Buffer overflow vulnerability in Delphi

Question

I'm interested to know, is Delphi vulnerable to Buffer overflow attack? I read some pages which mentioned Delphi is secure to that vuln because "Delphi can use Pascal strings as well as generic windows strings (PChar). When interfacing with Win API there is no other option except using Pchar". is that true? thanks

Answer 1

is Delphi vulnerable to Buffer overflow attack?

MOST languages are susceptible to buffer overflow attacks. A buffer overflow is a coding bug, not a language defect. For example, in Delphi:

var
  buf: array[0..0] of Byte;
  i: Integer;
begin
  Move(buf, i, sizeof(i)); // buffer overflow!
  PInteger(@buf)^ := i;    // buffer overflow!
end;

MOST languages will let you shoot yourself in the foot, if you are not careful. There is only so much hand-holding a compiler can do. Not everything can be avoided at compile-time. Programming is not just about writing code that compiles, but also about writing code that acts correctly and responsibly at runtime.

SOME languages may wrap buffers in such a way that bounds checking is performed at runtime, mitigating the risk of buffer overflows. Delphi is not one of those languages, since it allows you to operate directly on raw memory, so you can pretty much do whatever you want (well, whatever the underlying OS lets you do, anyway). And this is certainly true for Pascal strings.

I read some pages which mentioned Delphi is secure to that vuln because "Delphi can use Pascal strings as well as generic windows strings (PChar).

Delphi has no features to avoid all possible kinds of buffer overflows. But, if you write your code to use buffers correctly and sanely, overflows are not likely to happen. This is not limited to just strings, either.

When interfacing with Win API there is no other option except using Pchar". is that true?

It depends on the particular API. Most use simple null-terminated PChar strings, yes. But some use UNICODE_STRING records instead, which use WideChar buffers that are not guaranteed to be null-terminated. Some use ActiveX/COM BSTR (Delphi WideString ) strings instead.

Answer 2

Delphi as IDE? Maybe. As language? Sure. Judge for yourself:

var
  s: String;
  i: Integer;
begin
  s:= 'four';  // Length of string: 4 characters
  for i:= 1 to 1138 do begin  // This loop goes WAY beyond the String's buffer
    write( s[i] );  // What will it access after i=4?
  end;
end;

PChar is needed because the WinAPI is not constructed for Pascal, but Pascal needs to bend for APIs. Buffer overflows are a problem, but it's not like PChar is radioactive and String is Jesus - it's up to the programmer to not be overly stupid.

Answer 3

Buffer overflow attack is not related to any specific language. Those attacks are only possible when the developer wrongly coded his application.

To make it short, it is your responsibility as the developer to write all tests when memory is being written with data from the outside. You have to ALWAYS check if the data length is correct to fit when you write it.

For Delphi, there are tools that helps detect buffer overflow (or underflow and many other bugs). For example madExcept . This tool won't prevent buffer overflow, it will immediately if your program overflow a dynamically allocated buffer. This is a test tool that should not be delivered in released version.