduce
Pass a shortstring with size smaller than 255 bytes to subroutines that write more data to the parameter than the original variable's size. See example project.
Example Project
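program project1;

var
  s1: string[4] = 'wxyz';  { occupies 5 bytes: length byte + 4 characters }
  s2: string[2] = '??';    { occupies 3 bytes: length byte + 2 characters }

{ The parameter is declared as a plain shortstring, so the callee
  treats it as 255 characters long whatever variable is passed in. }
procedure setStr(out s: shortstring);
begin
  s := '1234'#09'SURPRISE!';  { 14 characters written into a string[4] }
end;

begin
  setStr(s1);
  writeln(s1);
  writeln(s2);
end.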
What is the current bug behavior?
Actual output (Linux-64 and AVR):
1234 SURPRISE!
SURPRISE!
What is the expected (correct) behavior?
Expected output:
1234
??
Relevant logs and/or screenshots
Possible fixes
Sven suggested passing the shortstring size as an extra parameter to var (and I assume out) parameters. This comment was for a specific situation (eliminating a temporary variable during string concatenation), but it sounds like a general solution to the problem.
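The following is an added example, not code from the report or from the compiler: a C model of the bytes involved, showing why `s2` prints `SURPRISE!` (the `#09` lands on its length byte) and how a capacity passed alongside the pointer gives the expected output. All names are hypothetical, and it assumes `s1` and `s2` are laid out back to back with no padding, which is what the reported output suggests.

```c
#include <stdio.h>
#include <string.h>

/* Model of a shortstring in memory: byte 0 is the current length, bytes
   1..capacity are the characters, so string[4] takes 5 bytes and string[2]
   takes 3. Assumption: s1 and s2 are adjacent, as the reported output suggests. */
enum { S1_OFF = 0, S1_CAP = 4, S2_OFF = S1_OFF + 1 + S1_CAP, S2_CAP = 2 };
static unsigned char globals[320];   /* constructed stand-in for the data segment */
static const char PAYLOAD[] = "1234\tSURPRISE!";   /* '1234'#09'SURPRISE!' */

static void init_globals(void) {
    memset(globals, 0, sizeof globals);
    globals[S1_OFF] = 4; memcpy(globals + S1_OFF + 1, "wxyz", 4);
    globals[S2_OFF] = 2; memcpy(globals + S2_OFF + 1, "??", 2);
}

/* Callee with the proposed extra parameter: truncate to the declared size. */
static void set_str_with_cap(unsigned char *s, unsigned char cap) {
    size_t n = strlen(PAYLOAD);
    if (n > cap) n = cap;
    s[0] = (unsigned char)n;          /* length byte */
    memcpy(s + 1, PAYLOAD, n);        /* never more than cap characters */
}

/* Callee as reported: only a pointer arrives, so room for 255 is assumed. */
static void set_str_assume_255(unsigned char *s) { set_str_with_cap(s, 255); }

/* Read a shortstring the way writeln does: trust whatever the length byte says. */
static const char *read_str(size_t off) {
    static char out[2][256];
    static int slot;
    char *dst = out[slot ^= 1];       /* two slots so two reads fit in one printf */
    memcpy(dst, globals + off + 1, globals[off]);
    dst[globals[off]] = '\0';
    return dst;
}

int main(void) {
    init_globals(); set_str_assume_255(globals + S1_OFF);
    printf("assumed 255: [%s] [%s]\n", read_str(S1_OFF), read_str(S2_OFF));
    init_globals(); set_str_with_cap(globals + S1_OFF, S1_CAP);
    printf("with size:   [%s] [%s]\n", read_str(S1_OFF), read_str(S2_OFF));
    return 0;
}
```

In the first run the tab character (value 9) is written to offset 5, which is the length byte of `s2`, and the nine characters after it fill the space `s2` then claims as its own.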